[Rule Tuning] AWS S3 Object Encryption Using External KMS Key (#5399)

Rule is alerting as expected, with low telemetry volume. Updates to rule query are to provide more alert context as an ESQL rule.
- reduced execution window
- added additional fields for more alert context, include customer-requested `data_stream.namespace` field
- added highlighted fields
- updated description and investigation guide

(cherry picked from commit b3d7804)

Author: imays11

rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml

@@ -2,61 +2,143 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/02"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption.
-Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS
-key to deny their victims access to their own data.
+Identifies use of the S3 CopyObject API where the destination object is encrypted using an AWS KMS key from an external
+AWS account. This behavior may indicate ransomware-style impact activity where an adversary with access to a
+misconfigured S3 bucket encrypts objects using a KMS key they control, preventing the bucket owner from decrypting their
+own data. This technique is a critical early signal of destructive intent or cross-account misuse.
 """
 false_positives = [
     """
-    Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an
-    account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before
-    taking action.
+    Cross-account KMS key usage may be legitimate in multi-account AWS Organizations architectures where centralized
+    encryption keys are used for data governance or auditing workflows. Confirm whether the external KMS key belongs to
+    an expected account before taking action. Data migration or cross-account backup workflows may legitimately
+    re-encrypt S3 objects using a key in another account. Ensure these workflows are documented, tied to known IAM
+    roles, and occur on predictable schedules.
     """,
 ]
-from = "now-9m"
+from = "now-6m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS S3 Object Encryption Using External KMS Key"
 note = """## Triage and analysis
 
-### Investigating AWS S3 Object Encryption Using External KMS Key
-
-This rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.
-This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.
-
-#### Possible Investigation Steps:
-
-- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
-- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId.
-- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
-- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
-- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
-- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.
-- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.
-
-### False Positive Analysis:
-
-- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.
-- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
-
-### Response and Remediation:
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
+> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.
 
-- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity.
-- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions.
-- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.
-- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.
-- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.
-
-### Additional Information:
+### Investigating AWS S3 Object Encryption Using External KMS Key
 
