Data Encrypted for Impact: S3 Encryption - SSE-C Key Encryption
AWS Specific Sub-Technique
Other sub-techniques of Data Encrypted for Impact (1)
ID | Name |
---|---|
T1486.A001 | S3 Encryption - SSE-C Key Encryption |
AWS Specific Content
A prerequisite for this technique is that a threat actor has already gained control of an AWS identity with the permissions to use the `s3:CopyObject` API to encrypt objects within an AWS account. Using this technique, a threat actor can use their own encryption key to encrypt the contents of a bucket, which is sometimes used as part of a ransomware campaign. This technique is related to Cloud Storage Discovery > S3 Objects and Buckets, as a threat actor may view information about buckets in the AWS account (`s3:ListBuckets`) and view objects in the buckets (`s3:ListObjects`) prior to using an encryption key in their control to encrypt objects.
Detection
AWS Specific Content
When this technique is used by the threat actor, actions taken with the obtained credentials will be logged in CloudTrail. To view object-level API activity such as `s3:CopyObject`, you will need to log data events with a separate CloudTrail trail, as object-level API activity will not show up in CloudTrail Event history. A separate CloudTrail trail gives you an ongoing record of events in your AWS account beyond the 90 days kept in Event history and can be configured to log events in multiple regions. You can review events using the console as well as the AWS CLI.
You can also create CloudWatch alarms based on specific S3 metrics or logs to alert on unusual activity. These alerts can help you identify anomalous behavior quickly. You can also set up automation that uses Amazon EventBridge and AWS Lambda to automatically take corrective measures. You can find an example implementation of a setup used to scan buckets across an organization and apply S3 Block Public Access. This blog post shows you how to audit encryption methods for object uploads in real time.
ID | Data Source | Data Component | Description |
---|---|---|---|
DS0010 | Cloud Storage | Cloud Infrastructure Log Content | If the bucket has data events enabled, look for `CopyObject` events where the `requestParameters` and `responseElements` include the use of the parameter `x-amz-server-side-encryption-customer-algorithm`. If there are such events, the event record should include the `principalId`, `accessKeyId` and `userName` values. |
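The following is an added detection example, not code from the original page. It applies the data-source guidance above to CloudTrail S3 data-event records: it keeps only `CopyObject`/`PutObject` events whose `requestParameters` or `responseElements` carry `x-amz-server-side-encryption-customer-algorithm`, and pulls out the `principalId`, `accessKeyId` and `userName` of the actor. The record layout follows CloudTrail's S3 data-event format; the sample records, bucket name, account identifiers and IP address are constructed, not real logs.

```python
"""Flag CloudTrail S3 data events that wrote objects with SSE-C (customer-provided keys).

Added detection example, not part of the original page. The sample records below
are constructed (fake identifiers, bucket and IP), not real CloudTrail output.
"""
import gzip
import json

SSEC_PARAM = "x-amz-server-side-encryption-customer-algorithm"
# S3 write operations through which a caller-supplied SSE-C key can be applied to an object.
SSEC_WRITE_EVENTS = {"CopyObject", "PutObject"}

# Constructed sample CloudTrail records (not real logs).
SAMPLE_RECORDS = [
    {  # CopyObject re-encrypting an object in place with an attacker-supplied key
        "eventTime": "2025-01-15T10:22:31Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "CopyObject",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "AIDAEXAMPLEPRINCIPAL",
            "accessKeyId": "AKIAEXAMPLEKEY000001",
            "userName": "backup-svc",
        },
        "requestParameters": {
            "bucketName": "example-finance-data",
            "key": "reports/q4.xlsx",
            "x-amz-copy-source": "example-finance-data/reports/q4.xlsx",
            SSEC_PARAM: "AES256",
        },
        "responseElements": {SSEC_PARAM: "AES256"},
    },
    {  # PutObject with SSE-C from an assumed role (role name lives under sessionIssuer)
        "eventTime": "2025-01-15T10:23:02Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEROLE:session1",
            "accessKeyId": "ASIAEXAMPLETEMP00001",
            "sessionContext": {"sessionIssuer": {"userName": "DataPipelineRole"}},
        },
        "requestParameters": {"bucketName": "example-finance-data", "key": "reports/q3.xlsx", SSEC_PARAM: "AES256"},
        "responseElements": {SSEC_PARAM: "AES256"},
    },
    {  # Ordinary SSE-S3 upload: server-managed key, must not be flagged
        "eventTime": "2025-01-15T10:24:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEOTHER", "accessKeyId": "AKIAEXAMPLEKEY000002", "userName": "etl"},
        "requestParameters": {"bucketName": "example-finance-data", "key": "raw/2025-01-15.csv", "x-amz-server-side-encryption": "AES256"},
        "responseElements": {"x-amz-server-side-encryption": "AES256"},
    },
    {  # GetObject: a read, not a write, even though SSE-C headers may appear on reads of SSE-C objects
        "eventTime": "2025-01-15T10:25:10Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEPRINCIPAL", "accessKeyId": "AKIAEXAMPLEKEY000001", "userName": "backup-svc"},
        "requestParameters": {"bucketName": "example-finance-data", "key": "reports/q4.xlsx", SSEC_PARAM: "AES256"},
        "responseElements": None,
    },
]


def uses_ssec(record):
    """True when the request or the response carries the SSE-C algorithm parameter."""
    return any(SSEC_PARAM in (record.get(section) or {}) for section in ("requestParameters", "responseElements"))


def actor_name(identity):
    """userName for IAM users; the issuing role name for assumed-role sessions."""
    return identity.get("userName") or identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def find_ssec_writes(records):
    """Return one summary dict per S3 write event that used SSE-C."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in SSEC_WRITE_EVENTS:
            continue
        if not uses_ssec(rec):
            continue
        ident = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}
        hits.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "principalId": ident.get("principalId"),
            "accessKeyId": ident.get("accessKeyId"),
            "userName": actor_name(ident),
            "sourceIPAddress": rec.get("sourceIPAddress"),
        })
    return hits


def load_cloudtrail_file(path):
    """Read the Records array from a CloudTrail log file delivered to S3 (plain or .gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return json.load(fh).get("Records", [])


if __name__ == "__main__":
    for hit in find_ssec_writes(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

Run it over the records of a real trail by replacing `SAMPLE_RECORDS` with `load_cloudtrail_file(...)` on each delivered log file; a burst of hits from one `accessKeyId` across many keys in a short window is the pattern that distinguishes a bulk re-encryption from an application that legitimately uses SSE-C.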
Mitigation
AWS Specific Content
If your applications don't use SSE-C as an encryption method, you can block the use of SSE-C with a resource policy applied to an S3 bucket, or by a resource control policy (RCP) applied to an organization in AWS Organizations.
Resource policies for S3 buckets are commonly referred to as bucket policies and allow customers to specify permissions for individual buckets in S3. A bucket policy can be applied using the S3 `PutBucketPolicy` API operation, the AWS Command Line Interface (CLI), or through the AWS Management Console. Learn more about how bucket policies work in the S3 documentation. The following example shows a bucket policy that blocks SSE-C requests for a bucket called <your-bucket-name>.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictSSECObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<your-bucket-name>/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    }
  ]
}
```
RCPs allow customers to specify the maximum available permissions that apply to resources across an entire organization in AWS Organizations. An RCP can be applied by using the AWS Organizations UpdatePolicy API operation, the AWS Command Line Interface (CLI), or through the AWS Management Console. Learn more about how RCPs work in the AWS Organizations documentation. The following example shows an RCP that blocks SSE-C requests for buckets in the organization.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictSSECObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    }
  ]
}
```
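Before relying on either policy, it is worth being able to verify that the document actually attached to a bucket (or to the organization) contains an effective SSE-C deny. The following is an added audit example, not code from the original page or from AWS: it statically evaluates a bucket policy or RCP document and reports whether some statement denies `s3:PutObject` on the bucket's objects whenever the SSE-C algorithm header is present. It makes no AWS API calls; IAM's `*` and `?` wildcards in `Action` and `Resource` are matched with `fnmatch`, `NotAction`/`NotResource` statements are conservatively treated as not blocking, and the sample policies (including the deliberately too-narrow one) are constructed.

```python
"""Check whether an S3 bucket policy or RCP contains a Deny that blocks SSE-C writes.

Added audit example, not part of the original page. Static evaluation only; the
sample policy documents below are constructed.
"""
import fnmatch
import json

SSEC_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def _as_list(value):
    """IAM allows scalars or arrays for Action, Resource, Principal and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Both "*" and {"AWS": "*"} mean every principal; anything narrower leaves a gap."""
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def _matches(patterns, target):
    """IAM-style wildcard match of a concrete action or ARN against policy patterns."""
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def statement_blocks_ssec(stmt, bucket):
    """True when stmt denies s3:PutObject on the bucket's objects whenever the SSE-C header is set."""
    if stmt.get("Effect") != "Deny":
        return False
    if not _principal_is_everyone(stmt.get("Principal")):
        return False
    if "NotAction" in stmt or "NotResource" in stmt:
        return False  # negated forms need full IAM semantics; treat as not blocking
    if not _matches(_as_list(stmt.get("Action")), "s3:PutObject"):
        return False
    if not _matches(_as_list(stmt.get("Resource")), f"arn:aws:s3:::{bucket}/*"):
        return False
    # Null == "false" means "the SSE-C key is present", i.e. the request used SSE-C.
    null_values = _as_list(stmt.get("Condition", {}).get("Null", {}).get(SSEC_CONDITION_KEY))
    return any(str(v).lower() == "false" for v in null_values)


def policy_blocks_ssec(policy, bucket):
    """Accept a policy as a dict or a JSON string (as returned by get-bucket-policy)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return any(statement_blocks_ssec(s, bucket) for s in _as_list(doc.get("Statement")))


# Constructed sample documents (not taken from any real account).
BLOCKING_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictSSECObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
    }],
}

ORG_RCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictSSECObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "*",
        "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
    }],
}

# Weak variant: the deny only covers one prefix, so the rest of the bucket stays exposed.
PARTIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictSSECUploadsPrefixOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/uploads/*",
        "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
    }],
}


if __name__ == "__main__":
    for name, doc in [("bucket policy", BLOCKING_BUCKET_POLICY), ("RCP", ORG_RCP), ("partial policy", PARTIAL_POLICY)]:
        print(f"{name}: blocks SSE-C on amzn-s3-demo-bucket = {policy_blocks_ssec(doc, 'amzn-s3-demo-bucket')}")
```

To check a live bucket, pass the `Policy` string from `aws s3api get-bucket-policy --bucket <name>` to `policy_blocks_ssec`. The check targets `s3:PutObject` rather than `s3:CopyObject` because the write of the copy's destination object is authorized as `s3:PutObject` on the destination bucket, which is why the page's policies cover the copy path described in this technique.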
Additional information on this technique is available in this blog post.
This technique is typically used by threat actors as part of a ransomware campaign. AWS has published several resources on how to protect against ransomware and mitigate some of the actions described by this technique.
It is also possible to block the use of IAM user and IAM role credentials outside of trusted IP networks using Service Control Policies. Examples of these policies are available in the aws-samples repository for data perimeters, and include a sample policy for IAM users and a sample policy for IAM roles.
ID | Mitigation | Description |
---|---|---|
AM1996 | Limit Permissions | Limit the number of IAM users with the permissions |
AM1998 | Bucket Policy | You can apply a bucket policy to restrict encryption with SSE-C keys. An example of a bucket policy that will accomplish this for the bucket named `s3://amzn-s3-demo-bucket` is outlined below (note: the customer should test this in a development environment before deploying it into production): `{ "Version": "2012-10-17", "Id": "PutObjectPolicy", "Statement": [ { "Sid": "RestrictSSECObjectUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", "Condition": { "Null": { "s3:x-amz-server-side-encryption-customer-algorithm": "false" } } } ] }` |
AM1997 | Resource Control Policies | This can be applied AWS Organization-wide using Resource Control Policies. Similar to the bucket policy above, the Resource Control Policy below can mitigate the use of encryption with SSE-C keys for all buckets within an AWS account (note: the customer should test this in a development environment before deploying it into production): `{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "*", "Condition": { "Null": { "s3:x-amz-server-side-encryption-customer-algorithm": "false" } } } ] }` |