AWS S3 Bucket Policy Modified to Share with External Account
An attacker modifies an Amazon S3 bucket policy to grant access to an external AWS account, potentially leading to unauthorized data access and exfiltration.
This alert focuses on the modification of Amazon S3 bucket policies to include external AWS accounts, a tactic that can be used for data exfiltration or establishing persistent cross-account access. The detection identifies PutBucketPolicy events where the S3 bucket's account ID differs from the account IDs referenced in the policy's Effect=Allow statements. This scenario could indicate a compromised user attaching a policy that grants access from an external AWS account controlled by the attacker. This allows continued access even if the initial compromised credentials are rotated. The rule is designed to trigger when the policy explicitly shares access with external accounts. It specifically excludes alerts where the account ID is part of the bucket’s name or resource ARN, as these are often legitimate naming conventions.
Attack Chain
- An attacker compromises AWS credentials through methods like phishing, credential stuffing, or exploiting vulnerable EC2 instances.
- The attacker uses the compromised credentials to authenticate to the AWS Management Console or via the AWS CLI.
- The attacker identifies an S3 bucket containing sensitive data as a target for exfiltration or persistence.
- The attacker crafts a malicious bucket policy that grants
s3:GetObject,s3:ListBucket, and potentiallys3:PutObjectpermissions to an external AWS account they control. - The attacker uses the
PutBucketPolicyAPI call to apply the modified policy to the target S3 bucket. The cloudtrail event logs record this event with the request parameters and resources accessed. - The external AWS account, now authorized by the modified bucket policy, accesses and exfiltrates the data using
GetObjector other API calls. - The attacker may attempt to conceal their activity by deleting CloudTrail logs or modifying other security configurations.
- The attacker maintains persistent access to the S3 bucket for continued data exfiltration or other malicious activities using the external AWS account.
Impact
A successful attack can result in the exfiltration of sensitive data stored in the S3 bucket, leading to data breaches, financial loss, reputational damage, and regulatory fines. The number of victims would depend on the contents of the bucket and the data sensitivity. Sectors commonly targeted include finance, healthcare, and technology, where valuable or regulated data is stored in cloud environments. If successful, this allows attackers to maintain long-term unauthorized access, even after initial compromised credentials are changed.
Recommendation
- Deploy the Sigma rule "AWS S3 Bucket Policy Added to Share with External Account" to your SIEM to detect malicious bucket policy modifications (rule.title).
- Review
aws.cloudtrail.user_identity.arnandaws.cloudtrail.user_identity.access_key_idfrom your CloudTrail logs to identify the actor making the policy change (rule.investigation_fields). - Monitor CloudTrail logs for
GetObject,ListBucket, orPutObjectevents originating from external AWS account IDs found in the modified bucket policies (rule.investigation_fields). - Restrict
s3:PutBucketPolicypermissions to a limited set of administrative roles using the principle of least privilege as part of your IAM hardening strategy. - Enable AWS Config rule
s3-bucket-policy-grantee-checkto monitor for unauthorized policy additions and trigger alerts.
Detection coverage 2
AWS S3 Bucket Policy Added to Share with External Account
mediumDetects when an Amazon S3 bucket policy is modified to share access with an external AWS account, potentially for data exfiltration.
AWS S3 GetObject from External Account
mediumDetects S3 GetObject requests originating from an external AWS account, after a bucket policy has been modified.
Detection queries are available on the platform. Get full rules →