{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bucket_policy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["S3"],"_cs_severities":["medium"],"_cs_tags":["aws","s3","bucket_policy","exfiltration"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert focuses on the modification of Amazon S3 bucket policies to include external AWS accounts, a tactic that can be used for data exfiltration or establishing persistent cross-account access. The detection identifies \u003ccode\u003ePutBucketPolicy\u003c/code\u003e events where the S3 bucket's account ID differs from the account IDs referenced in the policy's \u003ccode\u003eEffect=Allow\u003c/code\u003e statements. This scenario could indicate a compromised user attaching a policy that grants access from an external AWS account controlled by the attacker. This allows continued access even if the initial compromised credentials are rotated. The rule is designed to trigger when the policy explicitly shares access with external accounts. It specifically excludes alerts where the account ID is part of the bucket’s name or resource ARN, as these are often legitimate naming conventions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises AWS credentials through methods like phishing, credential stuffing, or exploiting vulnerable EC2 instances.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to authenticate to the AWS Management Console or via the AWS CLI.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an S3 bucket containing sensitive data as a target for exfiltration or persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious bucket policy that grants \u003ccode\u003es3:GetObject\u003c/code\u003e, \u003ccode\u003es3:ListBucket\u003c/code\u003e, and potentially \u003ccode\u003es3:PutObject\u003c/code\u003e permissions to an external AWS account they control.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003ePutBucketPolicy\u003c/code\u003e API call to apply the modified policy to the target S3 bucket. The cloudtrail event logs record this event with the request parameters and resources accessed.\u003c/li\u003e\n\u003cli\u003eThe external AWS account, now authorized by the modified bucket policy, accesses and exfiltrates the data using \u003ccode\u003eGetObject\u003c/code\u003e or other API calls.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to conceal their activity by deleting CloudTrail logs or modifying other security configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the S3 bucket for continued data exfiltration or other malicious activities using the external AWS account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in the exfiltration of sensitive data stored in the S3 bucket, leading to data breaches, financial loss, reputational damage, and regulatory fines. The number of victims would depend on the contents of the bucket and the data sensitivity. Sectors commonly targeted include finance, healthcare, and technology, where valuable or regulated data is stored in cloud environments. If successful, this allows attackers to maintain long-term unauthorized access, even after initial compromised credentials are changed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS S3 Bucket Policy Added to Share with External Account\u0026quot; to your SIEM to detect malicious bucket policy modifications (rule.title).\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e from your CloudTrail logs to identify the actor making the policy change (rule.investigation_fields).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for \u003ccode\u003eGetObject\u003c/code\u003e, \u003ccode\u003eListBucket\u003c/code\u003e, or \u003ccode\u003ePutObject\u003c/code\u003e events originating from external AWS account IDs found in the modified bucket policies (rule.investigation_fields).\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003es3:PutBucketPolicy\u003c/code\u003e permissions to a limited set of administrative roles using the principle of least privilege as part of your IAM hardening strategy.\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rule \u003ccode\u003es3-bucket-policy-grantee-check\u003c/code\u003e to monitor for unauthorized policy additions and trigger alerts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T12:00:00Z","date_published":"2024-05-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-aws-s3-bucket-policy-exfiltration/","summary":"An attacker modifies an Amazon S3 bucket policy to grant access to an external AWS account, potentially leading to unauthorized data access and exfiltration.","title":"AWS S3 Bucket Policy Modified to Share with External Account","url":"https://feed.craftedsignal.io/briefs/2024-05-aws-s3-bucket-policy-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - Bucket_policy","version":"https://jsonfeed.org/version/1.1"}