AWS S3 Bucket Replicated to Another Account
Detection of S3 bucket replication configurations sending data to a different AWS account, potentially indicating unauthorized data exfiltration by adversaries abusing replication rules.
The rule identifies the creation or modification of an S3 bucket replication configuration that sends data to a bucket in a different AWS account, a technique adversaries with write access to an S3 bucket may abuse to silently exfiltrate data. Cross-account replication, while legitimate for backup and disaster recovery, can be exploited to covertly exfiltrate large data volumes to attacker-controlled accounts. The rule detects PutBucketReplication events where the configured destination account differs from the source bucket's account, which may indicate unauthorized cross-account data movement.
Attack Chain
- Attacker gains initial access to an AWS account, possibly through compromised credentials or an insecure IAM role.
- The attacker obtains write access to an S3 bucket within the compromised account.
- The attacker uses the
PutBucketReplicationAPI call to configure replication from the compromised S3 bucket to a bucket in a different, attacker-controlled AWS account. Theaws.cloudtrail.request_parameterswill contain the destinationAccountID. - The attacker configures an IAM role with necessary permissions for S3 replication. The
aws.cloudtrail.request_parameterslogs this viaRole=value. - Data is written to the source S3 bucket, triggering the replication process.
- The S3 service automatically copies new objects and updates to the destination bucket in the attacker-controlled account.
- The attacker accesses the replicated data from the destination bucket, completing the exfiltration.
Impact
Successful exploitation results in the unauthorized exfiltration of data from the compromised AWS account to an attacker-controlled AWS account. The impact depends on the sensitivity of the data stored in the S3 bucket. This could lead to data breaches, compliance violations, and reputational damage. The number of affected buckets and accounts can vary depending on the scope of the initial compromise and the attacker's objectives.
Recommendation
- Deploy the Sigma rule "AWS S3 Bucket Replicated to Another Account" to your SIEM and tune for your environment to detect suspicious cross-account replication activity.
- Inspect
aws.cloudtrail.user_identity.arnandaws.cloudtrail.user_identity.access_key_idin AWS CloudTrail logs to identify the actor initiating the replication changes. - Enforce AWS SCPs that restrict cross-account replication except for explicitly approved destinations as a preventive measure.
Detection coverage 2
AWS S3 Bucket Replicated to Another Account
mediumDetects creation or modification of S3 bucket replication configuration to an external AWS account.
AWS S3 Replication Role Creation
lowDetects the creation of an IAM role that is used for S3 replication.
Detection queries are available on the platform. Get full rules →