{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bucket-replication/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["S3"],"_cs_severities":["high"],"_cs_tags":["aws","s3","exfiltration","bucket-replication"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis analytic detects the creation of S3 bucket replication rules, which can be abused to exfiltrate data to an attacker-controlled AWS account. The attacker leverages the \u003ccode\u003ePutBucketReplication\u003c/code\u003e API call within AWS CloudTrail logs to set up replication from a target S3 bucket to a destination bucket, which may be outside of the organization's control. This technique can bypass traditional perimeter defenses since the data transfer occurs within the AWS infrastructure. The activity is significant because it can indicate unauthorized data replication, potentially leading to data breaches and compliance violations. Defenders should monitor these events closely, especially when the destination bucket is outside the organization's AWS account or in an unexpected region.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to an AWS account with sufficient privileges to modify S3 bucket replication settings.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target S3 bucket containing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker creates an S3 bucket in an external AWS account under their control.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003ePutBucketReplication\u003c/code\u003e API call to create a replication rule for the target bucket. The rule specifies the attacker-controlled bucket as the destination.\u003c/li\u003e\n\u003cli\u003eAWS begins replicating objects from the target bucket to the attacker-controlled bucket.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the destination bucket to ensure successful data replication.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the replicated data from their bucket.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes the replication rule to cover their tracks, although CloudTrail logs will still record the event.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to exfiltrate potentially terabytes of data from S3 buckets without triggering typical network-based data exfiltration alerts. This could lead to significant data breaches, affecting customer PII, financial records, or intellectual property. The number of affected users/records depends on the contents of the S3 bucket. This can lead to compliance violations such as GDPR, HIPAA, or PCI DSS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all S3 buckets and monitor for \u003ccode\u003ePutBucketReplication\u003c/code\u003e events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AWS S3 Bucket Replication Creation\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003ePutBucketReplication\u003c/code\u003e events where the destination bucket is outside of your organization's AWS accounts.\u003c/li\u003e\n\u003cli\u003eReview S3 bucket policies and IAM roles to ensure least privilege and restrict access to S3 replication settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-bucket-replication-exfiltration/","summary":"An attacker enables S3 bucket replication to exfiltrate data to an external AWS account by creating a bucket replication rule.","title":"AWS S3 Bucket Replication for Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-bucket-replication-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - Bucket-Replication","version":"https://jsonfeed.org/version/1.1"}