Query Details
AWSCloudTrail
| where EventName == "PutObject" and RequestParameters has_any ("x-amz-server-side-encryption-aws-kms-key-id", "x-amz-server-side-encryption-customer-algorithm")
| extend
    BucketName = tostring(todynamic(RequestParameters)["bucketName"]),
    ObjectName = tostring(todynamic(RequestParameters)["key"]),
    KmsKeyId = tostring(todynamic(RequestParameters)["x-amz-server-side-encryption-aws-kms-key-id"])
| where not(isnotempty(KmsKeyId) and KmsKeyId has RecipientAccountId)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    BucketName,
    ObjectName,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId
This query looks at AWS CloudTrail data for PutObject events in which an object is uploaded with server-side encryption using either an AWS KMS key (SSE-KMS) or a customer-provided key (SSE-C). It then extracts the bucket name, object name and KMS key ID from the request parameters. It filters out uploads whose KMS key ID contains the recipient account ID, so that only uploads encrypted with a KMS key from another account, or with a customer-provided key (where no KMS key ID is present), remain. Finally, it enriches the event with identity and role details via AWSIdentityRole() before projecting the desired output fields.
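The same filtering logic, reimplemented in Python over a handful of constructed CloudTrail records so the behaviour of each clause can be checked offline. This is an added example, not part of the original query page or of the Sentinel AWS solution; the account IDs, key ARNs, bucket and object names are made up, and kql_has() is an approximation of the KQL has operator (case-insensitive whole-term match, terms split on non-alphanumeric characters), which is what lets a 12-digit account ID be matched inside a key ARN.

```python
import json
import re
from typing import Optional

# Constructed sample rows shaped like the Sentinel AWSCloudTrail table; RequestParameters
# is the JSON string CloudTrail emits. All account IDs, ARNs and names are made up.
SAMPLE_EVENTS = [
    # 1. SSE-KMS with a key owned by the recipient account: benign, filtered out.
    {"EventName": "PutObject", "RecipientAccountId": "111111111111",
     "RequestParameters": json.dumps({
         "bucketName": "finance-archive", "key": "2024/q1.csv",
         "x-amz-server-side-encryption": "aws:kms",
         "x-amz-server-side-encryption-aws-kms-key-id":
             "arn:aws:kms:us-east-1:111111111111:key/0000aaaa-0000-0000-0000-000000000001"})},
    # 2. SSE-KMS with a key from a different account: kept.
    {"EventName": "PutObject", "RecipientAccountId": "111111111111",
     "RequestParameters": json.dumps({
         "bucketName": "finance-archive", "key": "2024/q2.csv",
         "x-amz-server-side-encryption": "aws:kms",
         "x-amz-server-side-encryption-aws-kms-key-id":
             "arn:aws:kms:us-east-1:999999999999:key/0000bbbb-0000-0000-0000-000000000002"})},
    # 3. SSE-C: customer-provided key, so no KMS key ID at all: kept.
    {"EventName": "PutObject", "RecipientAccountId": "111111111111",
     "RequestParameters": json.dumps({
         "bucketName": "finance-archive", "key": "2024/q3.csv",
         "x-amz-server-side-encryption-customer-algorithm": "AES256"})},
    # 4. SSE-S3 upload without KMS or SSE-C headers: never selected by has_any.
    {"EventName": "PutObject", "RecipientAccountId": "111111111111",
     "RequestParameters": json.dumps({
         "bucketName": "finance-archive", "key": "2024/q4.csv",
         "x-amz-server-side-encryption": "AES256"})},
    # 5. Not a PutObject: never selected.
    {"EventName": "GetObject", "RecipientAccountId": "111111111111",
     "RequestParameters": json.dumps({
         "bucketName": "finance-archive", "key": "2024/q1.csv",
         "x-amz-server-side-encryption-aws-kms-key-id":
             "arn:aws:kms:us-east-1:999999999999:key/0000bbbb-0000-0000-0000-000000000002"})},
]

# The two request headers the query's has_any clause looks for.
ENCRYPTION_MARKERS = (
    "x-amz-server-side-encryption-aws-kms-key-id",
    "x-amz-server-side-encryption-customer-algorithm",
)


def kql_has(text: str, term: str) -> bool:
    """Approximation of KQL 'has': case-insensitive whole-term match, terms split on
    non-alphanumerics. A 12-digit account ID is one term inside a KMS key ARN."""
    terms = (t.lower() for t in re.split(r"[^0-9A-Za-z]+", text) if t)
    return term.lower() in terms


def is_suspicious_put(event: dict) -> Optional[dict]:
    """Apply the query's where/extend/where clauses to one row.

    Returns the extracted columns when the row survives all filters, else None."""
    if event.get("EventName") != "PutObject":
        return None
    raw = event.get("RequestParameters", "")
    # has_any over the raw RequestParameters string, as in the query.
    if not any(marker in raw for marker in ENCRYPTION_MARKERS):
        return None
    params = json.loads(raw)
    # tostring(todynamic(...)["..."]) yields "" when the field is absent.
    kms_key_id = str(params.get("x-amz-server-side-encryption-aws-kms-key-id") or "")
    recipient = event["RecipientAccountId"]
    # where not(isnotempty(KmsKeyId) and KmsKeyId has RecipientAccountId)
    if kms_key_id and kql_has(kms_key_id, recipient):
        return None
    return {
        "BucketName": str(params.get("bucketName", "")),
        "ObjectName": str(params.get("key", "")),
        "KmsKeyId": kms_key_id,
        "RecipientAccountId": recipient,
        # Why the row was kept: foreign KMS key, or SSE-C with no KMS key ID.
        "Reason": "kms-key-outside-account" if kms_key_id else "sse-c-customer-key",
    }


def run_detection(events) -> list:
    """Run the filter over a batch of rows and return the surviving ones in order."""
    return [row for row in (is_suspicious_put(e) for e in events) if row is not None]


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it against the five constructed rows keeps only rows 2 and 3: the upload encrypted with a KMS key from account 999999999999, and the SSE-C upload that carries no KMS key ID. The term-based match in kql_has() matters: a substring check would also match a key ARN whose account number merely contains the recipient's digits, while the KQL has operator (and this approximation) requires the whole 12-digit token.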

Jose Sebastián Canós
Released: April 1, 2024