AWS Cloud Trail AWS Overly Permessive KMS
Query
AWSCloudTrail
| where EventName in ("CreateKey", "PutKeyPolicy")
and isempty(ErrorCode)
and isempty(ErrorMessage)
| mv-expand Statement = todynamic(tostring(todynamic(RequestParameters)["policy"]))["Statement"]
| extend
Action = tostring(Statement["Action"]),
Effect = tostring(Statement["Effect"]),
Principal = tostring(Statement["Principal"])
| where Effect == "Allow" and Principal has "*"// and Action has_any ("kms:Encrypt", "kms:*")
| summarize take_any(*) by AwsEventId
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
TargetRole,
TargetRoleSessionName,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
Statement = todynamic(tostring(todynamic(RequestParameters)["policy"]))["Statement"],
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This query is analyzing AWS CloudTrail logs to identify specific security-related events involving AWS Key Management Service (KMS). Here's a simplified breakdown of what the query does:
-
Filter Events: It looks for events where a key is created (
CreateKey) or a key policy is set (PutKeyPolicy), ensuring there are no errors (isempty(ErrorCode)andisempty(ErrorMessage)). -
Expand Policy Statements: For each event, it extracts and expands the policy statements from the
RequestParameters. -
Extract Key Details: It pulls out specific details from the policy statement, such as the actions allowed (
Action), the effect of the policy (Effect), and the principal (who or what is allowed access). -
Identify Broad Permissions: It filters for policies that allow actions (
Effect == "Allow") and have a principal set to wildcard (Principal has "*") which indicates broad permissions. -
Summarize Events: It summarizes the data to take any unique event by
AwsEventId. -
Invoke Additional Role Information: It calls a function
AWSIdentityRole()to get more information about the roles involved in these events. -
Select and Display Fields: Finally, it projects a list of fields to display, including details about the event, user identity, account information, and more.
In essence, this query is used to identify and review AWS KMS-related events that might pose a security risk due to overly permissive policies.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators