AWS S3 Object encryption with SSE-C

Goal

Detects attempts to encrypt AWS S3 objects using server-side encryption with customer-provided keys (SSE-C).

Strategy

This rule monitors CloudTrail logs for S3 object write operations (PutObject and CopyObject) that carry a customer-provided encryption key. It does so by checking whether the @requestParameters.x-amz-server-side-encryption-customer-algorithm attribute is set on the event: a client that supplies its own key must also declare the algorithm in that header, so its presence is the signal. With SSE-C, S3 encrypts the object with the key sent in the request and does not retain that key (it keeps only a salted HMAC of it to validate later requests). An attacker who uploads objects, or copies existing objects over themselves, with a key they control therefore leaves the bucket owner with ciphertext that cannot be decrypted without that key, which is a ransomware-style attack carried out entirely through the S3 API. Note that PutObject and CopyObject are S3 data events, not management events: the rule only sees them if CloudTrail data event logging is enabled for the buckets in scope.
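The detection logic described above, as an added worked example that is not the rule's own query or any Datadog code: a small Python filter run over constructed CloudTrail-style records. The account IDs, ARNs, access key IDs and bucket names are fictitious, and the records are reduced to the fields the rule reads. It flags PutObject and CopyObject events that carry the SSE-C algorithm header, ignores an SSE-KMS upload and an SSE-C read, and keeps a denied attempt while marking it as unsuccessful, since a blocked attempt is still evidence of intent.

```python
import json

SSEC_ALGORITHM_HEADER = "x-amz-server-side-encryption-customer-algorithm"
S3_WRITE_OPERATIONS = {"PutObject", "CopyObject"}

# Constructed CloudTrail-style records for illustration (not real logs); only the
# fields the rule inspects are included. Account IDs, ARNs and key IDs are fictitious.
SAMPLE_EVENTS = [
    {   # SSE-C upload: should be flagged
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {
            "arn": "arn:aws:iam::111122223333:user/etl-uploader",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        },
        "requestParameters": {
            "bucketName": "finance-reports",
            "key": "q3/ledger.csv",
            SSEC_ALGORITHM_HEADER: "AES256",
        },
    },
    {   # CopyObject onto itself with SSE-C: in-place re-encryption, denied by policy
        "eventSource": "s3.amazonaws.com",
        "eventName": "CopyObject",
        "userIdentity": {
            "arn": "arn:aws:iam::111122223333:user/etl-uploader",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        },
        "requestParameters": {
            "bucketName": "finance-reports",
            "key": "q3/payroll.csv",
            "x-amz-copy-source": "finance-reports/q3/payroll.csv",
            SSEC_ALGORITHM_HEADER: "AES256",
        },
        "errorCode": "AccessDenied",
    },
    {   # SSE-KMS upload: AWS-managed key, not SSE-C, must not match
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {
            "arn": "arn:aws:iam::111122223333:role/ci-deploy",
            "accessKeyId": "ASIAEXAMPLE000000002",
        },
        "requestParameters": {
            "bucketName": "build-artifacts",
            "key": "app-1.4.2.tgz",
            "x-amz-server-side-encryption": "aws:kms",
        },
    },
    {   # GetObject that supplies an SSE-C key to read: a read, not a write, out of scope
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {
            "arn": "arn:aws:iam::111122223333:user/etl-uploader",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        },
        "requestParameters": {
            "bucketName": "finance-reports",
            "key": "q3/ledger.csv",
            SSEC_ALGORITHM_HEADER: "AES256",
        },
    },
]


def is_ssec_write(event):
    """True when an S3 PutObject/CopyObject record declares a customer-provided key."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in S3_WRITE_OPERATIONS:
        return False
    params = event.get("requestParameters") or {}
    # The header is only sent when the client supplies its own key, so its
    # presence (rather than a particular value) is what the rule keys on.
    return bool(params.get(SSEC_ALGORITHM_HEADER))


def find_ssec_writes(events):
    """Return one triage record per matching event, in input order.

    Denied attempts (errorCode present) are kept and marked succeeded=False.
    """
    findings = []
    for event in events:
        if not is_ssec_write(event):
            continue
        identity = event.get("userIdentity") or {}
        params = event["requestParameters"]
        findings.append({
            "operation": event["eventName"],
            "actor": identity.get("arn"),
            "access_key": identity.get("accessKeyId"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "algorithm": params[SSEC_ALGORITHM_HEADER],
            "succeeded": "errorCode" not in event,
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_ssec_writes(SAMPLE_EVENTS), indent=2))
```

The second sample record shows the pattern worth special attention during triage: a CopyObject whose x-amz-copy-source is the object itself, which re-encrypts data already in the bucket in place rather than adding new data. Feeding real exported CloudTrail records to find_ssec_writes requires nothing beyond parsing the JSON, since the field names match what CloudTrail emits.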

Triage & Response

  1. Verify whether the detected activity matches an approved change management process or an expected administrative action; legitimate SSE-C use is uncommon and is usually tied to a specific application that manages its own keys.
  2. Examine the actor {{@userIdentity.arn}} and access key {{@userIdentity.accessKeyId}} to determine whether they are authorized to write SSE-C encrypted objects to the affected buckets, and look for other unusual activity from the same principal around the same time.
  3. Check whether the affected S3 bucket {{@requestParameters.bucketName}} holds sensitive or critical data that would make it an attractive ransomware target.
  4. If the activity is determined to be unauthorized or the credential compromised, revoke the access key {{@userIdentity.accessKeyId}} and review the other credentials and permissions of the same principal.
  5. If unauthorized encryption is confirmed, restore the affected objects from backups or, where bucket versioning is enabled, from the previous object versions. Without the key used in the request, the re-encrypted objects cannot be recovered from S3 itself.
  6. Implement S3 bucket policies (and, where available, a service control policy) that deny PutObject requests carrying the SSE-C algorithm header unless they come from approved roles or service accounts.
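One way to implement the restriction in step 6, as an added example that is not part of the original rule page: a bucket policy statement that denies any PutObject request carrying the SSE-C algorithm header unless it comes from one approved role. The bucket name and the role ARN are placeholders to be replaced. CopyObject requires s3:PutObject permission on the destination object, so this single statement covers both operations the rule watches.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySSECWritesExceptApprovedRole",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/approved-ssec-writer"
        }
      }
    }
  ]
}
```

The Null condition with the value "false" matches requests in which the condition key is present, that is, requests that declare a customer-provided algorithm; requests without the header, including SSE-S3 and SSE-KMS uploads, are unaffected. Because a principal with permission to modify the bucket policy can simply remove this statement, pair it with an equivalent Deny in a service control policy where the account is part of an organization, and during triage check whether the bucket policy itself was changed shortly before the alert.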