PutKeyPolicy
Event
Modifies a KMS key policy to grant cross-account access or expand key usage permissions.
Security Context
- KMS key policies are resource-based policies that can grant any AWS principal permission to perform every cryptographic operation on the key, enabling an attacker to decrypt sensitive data or grant cross-account access to encryption keys.
- Modifying a key policy to add an external account effectively exfiltrates the ability to decrypt data without needing to move the encrypted data itself.
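Detection logic for the behaviour described above, as an added example (not from the page or any vendor's rule set): it decodes the policy document that a PutKeyPolicy CloudTrail record carries as a JSON string in requestParameters.policy and reports every Allow statement whose principal is "*" or lies outside the key-owning account (taken from recipientAccountId). The sample record, key ARN and account ids are constructed.

```python
import json
import re

# Constructed sample CloudTrail record (not from the page); only fields the check
# reads are shown. CloudTrail stores the key policy as a JSON-encoded string.
SAMPLE_EVENT = {
    "eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
    "recipientAccountId": "111111111111",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
        "policyName": "default",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "Admin", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
             "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
            {"Sid": "External", "Effect": "Allow", "Resource": "*",
             "Action": ["kms:Decrypt", "kms:DescribeKey"],
             "Principal": {"AWS": "arn:aws:iam::999999999999:user/outsider"}},
        ]}),
    },
}

ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _aws_principals(stmt):
    """AWS principals ("*", ARN or bare account id) named by one statement."""
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))


def external_grants(event):
    """Return (principal, actions) pairs that an Allow statement grants to a
    principal outside the key-owning account or to everyone; [] otherwise."""
    if event.get("eventName") != "PutKeyPolicy":
        return []
    owner = event["recipientAccountId"]
    policy = json.loads(event["requestParameters"]["policy"])
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt):
            m = ARN_ACCOUNT.match(principal)
            # Bare 12-digit account ids are valid principals; "*" and unknown forms are flagged.
            acct = m.group(1) if m else (principal if principal.isdigit() else None)
            if acct != owner:
                findings.append((principal, _as_list(stmt.get("Action", []))))
    return findings
```

Service principals and Deny statements are deliberately ignored; pair this with a check on bypassPolicyLockoutSafetyCheck in the same record if your environment relies on the lockout safety check.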
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.