Skip to content
Threat Feed
high advisory

AWS DynamoDB Table Exported to S3

Adversaries may exfiltrate sensitive data by leveraging compromised AWS credentials to perform the DynamoDB ExportTableToPointInTime operation, moving database contents into an Amazon S3 bucket, which facilitates unauthorized collection and exfiltration of information.

Adversaries with access to an AWS environment may exploit legitimate cloud functionalities to collect and exfiltrate sensitive data. One such method involves using the ExportTableToPointInTime operation within Amazon DynamoDB, which allows an attacker to export the entire contents of a DynamoDB table into an Amazon S3 bucket. This technique is particularly concerning as it enables large-scale data collection from NoSQL databases, posing a significant risk of data breaches and intellectual property theft. The detection focuses on identifying this ExportTableToPointInTime action in AWS CloudTrail logs, particularly when observed for the first time from a specific user or role, indicating unusual or potentially unauthorized activity. This method can bypass traditional data loss prevention mechanisms that might not monitor cloud-native exfiltration vectors.

Attack Chain

  1. Adversary gains initial access to an AWS environment, often via compromised credentials, misconfigured IAM roles, or supply chain attacks.
  2. Adversary performs internal reconnaissance to identify Amazon DynamoDB tables containing sensitive business-critical or personal identifiable information (PII).
  3. Adversary establishes persistent access or elevates privileges to obtain the necessary dynamodb:ExportTableToPointInTime permissions.
  4. Adversary invokes the ExportTableToPointInTime API call, specifying the target DynamoDB table and a controlled Amazon S3 bucket as the destination.
  5. Amazon DynamoDB processes the request, streaming the table's data to the designated S3 bucket.
  6. Adversary accesses the S3 bucket, downloads the exported data, and transfers it to external storage, completing the exfiltration of sensitive information.

Impact

Successful exfiltration of DynamoDB tables can lead to severe consequences including large-scale data breaches, loss of proprietary information, and exposure of sensitive customer data. This can result in significant financial penalties due to regulatory non-compliance (e.g., GDPR, HIPAA), severe reputational damage, erosion of customer trust, and potential litigation. The compromise of critical application data stored in DynamoDB could also lead to business disruption and competitive disadvantage.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect the ExportTableToPointInTime action.
  • Ensure comprehensive AWS CloudTrail logging is enabled for all management events across all regions, including data events for S3 and DynamoDB if necessary.
  • Review AWS IAM policies and ensure the principle of least privilege is strictly enforced, limiting dynamodb:ExportTableToPointInTime permissions only to authorized users or roles that absolutely require it.
  • Investigate all alerts generated by the AWS DynamoDB Table Exported to S3 rule, focusing on the aws.cloudtrail.user_identity.arn, source.ip, and aws.cloudtrail.request_parameters fields to understand the context and legitimacy of the export.
  • Implement strong access controls and monitoring for Amazon S3 buckets, especially those that receive data from other AWS services.

Detection coverage 1

AWS DynamoDB Table Exported to S3

high

Detects when an AWS DynamoDB table is exported to S3 using the ExportTableToPointInTime operation, which can indicate data collection or exfiltration.

sigma tactics: collection, exfiltration techniques: T1213, T1567, T1567.002 sources: cloud, aws, cloudtrail

Detection queries are available on the platform. Get full rules →