
New Customer Master Key Alias

This alert occurs when Lacework detects the creation of a new AWS customer master key alias.

Why this Alert is Important

An alias is a friendly name for a CMK. When you create one, AWS KMS generates an alias ARN based on the alias name you define; you can view the key and alias identifiers in the AWS Management Console and through the AWS KMS API. This alert means a new alias was created for a CMK. Creating an alias requires the kms:CreateAlias permission on both the alias and the target key, so an attacker or unauthorized person who can create an alias is likely to hold other KMS permissions on that key as well, which may let them decrypt the data it protects or tamper with it. Because applications commonly refer to keys by alias rather than by key ID, an alias that points to a key the attacker controls can also redirect new encryption to that key.

Investigation

Search CloudTrail for the CreateAlias event (eventSource kms.amazonaws.com) to find when the alias was created, the alias name and target key ID in requestParameters, and the principal (userIdentity) and source IP address that initiated the action. Then review other activity by that principal and on that key around the same time frame, such as CreateKey, PutKeyPolicy, CreateGrant, UpdateAlias, or Decrypt calls, for indicators of compromise.
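The following script is an added example of that investigation step, not Lacework's own detection code. It runs over constructed CloudTrail-style records embedded inline (the account ID, key IDs, ARNs and IP addresses are made up), picks out each CreateAlias call, and lists other KMS activity by the same principal within a configurable window. The set of "high-risk" event names and the 30-minute window are assumptions chosen for illustration; the CloudTrail field names (eventSource, eventName, userIdentity, requestParameters, responseElements) are the real ones.

```python
"""Triage AWS KMS CreateAlias events from CloudTrail records.

Added example for this alert page; not Lacework's detection code. Field names
follow the CloudTrail record format; the sample records below are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed CloudTrail records, trimmed to the fields used here.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-05T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateKey", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"keyMetadata": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}}},
    {"eventTime": "2024-03-05T10:02:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateAlias", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"aliasName": "alias/payments-prod",
                           "targetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
    {"eventTime": "2024-03-05T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "PutKeyPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
    {"eventTime": "2024-03-05T10:07:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-05T12:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateAlias", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"aliasName": "alias/app-logs",
                           "targetKeyId": "abcd1234-ab12-cd34-ef56-abcdef123456"}},
]

# Assumed triage heuristic: KMS calls that, from the same principal near the
# alias creation, suggest the actor controls or can repoint the key.
HIGH_RISK_EVENTS = {"CreateKey", "PutKeyPolicy", "CreateGrant", "UpdateAlias",
                    "DeleteAlias", "ScheduleKeyDeletion", "DisableKey", "Decrypt"}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_alias_creations(records):
    """Return CreateAlias records from the KMS event source, oldest first."""
    hits = [r for r in records
            if r.get("eventSource") == "kms.amazonaws.com"
            and r.get("eventName") == "CreateAlias"]
    return sorted(hits, key=lambda r: parse_time(r["eventTime"]))


def related_activity(records, event, window=timedelta(minutes=30)):
    """Other KMS calls by the same principal within +/- window of the event."""
    actor = event["userIdentity"]["arn"]
    t0 = parse_time(event["eventTime"])
    related = [r for r in records
               if r is not event
               and r.get("eventSource") == "kms.amazonaws.com"
               and r.get("userIdentity", {}).get("arn") == actor
               and abs(parse_time(r["eventTime"]) - t0) <= window]
    return sorted(related, key=lambda r: parse_time(r["eventTime"]))


def triage(records):
    """Summarise each CreateAlias: who, what, when, and nearby activity."""
    out = []
    for ev in find_alias_creations(records):
        params = ev.get("requestParameters", {})
        related = related_activity(records, ev)
        key_id = params.get("targetKeyId")
        # Alias points at a key the same principal created just before: check
        # this first, since that key's policy is under their control.
        created_own_key = any(
            r["eventName"] == "CreateKey"
            and r.get("responseElements", {}).get("keyMetadata", {}).get("keyId") == key_id
            for r in related)
        risky = sorted({r["eventName"] for r in related} & HIGH_RISK_EVENTS)
        out.append({
            "time": ev["eventTime"],
            "alias": params.get("aliasName"),
            "target_key": key_id,
            "actor": ev["userIdentity"]["arn"],
            "source_ip": ev.get("sourceIPAddress"),
            "region": ev.get("awsRegion"),
            "related": [(r["eventTime"], r["eventName"]) for r in related],
            "risky_events": risky,
            "created_own_key": created_own_key,
            "needs_review": bool(risky) or created_own_key,
        })
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding, indent=2))
```

On the sample data the first alias is flagged for review because the same user created the target key, rewrote its policy and called Decrypt within a few minutes; the second alias, created by a deployment role with no surrounding KMS activity, is not. Against real data, feed the script the Records array of a CloudTrail log file and tune the window and event set to your environment.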

Resolution

If the alias was created by an unauthorized person, revert their actions: delete the alias (DeleteAlias), review and restore the key policy and grants on the target key, and revoke or rotate the credentials that were used. If the alias creation was expected, record it so that future alerts of this type can be triaged quickly.

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html