AWS DynamoDB Table Exported to S3
Adversaries may exfiltrate sensitive data by leveraging compromised AWS credentials to perform the DynamoDB ExportTableToPointInTime operation, moving database contents into an Amazon S3 bucket, which facilitates unauthorized collection and exfiltration of information.
Adversaries with access to an AWS environment may exploit legitimate cloud functionalities to collect and exfiltrate sensitive data. One such method involves using the ExportTableToPointInTime operation within Amazon DynamoDB, which allows an attacker to export the entire contents of a DynamoDB table into an Amazon S3 bucket. This technique is particularly concerning as it enables large-scale data collection from NoSQL databases, posing a significant risk of data breaches and intellectual property theft. The detection focuses on identifying this ExportTableToPointInTime action in AWS CloudTrail logs, particularly when observed for the first time from a specific user or role, indicating unusual or potentially unauthorized activity. This method can bypass traditional data loss prevention mechanisms that might not monitor cloud-native exfiltration vectors.
Attack Chain
- Adversary gains initial access to an AWS environment, often via compromised credentials, misconfigured IAM roles, or supply chain attacks.
- Adversary performs internal reconnaissance to identify Amazon DynamoDB tables containing sensitive business-critical or personal identifiable information (PII).
- Adversary establishes persistent access or elevates privileges to obtain the necessary
dynamodb:ExportTableToPointInTimepermissions. - Adversary invokes the
ExportTableToPointInTimeAPI call, specifying the target DynamoDB table and a controlled Amazon S3 bucket as the destination. - Amazon DynamoDB processes the request, streaming the table's data to the designated S3 bucket.
- Adversary accesses the S3 bucket, downloads the exported data, and transfers it to external storage, completing the exfiltration of sensitive information.
Impact
Successful exfiltration of DynamoDB tables can lead to severe consequences including large-scale data breaches, loss of proprietary information, and exposure of sensitive customer data. This can result in significant financial penalties due to regulatory non-compliance (e.g., GDPR, HIPAA), severe reputational damage, erosion of customer trust, and potential litigation. The compromise of critical application data stored in DynamoDB could also lead to business disruption and competitive disadvantage.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect the
ExportTableToPointInTimeaction. - Ensure comprehensive AWS CloudTrail logging is enabled for all management events across all regions, including data events for S3 and DynamoDB if necessary.
- Review AWS IAM policies and ensure the principle of least privilege is strictly enforced, limiting
dynamodb:ExportTableToPointInTimepermissions only to authorized users or roles that absolutely require it. - Investigate all alerts generated by the
AWS DynamoDB Table Exported to S3rule, focusing on theaws.cloudtrail.user_identity.arn,source.ip, andaws.cloudtrail.request_parametersfields to understand the context and legitimacy of the export. - Implement strong access controls and monitoring for Amazon S3 buckets, especially those that receive data from other AWS services.
Detection coverage 1
AWS DynamoDB Table Exported to S3
highDetects when an AWS DynamoDB table is exported to S3 using the ExportTableToPointInTime operation, which can indicate data collection or exfiltration.
Detection queries are available on the platform. Get full rules →