-For further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:
-- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)
-- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)
+This rule detects when an S3 `CopyObject` operation encrypts an object using a KMS key belonging to a different AWS account than the bucket owner. This behavior is unusual and a strong indicator of:
+
+- Cloud ransomware techniques, where adversaries encrypt data using a key only they control.
+- Cross-account privilege misuse, especially when an unauthorized principal has write access to S3.
+- Misconfigured bucket permissions, enabling principals from another account to perform privileged copy operations.
+- Early impact-stage activity in incidents where attackers prepare to destroy availability or deny the owner access.
+
+The rule uses ESQL to identify cases where the `cloud.account.id` (bucket owner) differs from the dissected `kms_key_account_id` used for encrypting the new object version.
+
+
+#### Possible investigation steps
+
+**Identify the actor and access pathway**
+- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
+- Check whether the caller is:
+  - A legitimate cross-account automation role,  
+  - A compromised IAM user or workload identity, or  
+  - A federated identity behaving outside of normal patterns.
+- Inspect `user_agent.original` to determine whether the action came from the AWS Console, CLI, SDK, or unusual tooling.
+
+**Analyze the encryption behavior**
+- Inspect the dissected KMS key fields:
+  - `Esql.aws_cloudtrail_request_parameters_kms_key_account_id`
+  - `Esql.aws_cloudtrail_request_parameters_kms_key_id`
+- Confirm whether the external key:
+  - Belongs to an attacker-controlled account,  
+  - Is unknown to your organization, or  
+  - Lives in a shared or security tooling account.
+
+**Assess the objects affected**
+- Review:
+  - `Esql.aws_cloudtrail_request_parameters_target_bucket_name`
+  - `Esql.aws_cloudtrail_request_parameters_target_object_key`
+- Identify:
+  - Whether objects were overwritten or new encrypted copies were created.
+  - The sensitivity or criticality of the affected data.
+  - Whether object versioning is enabled (important for recovery).
+
+**Correlate surrounding access patterns**
+Pivot in CloudTrail on:
+- The same access key ID  
+- The same IAM principal  
+- Affected bucket ARN  
+
+Look for:
+- `DeleteObject` or `DeleteObjects` calls (common in ransomware behavior)
+- Mass enumeration prior to the event (`ListObjectsV2`, `GetObject`)
+- Other impact-stage actions (`PutBucketPolicy`, `PutBucketAcl`, disabling logging)
+- Attempts to encrypt additional objects in rapid succession
+
+**Evaluate bucket permissions and exposure**
+Review:
+- S3 bucket policy changes
+- IAM roles with `s3:PutObject` or `s3:PutObjectAcl` permissions
+- Whether unintended cross-account `Principal` entries exist
+- Whether the KMS key policy explicitly trusts your account or a foreign one
+
+**Validate business justification**
+- Confirm with storage, data engineering, or application teams whether:
+  - Any migration, transformation, or backup workflows should be encrypting objects cross-account.
+  - Scheduled jobs or CI/CD pipelines were operating at the time of the event.
+
+### False positive analysis
+
+- **Expected cross-account encryption**  
+  Many organizations use centralized encryption accounts or shared security accounts. Validate:
+  - Whether the KMS key account is part of your AWS Organization
+  - Whether the workflow, role, or application is documented
+  - Whether the principal routinely performs CopyObject operations
+
+### Response and remediation
+
+**Contain and prevent further impact**
+- Immediately restrict S3 write access for the principal involved.
+- If the KMS key is attacker-controlled, the impacted objects may be unrecoverable without versioning.
+- If object versioning is disabled, enable it on the affected bucket to strengthen future resilience.
+
+**Investigate scope and severity**
+- Identify:
+  - Additional objects encrypted using external keys
+  - Related suspicious actions (delete, modify, exfiltration events)
+  - Whether any ransom markers or unauthorized files were uploaded
+- Validate whether the external KMS key grants *decrypt* permission back to the bucket owner (rare in attacker use).
+
+**Recover and secure the bucket**
+- Restore accessible previous versions if versioning is enabled.
+- Revoke unauthorized access key pairs or session credentials.
+- Audit bucket policies, ACLs, and IAM conditions (`aws:PrincipalArn`, `aws:SourceAccount`, `aws:SourceArn`).
+- Tighten cross-account access controls:
+  - Remove unintended `Principal` clauses
+  - Restrict KMS usage to known accounts
+  - Enforce SCPs that block cross-account KMS use unless explicitly approved
+
+**Long-term hardening**
+- Integrate object-level access logging and S3 server access logging into security monitoring.
+- Add AWS Config rules (or Security Hub controls) detecting:
+  - Public buckets
+  - Cross-account access to S3
+  - KMS policies permitting foreign principals
+- Document required cross-account workflows and add explicit allowlists.
+
+### Additional information
+
+- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
+- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
+- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
 """
 references = [
     "https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/",
@@ -66,7 +148,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "ab8f074c-5565-4bc4-991c-d49770e19fc9"
-setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration."
+setup = "AWS S3 data event types need to be enabled in the CloudTrail trail configuration for CopyObject events."
 severity = "medium"
 tags = [
     "Domain: Cloud",
@@ -101,13 +183,25 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 // keep ECS and dissected fields
 | keep
   @timestamp,
+  data_stream.namespace,
+  user.name,
+  user_agent.original,
+  source.ip,
   aws.cloudtrail.user_identity.arn,
-  cloud.account.id,
+  aws.cloudtrail.user_identity.type,
+  aws.cloudtrail.user_identity.access_key_id,
+  aws.cloudtrail.resources.arn,
+  aws.cloudtrail.resources.type,
   event.action,
+  event.outcome,
+  cloud.account.id,
+  cloud.region,
+  aws.cloudtrail.request_parameters,
+  aws.cloudtrail.response_elements,
   Esql.aws_cloudtrail_request_parameters_target_bucket_name,
+  Esql.aws_cloudtrail_request_parameters_target_object_key,
   Esql.aws_cloudtrail_request_parameters_kms_key_account_id,
-  Esql.aws_cloudtrail_request_parameters_kms_key_id,
-  Esql.aws_cloudtrail_request_parameters_target_object_key
+  Esql.aws_cloudtrail_request_parameters_kms_key_id
 '''
 
 
@@ -124,3 +218,26 @@ id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "aws.cloudtrail.resources.arn",
+    "aws.cloudtrail.resources.type",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements",
+    "Esql.aws_cloudtrail_request_parameters_target_bucket_name",
+    "Esql.aws_cloudtrail_request_parameters_target_object_key",
+    "Esql.aws_cloudtrail_request_parameters_kms_key_account_id",
+    "Esql.aws_cloudtrail_request_parameters_kms_key_id",
+]
+