Suspicious objects encryption in an AWS bucket

Cortex XDR Analytics Alert Reference by Alert name

Activation Period: 14 Days

Training Period: 30 Days

Test Period: 1 Hour

Deduplication Period: 1 Day

Required Data:
  • Requires:
    • AWS Audit Log

Detection Modules:

ATT&CK Tactic: Impact (TA0040)

ATT&CK Technique: Data Encrypted for Impact (T1486)


An AWS KMS key owned by an account outside the organization was used, for the first time, to encrypt multiple objects in the bucket.
This may indicate an attacker's attempt to perform a ransomware attack against the organization's cloud environment.

Attacker's Goals

  • Gain monetary compensation in exchange for decryption or the decryption key.
  • Permanently deny access to important storage objects.

Investigative actions

  • Check whether the external KMS key belongs to a legitimate encryption service.
  • Check whether the identity performed enumeration activity to find insecure S3 buckets, i.e. buckets configured without versioning and MFA Delete.
  • Detect additional buckets that were encrypted using the same external KMS service.
  • Disable the identity from which the external service was configured.
  • Enable versioning on every critical bucket.
  • Enable MFA Delete on every critical bucket.
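As an added illustration of the condition this alert describes (example code, not Cortex XDR's own detection logic), the following Python groups constructed CloudTrail S3 data events by the account that owns the SSE-KMS key and flags every bucket in which one identity encrypted several objects with a key from outside the organization's accounts, which also answers the "additional buckets encrypted with the same external KMS key" investigative step. The event field names, the organization account list and the object threshold are assumptions.

```python
from collections import defaultdict

# Account IDs that belong to the organization (constructed assumption for this example).
ORG_ACCOUNTS = {"111111111111"}


def kms_key_account(key_id):
    """Return the account ID embedded in a KMS key ARN, or None for a bare key ID or alias."""
    parts = key_id.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "kms":
        return parts[4]
    return None  # no account is recoverable, so treat as unknown rather than foreign


def foreign_kms_writes(events, org_accounts=ORG_ACCOUNTS):
    """Group SSE-KMS PutObject/CopyObject events by (bucket, key ARN, identity) for foreign keys."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        rp = ev.get("requestParameters", {})
        if rp.get("x-amz-server-side-encryption") != "aws:kms":
            continue  # not KMS-encrypted (SSE-S3 or plaintext), so not relevant here
        key_arn = rp.get("x-amz-server-side-encryption-aws-kms-key-id", "")
        owner = kms_key_account(key_arn)
        if owner is None or owner in org_accounts:
            continue  # unknown owner or a key the organization itself owns
        ident = ev.get("userIdentity", {}).get("arn", "unknown")
        groups[(rp.get("bucketName"), key_arn, ident)].append(rp.get("key"))
    return groups


def alerts(events, org_accounts=ORG_ACCOUNTS, threshold=3):
    """One finding per (bucket, key, identity) that encrypted at least `threshold` objects."""
    return [{"bucket": b, "kms_key": k, "identity": i, "objects": objs}
            for (b, k, i), objs in foreign_kms_writes(events, org_accounts).items()
            if len(objs) >= threshold]


# Constructed sample events in the CloudTrail S3 data-event layout (not real logs).
FOREIGN_KEY = "arn:aws:kms:us-east-1:999999999999:key/1111aaaa-0000-4000-8000-000000000001"
OWN_KEY = "arn:aws:kms:us-east-1:111111111111:key/2222bbbb-0000-4000-8000-000000000002"

def _put(bucket, obj, key_id, who="arn:aws:iam::111111111111:user/ops"):
    return {"eventName": "PutObject", "userIdentity": {"arn": who},
            "requestParameters": {"bucketName": bucket, "key": obj, "x-amz-server-side-encryption": "aws:kms",
                                  "x-amz-server-side-encryption-aws-kms-key-id": key_id}}

SAMPLE_EVENTS = [_put("finance-data", f"reports/q{i}.csv", FOREIGN_KEY) for i in range(1, 5)]
SAMPLE_EVENTS += [_put("finance-data", "readme.txt", OWN_KEY), _put("hr-data", "a.pdf", FOREIGN_KEY)]
```

Lowering `threshold` to 1 surfaces the single `hr-data` write with the same foreign key, which is the pivot the investigative actions ask for.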