AWS S3 Object encryption with SSE-C

Goal

Detects attempts to encrypt AWS S3 objects using server-side encryption with customer-provided keys (SSE-C).

Strategy

This rule monitors CloudTrail logs for S3 object write operations (CopyObject and PutObject) in which the caller supplied its own encryption key. It identifies such requests by checking for the @requestParameters.x-amz-server-side-encryption-customer-algorithm attribute, which S3 records only when SSE-C is used. This activity warrants attention because S3 does not retain customer-provided keys: an attacker who re-encrypts objects with a key they control leaves the legitimate owner unable to decrypt the data, which is the basis of ransomware-style attacks against S3.
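
The check described above, applied to constructed CloudTrail records, as an added example that is not Datadog's rule code; the account id, ARNs, access key ids and bucket name are placeholders.

```python
# Added example (not the rule's own code). Sample events are constructed; ARNs, key ids and bucket are placeholders.
WATCHED_EVENTS = {"PutObject", "CopyObject"}
SSEC_ATTR = "x-amz-server-side-encryption-customer-algorithm"
SAMPLE_EVENTS = [
    {   # SSE-C upload: should match
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user",
                         "accessKeyId": "AKIAEXAMPLE0000000001"},
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv",
                              SSEC_ATTR: "AES256"},
    },
    {   # SSE-S3 upload (AWS-managed key, different header): should not match
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role",
                         "accessKeyId": "ASIAEXAMPLE0000000002"},
        "requestParameters": {"bucketName": "example-bucket", "key": "logs/a.txt",
                              "x-amz-server-side-encryption": "AES256"},
    },
    {   # In-place copy that re-encrypts an existing object with SSE-C: should match
        "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user",
                         "accessKeyId": "AKIAEXAMPLE0000000001"},
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q2.csv",
                              "x-amz-copy-source": "example-bucket/reports/q2.csv",
                              SSEC_ATTR: "AES256"},
    },
]

def is_ssec_write(event):
    """True when an S3 PutObject/CopyObject carried a customer-provided key (SSE-C)."""
    params = event.get("requestParameters") or {}
    return (event.get("eventSource") == "s3.amazonaws.com"
            and event.get("eventName") in WATCHED_EVENTS
            and bool(params.get(SSEC_ATTR)))

def detect_ssec(events):
    """One finding per matching event, carrying the fields the triage steps refer to."""
    findings = []
    for ev in events:
        if is_ssec_write(ev):
            ident, params = ev.get("userIdentity", {}), ev["requestParameters"]
            findings.append({"eventName": ev["eventName"], "actor": ident.get("arn"),
                             "accessKeyId": ident.get("accessKeyId"),
                             "bucketName": params.get("bucketName"), "algorithm": params[SSEC_ATTR]})
    return findings

if __name__ == "__main__":
    for finding in detect_ssec(SAMPLE_EVENTS):
        print(finding)
```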

Triage & Response

  1. Verify if the detected activity aligns with approved change management processes or expected administrative actions.
  2. Examine the actor {{@userIdentity.arn}} and {{@userIdentity.accessKeyId}} to determine if they are authorized to perform encryption operations on the affected S3 buckets.
  3. Check if the affected S3 bucket {{@requestParameters.bucketName}} contains sensitive or critical data that would be valuable for ransomware targets.
  4. Revoke the access key {{@userIdentity.accessKeyId}} if determined to be unauthorized or compromised.
  5. If the objects are confirmed to have been encrypted without authorization, restore them from backups where available.
  6. Implement S3 bucket policies to restrict the use of SSE-C encryption to approved roles and service accounts only.