Classification:

attack

Tactic:

TA0040-impact

Technique:

T1486-data-encrypted-for-impact

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects attempts to encrypt AWS S3 objects using server-side encryption with customer-provided keys (SSE-C).

Strategy

This rule monitors CloudTrail logs for S3 object operations (CopyObject and PutObject) where customer-provided encryption keys are used. When external encryption is applied to S3 objects, the rule detects this by examining the @requestParameters.x-amz-server-side-encryption-customer-algorithm attribute. This activity warrants attention since attackers can leverage SSE-C encryption with their own keys to make objects inaccessible to legitimate owners, essentially enabling ransomware-style attacks.

Triage & Response

1. Verify if the detected activity aligns with approved change management processes or expected administrative actions.
2. Examine the actor {{@userIdentity.arn}} and {{@userIdentity.accessKeyId}} to determine if they are authorized to perform encryption operations on the affected S3 buckets.
3. Check if the affected S3 bucket {{@requestParameters.bucketName}} contains sensitive or critical data that would be valuable for ransomware targets.
4. Revoke the access key {{@userIdentity.accessKeyId}} if determined to be unauthorized or compromised.
5. Restore affected objects from backups if available and confirmed encrypted without authorization.
6. Implement S3 bucket policies to restrict the use of SSE-C encryption to approved roles and service accounts only.