Detection | high | experimental
AWS KMS Imported Key Material Usage
Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
Log Source
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic
detection:
    selection:
        eventSource: 'kms.amazonaws.com'
        eventName:
            - 'ImportKeyMaterial'
            - 'DeleteImportedKeyMaterial'
    condition: selection
False Positives
Legitimate use cases for imported key material are rare, but may include:
- Organizations with hybrid cloud architectures that import external key material for compliance requirements.
- Development or testing environments that simulate external key management scenarios.
Even in these cases, such activity is typically infrequent and should not add significant noise.
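The selection from the Detection Logic section, applied to a CloudTrail log file. This is an added example, not part of the rule or its project; the sample records, ARNs and key ID are constructed placeholders, and the triage fields (userIdentity.arn, requestParameters.keyId, errorCode) are an assumption about what an analyst would want from each hit.

```python
import json

# Selection from the rule above: fields are ANDed, values in a list are ORed.
SELECTION = {
    "eventSource": ["kms.amazonaws.com"],
    "eventName": ["ImportKeyMaterial", "DeleteImportedKeyMaterial"],
}

# Constructed CloudTrail log file; ARNs, account and key IDs are placeholders.
USER = {"arn": "arn:aws:iam::111122223333:user/example-user"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ImportKeyMaterial", "userIdentity": USER,
     "requestParameters": {"keyId": "example-key-id"}},
    {"eventTime": "2025-01-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DeleteImportedKeyMaterial", "userIdentity": USER,
     "requestParameters": {"keyId": "example-key-id"}, "errorCode": "AccessDenied"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "requestParameters": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "ImportKeyMaterial"},
]})


def matches(event, selection=SELECTION):
    """Sigma plain-string matching: case-insensitive equality on every field."""
    for field, allowed in selection.items():
        value = event.get(field)
        if not isinstance(value, str) or value.lower() not in [a.lower() for a in allowed]:
            return False
    return True


def detect(log_text):
    """Return one triage record per matching event in a CloudTrail log file."""
    hits = []
    for ev in filter(matches, json.loads(log_text).get("Records", [])):
        hits.append({
            "time": ev.get("eventTime"),
            "action": ev.get("eventName"),
            "principal": (ev.get("userIdentity") or {}).get("arn", "unknown"),
            "key": (ev.get("requestParameters") or {}).get("keyId", "unknown"),
            # The rule has no errorCode filter, so denied attempts alert too.
            "succeeded": "errorCode" not in ev,
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Because the rule matches on eventSource and eventName only, a denied call raises the same alert as a successful one; the succeeded flag lets triage separate the two.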
MITRE ATT&CK
Techniques
Sub-techniques
Rule Metadata
Rule ID
1279262f-1464-422f-ac0d-5b545320c526
Status
experimental
Level
high
Type
Detection
Created
Sat Oct 18
Author
Path
rules/cloud/aws/cloudtrail/aws_kms_import_key_material.yml
Raw Tags
attack.impact, attack.t1486, attack.resource-development, attack.t1608.003