Threat Feed
Severity: medium advisory

AWS S3 Credential File Retrieved from Bucket

This rule detects successful S3 GetObject calls targeting high-value credential and secret files commonly stored in S3 buckets, indicating potential credential access.

This detection rule identifies instances where sensitive credential files are retrieved from AWS S3 buckets. The targeted files include AWS credential and profile files (".aws/credentials", ".aws/config"), SSH private keys ("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"), environment files (".env"), PEM and PuTTY key files, and other private-key naming patterns. The rule only fires on successful GetObject calls (failed attempts carry a CloudTrail errorCode and are not matched), so every hit means the object's contents actually left the bucket. It excludes callers whose userIdentity.type is "AWSService" to avoid false positives from legitimate AWS-internal data movement such as S3 replication and Glacier restore; every other identity type, including assumed roles used by workloads, is in scope. This detection matters because credentials recovered this way are reusable outside the account: they can enable lateral movement, data exfiltration, and other malicious activity within the AWS environment and on any external system the keys grant access to.
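The matching logic described above, and the looser wildcard variant listed under detection coverage below, as a worked example. This is added illustration, not the published Sigma rule or the vendor's code: the exact-name and suffix indicators are the ones named in the description, but the wildcard pattern list is an assumption (the page does not publish it), and the CloudTrail records, account ID, ARNs, IPs and object keys are constructed sample data.

```python
"""Added example: the matching logic of the two S3 credential-file rules,
run over constructed CloudTrail S3 data-event records (not real logs)."""
import fnmatch
import json
import posixpath
from typing import Dict, List, Optional

# Indicators named in the rule description; matched at any key depth.
CREDENTIAL_FILE_NAMES = (
    ".aws/credentials", ".aws/config",
    "id_rsa", "id_ed25519", "id_ecdsa", "id_dsa",
    ".env",
)
# PEM and PuTTY key files; matched on the object's basename.
CREDENTIAL_FILE_SUFFIXES = (".pem", ".ppk")
# ASSUMPTION: the low-severity wildcard rule's pattern list is not on the
# page, so this illustrative list stands in for it.
CREDENTIAL_LIKE_GLOBS = ("*credential*", "*secret*", "*password*", "*token*")


def matches_credential_file(key: str) -> bool:
    """Medium rule: exact file names (at any depth) or key-file suffixes."""
    k = key.lower()
    base = posixpath.basename(k)
    if any(k == name or k.endswith("/" + name) for name in CREDENTIAL_FILE_NAMES):
        return True
    return base.endswith(CREDENTIAL_FILE_SUFFIXES)


def matches_credential_like(key: str) -> bool:
    """Low rule: looser glob matches on the basename only."""
    base = posixpath.basename(key.lower())
    return any(fnmatch.fnmatch(base, g) for g in CREDENTIAL_LIKE_GLOBS)


def classify(record: Dict) -> Optional[str]:
    """Return the alert severity for one CloudTrail record, or None."""
    if record.get("eventSource") != "s3.amazonaws.com" or record.get("eventName") != "GetObject":
        return None
    if "errorCode" in record:            # only successful retrievals count
        return None
    if record.get("userIdentity", {}).get("type") == "AWSService":
        return None                      # replication / Glacier restore traffic
    key = record.get("requestParameters", {}).get("key", "")
    if matches_credential_file(key):
        return "medium"
    if matches_credential_like(key):
        return "low"
    return None


def find_alerts(records: List[Dict]) -> List[Dict]:
    """Run both rules and keep the fields the advisory says to pivot on."""
    alerts = []
    for r in records:
        severity = classify(r)
        if severity is None:
            continue
        alerts.append({
            "severity": severity,
            "arn": r.get("userIdentity", {}).get("arn"),
            "source_ip": r.get("sourceIPAddress"),
            "bucket": r.get("requestParameters", {}).get("bucketName"),
            "key": r["requestParameters"]["key"],
        })
    return alerts


# Constructed sample in CloudTrail's {"Records": [...]} layout.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "corp-backups", "key": "backups/.aws/credentials"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"},
     "sourceIPAddress": "s3.amazonaws.com",
     "requestParameters": {"bucketName": "corp-backups", "key": "backups/.aws/credentials"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.3.7",
     "requestParameters": {"bucketName": "corp-app", "key": "prod/.env"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.3.7",
     "requestParameters": {"bucketName": "corp-app", "key": "exports/db_secrets.json"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/web"},
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"bucketName": "corp-app", "key": "static/logo.png"}},
]})


def load_records(text: str) -> List[Dict]:
    return json.loads(text)["Records"]


if __name__ == "__main__":
    for alert in find_alerts(load_records(SAMPLE_LOG)):
        print(alert)
```

Of the five sample records only two alert: the IAM user pulling backups/.aws/credentials (medium) and the assumed role pulling db_secrets.json (low). The replication-style AWSService read of the same credentials file and the AccessDenied attempt on prod/.env are dropped exactly as the rule's description requires. None of this produces anything unless S3 data events are actually being written to the trail, which is the point of the first recommendation below.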

Attack Chain

  1. Attacker gains initial access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.
  2. Attacker enumerates available S3 buckets within the AWS environment.
  3. Attacker identifies an S3 bucket that may contain credential files or sensitive information.
  4. Attacker crafts an S3 GetObject request targeting specific credential file names or patterns (e.g., .aws/credentials, id_rsa).
  5. The S3 GetObject request is successfully executed, and the contents of the credential file are retrieved.
  6. The retrieved credentials or keys are used to gain unauthorized access to other AWS resources or external systems.
  7. Attacker performs lateral movement within the AWS environment, escalating privileges and accessing sensitive data.

Impact

Successful retrieval of credential files from S3 buckets can lead to significant security breaches. Compromised AWS credentials can enable attackers to access sensitive data, modify infrastructure configurations, and potentially disrupt services. The impact could range from data leaks and financial losses to complete infrastructure takeover, depending on the permissions associated with the compromised credentials.

Recommendation

  • Enable S3 data event logging in CloudTrail for buckets containing sensitive data, as described in the rule's setup section. Object-level GetObject calls are data events, which a default management-events-only trail does not record, so without this step the rule has nothing to match.
  • Deploy the Sigma rule AWS S3 Credential File Retrieved from Bucket to your SIEM to detect unauthorized access to credential files in S3 buckets.
  • Investigate any alerts generated by the Sigma rule by examining aws.cloudtrail.user_identity.arn and source.ip to determine the caller’s identity and origin, as suggested in the rule’s note section.
  • Rotate any credentials stored in the accessed object if the retrieval is determined to be unauthorized, as mentioned in the rule’s note section.

Detection coverage (2 rules)

AWS S3 Credential File Retrieved from Bucket

medium

Detects successful S3 GetObject calls targeting high-value credential and secret files commonly stored in S3 buckets.

Format: sigma | Tactic: credential_access | Technique: T1552.001 | Sources: cloudtrail, aws

AWS S3 Sensitive File Access - Wildcard

low

Detects successful S3 GetObject calls targeting credential-like files using wildcard patterns.

Format: sigma | Tactic: credential_access | Technique: T1552.001 | Sources: cloudtrail, aws
