AWS S3 Bucket Replicated to External Account for Data Exfiltration
Adversaries with write access to an AWS S3 bucket can abuse replication rules via the PutBucketReplication API call to silently exfiltrate large volumes of data to attacker-controlled accounts, bypassing object-level access controls.
Adversaries are known to exploit misconfigurations and compromised credentials within AWS environments to establish covert data exfiltration channels. One such technique involves the abuse of Amazon S3 cross-account replication. An attacker who has gained write access to an S3 bucket can configure a replication rule, using the PutBucketReplication API, to automatically copy all new or updated objects from the compromised bucket to another S3 bucket located in a different, external AWS account, which is typically under the attacker's control. This method allows for silent and continuous data exfiltration, effectively bypassing direct object-level access controls that might otherwise prevent data downloads. This tactic is particularly dangerous because once replication is configured, data flows automatically, making detection challenging without specific monitoring for configuration changes. The technique facilitates the theft of sensitive data, intellectual property, or critical logs, posing a significant risk to organizational security and compliance.
Attack Chain
- Initial Access & Reconnaissance: An attacker gains initial access to an AWS environment, often through compromised IAM credentials (e.g., access keys, console login) or exploitation of a vulnerable application. They then perform reconnaissance, using API calls like
ListBucketsandGetBucketPolicy, to identify S3 buckets containing valuable data and assess their access permissions. - Privilege Escalation/Lateral Movement: The attacker leverages their initial foothold to escalate privileges or move laterally within the AWS account to obtain IAM permissions (e.g.,
s3:PutBucketReplication,iam:PassRole) sufficient for modifying S3 bucket replication configurations. This might involve exploiting misconfigured trust policies or assuming a compromised administrative role. - Replication Role Creation/Modification: The attacker creates a new IAM role or modifies an existing one, granting it permissions to perform S3 replication (e.g.,
s3:GetObject,s3:ReplicateObject,s3:ReplicateDelete) and establishing a trust policy that allows a principal under the attacker's control to assume this role. - Configure Cross-Account Replication: The attacker executes the
PutBucketReplicationAPI call against the target S3 bucket. In this request, they specify the ARN of the IAM role created/modified in the previous step and, crucially, provide their own AWS account ID as the destination for the replicated data. - Silent Data Replication: Once the
PutBucketReplicationoperation is successful, any new objects uploaded to, or existing objects modified within, the source S3 bucket are automatically and silently copied to the attacker's designated S3 bucket in their external AWS account. - Data Collection & Exfiltration: The attacker accesses the exfiltrated data from their own AWS account, effectively bypassing the need for direct read or download access to the victim's S3 bucket. This continuous data flow provides the attacker with a steady stream of sensitive information.
Impact
Successful exploitation of S3 cross-account replication leads to the unauthorized, silent, and potentially large-scale exfiltration of sensitive data to attacker-controlled infrastructure. This can include confidential business documents, personally identifiable information (PII), intellectual property, and system logs, leading to severe data breaches, regulatory fines, reputational damage, and competitive disadvantages. The stealthy nature of this technique means that data can be continuously siphoned off over extended periods before detection, making incident response more challenging and increasing the volume of compromised information. Organizations across all sectors handling sensitive data in AWS S3 buckets are at risk, with specific impact dependent on the nature and volume of the exfiltrated data.
Recommendation
- Deploy the Sigma rule provided in this brief to your SIEM and tune it for your environment.
- Review AWS CloudTrail logs for
PutBucketReplicationevents that indicate a destinationAccount=ID outside your approved AWS Organization. - Implement AWS Service Control Policies (SCPs) to restrict cross-account S3 replication for all but explicitly approved destination accounts within your AWS Organization.
- Regularly audit IAM roles with
s3:PutBucketReplicationandiam:PassRolepermissions to ensure they adhere to the principle of least privilege. - Investigate
aws.cloudtrail.user_identity.arn,source.ip, anduser_agent.originalfields for anyPutBucketReplicationevent to identify anomalous activity. - Rotate credentials for any IAM user or role found to be involved in unauthorized replication activity.
Detection coverage 1
AWS S3 Cross-Account Replication for Exfiltration
highDetects the creation or modification of an S3 bucket replication configuration (PutBucketReplication) that targets a bucket in a different AWS account, a common technique for data exfiltration.
Detection queries are available on the platform. Get full rules →