<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Bucket_policy - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/bucket_policy/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 02 May 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/bucket_policy/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS S3 Bucket Policy Modified to Share with External Account</title><link>https://feed.craftedsignal.io/briefs/2024-05-aws-s3-bucket-policy-exfiltration/</link><pubDate>Thu, 02 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-aws-s3-bucket-policy-exfiltration/</guid><description>An attacker modifies an Amazon S3 bucket policy to grant access to an external AWS account, potentially leading to unauthorized data access and exfiltration.</description><content:encoded><![CDATA[<p>This alert focuses on the modification of Amazon S3 bucket policies to include external AWS accounts, a tactic that can be used for data exfiltration or establishing persistent cross-account access. The detection identifies <code>PutBucketPolicy</code> events where the S3 bucket's account ID differs from the account IDs referenced in the policy's <code>Effect=Allow</code> statements. This scenario could indicate a compromised user attaching a policy that grants access from an external AWS account controlled by the attacker. This allows continued access even if the initial compromised credentials are rotated. The rule is designed to trigger when the policy explicitly shares access with external accounts. It specifically excludes alerts where the account ID is part of the bucket’s name or resource ARN, as these are often legitimate naming conventions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises AWS credentials through methods like phishing, credential stuffing, or exploiting vulnerable EC2 instances.</li>
<li>The attacker uses the compromised credentials to authenticate to the AWS Management Console or via the AWS CLI.</li>
<li>The attacker identifies an S3 bucket containing sensitive data as a target for exfiltration or persistence.</li>
<li>The attacker crafts a malicious bucket policy that grants <code>s3:GetObject</code>, <code>s3:ListBucket</code>, and potentially <code>s3:PutObject</code> permissions to an external AWS account they control.</li>
<li>The attacker uses the <code>PutBucketPolicy</code> API call to apply the modified policy to the target S3 bucket. The cloudtrail event logs record this event with the request parameters and resources accessed.</li>
<li>The external AWS account, now authorized by the modified bucket policy, accesses and exfiltrates the data using <code>GetObject</code> or other API calls.</li>
<li>The attacker may attempt to conceal their activity by deleting CloudTrail logs or modifying other security configurations.</li>
<li>The attacker maintains persistent access to the S3 bucket for continued data exfiltration or other malicious activities using the external AWS account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can result in the exfiltration of sensitive data stored in the S3 bucket, leading to data breaches, financial loss, reputational damage, and regulatory fines. The number of victims would depend on the contents of the bucket and the data sensitivity. Sectors commonly targeted include finance, healthcare, and technology, where valuable or regulated data is stored in cloud environments. If successful, this allows attackers to maintain long-term unauthorized access, even after initial compromised credentials are changed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS S3 Bucket Policy Added to Share with External Account&quot; to your SIEM to detect malicious bucket policy modifications (rule.title).</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.user_identity.access_key_id</code> from your CloudTrail logs to identify the actor making the policy change (rule.investigation_fields).</li>
<li>Monitor CloudTrail logs for <code>GetObject</code>, <code>ListBucket</code>, or <code>PutObject</code> events originating from external AWS account IDs found in the modified bucket policies (rule.investigation_fields).</li>
<li>Restrict <code>s3:PutBucketPolicy</code> permissions to a limited set of administrative roles using the principle of least privilege as part of your IAM hardening strategy.</li>
<li>Enable AWS Config rule <code>s3-bucket-policy-grantee-check</code> to monitor for unauthorized policy additions and trigger alerts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>s3</category><category>bucket_policy</category><category>exfiltration</category></item></channel></rss>