AWS S3 Object encryption with SSE-C
Goal
Detects attempts to encrypt AWS S3 objects using server-side encryption with customer-provided keys (SSE-C).
Strategy
This rule monitors CloudTrail logs for S3 object write operations (CopyObject and PutObject) where customer-provided encryption keys are used. When an object is written with SSE-C, the rule detects this by examining the @requestParameters.x-amz-server-side-encryption-customer-algorithm attribute of the event. This activity warrants attention since attackers can leverage SSE-C encryption with their own keys to make objects inaccessible to legitimate owners, essentially enabling ransomware-style attacks.
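As an added illustration of the detection logic described above (example code, not the rule's own query or Datadog's implementation), the following Python applies the same event-source, event-name and SSE-C-attribute checks to constructed CloudTrail S3 data events and pulls out the fields the triage steps reference. The account number, ARNs, access key IDs, bucket and object keys are placeholders.

```python
SSEC_ATTR = "x-amz-server-side-encryption-customer-algorithm"
WRITE_OPS = {"PutObject", "CopyObject"}

# Constructed sample CloudTrail S3 data events (placeholder account, ARNs, key IDs
# and bucket; not real logs). Field layout follows the CloudTrail S3 data-event schema.
SAMPLE_EVENTS = [
    {   # PutObject with a customer-provided key: should alert
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                         "accessKeyId": "AKIAEXAMPLEKEY00001"},
        "requestParameters": {"bucketName": "finance-reports", "key": "q1/ledger.xlsx",
                              SSEC_ATTR: "AES256"},
    },
    {   # CopyObject re-writing an existing object under SSE-C: should alert
        "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42",
                         "accessKeyId": "ASIAEXAMPLEKEY00002"},
        "requestParameters": {"bucketName": "finance-reports", "key": "q1/ledger.xlsx",
                              SSEC_ATTR: "AES256"},
    },
    {   # PutObject with SSE-KMS: the key stays in the account's KMS, no alert
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                         "accessKeyId": "AKIAEXAMPLEKEY00003"},
        "requestParameters": {"bucketName": "finance-reports", "key": "q2/ledger.xlsx",
                              "x-amz-server-side-encryption": "aws:kms"},
    },
    {   # GetObject supplying the SSE-C header to read an object: not a write, no alert
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                         "accessKeyId": "AKIAEXAMPLEKEY00001"},
        "requestParameters": {"bucketName": "finance-reports", "key": "q1/ledger.xlsx",
                              SSEC_ATTR: "AES256"},
    },
]

def is_ssec_write(event: dict) -> bool:
    """True when an S3 PutObject/CopyObject request carried a customer-provided key."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in WRITE_OPS:
        return False
    params = event.get("requestParameters") or {}
    return bool(params.get(SSEC_ATTR))  # the attribute the rule examines

def triage_fields(event: dict) -> dict:
    """Pull the fields the triage steps reference: actor, access key, bucket, object key."""
    ident, params = event.get("userIdentity") or {}, event.get("requestParameters") or {}
    return {"eventName": event.get("eventName"), "actor": ident.get("arn"),
            "accessKeyId": ident.get("accessKeyId"),
            "bucket": params.get("bucketName"), "key": params.get("key")}

def scan(events) -> list:
    """Return one triage record for every event the rule would flag."""
    return [triage_fields(e) for e in events if is_ssec_write(e)]
```

Running scan(SAMPLE_EVENTS) flags only the first two events; the SSE-KMS write and the SSE-C read are left alone, which is why the event-name filter matters as much as the attribute check.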
Triage & Response
- Verify if the detected activity aligns with approved change management processes or expected administrative actions.
- Examine the actor {{@userIdentity.arn}} and {{@userIdentity.accessKeyId}} to determine if they are authorized to perform encryption operations on the affected S3 buckets.
- Check if the affected S3 bucket {{@requestParameters.bucketName}} contains sensitive or critical data that would be valuable for ransomware targets.
- Revoke the access key {{@userIdentity.accessKeyId}} if determined to be unauthorized or compromised.
- Restore affected objects from backups if available and confirmed encrypted without authorization.
- Implement S3 bucket policies to restrict the use of SSE-C encryption to approved roles and service accounts only.