New Customer Master Key Alias
This alert occurs when Lacework detects the creation of a new AWS customer master key alias.
Why this Alert is Important
When you create an alias, AWS KMS generates an alias ARN based on the alias name that you define. You can view the key and alias identifiers in the AWS Management Console and in the AWS KMS API. This denotes that an alias was created for a CMK. If an attacker or unauthorized person has access to create a CMK alias, then it is possible that they have the ability to decrypt the data or even tamper with it.
Investigation
Search for logs that indicate when a CMK alias was created and who initiated the action. Search for any suspicious activity happening around that time frame to find any indicators of compromise.
Resolution
Revert any actions performed by an unauthorized person.
Related Information
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html