Try in Splunk Security Cloud


This search provides detection of KMS keys where action kms:Encrypt is accessible for everyone (also outside of your organization). This is an indicator that your account is compromised and the attacker uses the encryption key to compromise another company.

  • Type: TTP
  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-01-11
  • Author: Rod Soto, Patrick Bareiss Splunk
  • ID: c79c164f-4b21-4847-98f9-cf6a9f49179e


ID Technique Tactic
T1486 Data Encrypted for Impact Impact
`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy 
| spath input=requestParameters.policy output=key_policy_statements path=Statement{} 
| mvexpand key_policy_statements 
| spath input=key_policy_statements output=key_policy_action_1 path=Action 
| spath input=key_policy_statements output=key_policy_action_2 path=Action{} 
| eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) 
| spath input=key_policy_statements output=key_policy_principal path=Principal.AWS 
| search key_policy_action="kms:Encrypt" AND key_policy_principal="*" 
| stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 

Associated Analytic Story

How To Implement

You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs

Required field

  • _time
  • eventName
  • eventSource
  • eventID
  • awsRegion
  • requestParameters.policy
  • userIdentity.principalId

Kill Chain Phase

Known False Positives



Risk Score Impact Confidence Message
25.0 50 50 AWS account is potentially compromised and user $userIdentity.principalId$ is trying to compromise other accounts.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1