Detection: CloudTrail Trail KMS Key Updated
Overview
Detect when an AWS CloudTrail trail was updated with a new AWS Key Management Service (KMS) key. Changes to the KMS key may disrupt log encryption or decryption, potentially resulting in data loss or logging interruptions. Monitoring these updates ensures encryption integrity and protects against unauthorized modifications.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.cloudtrail_trail_kms_key_updatedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.cloudtrail_trail_kms_key_updated --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'name' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'cloudtrail.amazonaws.com' and event_name = 'UpdateTrail' and (request_parameters ->> 'KmsKeyId') is not null and (response_elements ->> 'trailARN') is not null -- here we exclude console-based events by requiring 'session_credential_from_console' to be null, because console requests show all fields while CLI only shows updated fields. and session_credential_from_console is null and error_code is null
order by event_time desc;