AWS DataSync task initiated to an unknown external account

ID: aws_datasync_task_unknown
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0010:T1567

Description

AlphaSOC detected the initiation of an AWS DataSync task. AWS DataSync is a data transfer service that simplifies, automates, and accelerates moving data between on-premises storage systems and AWS storage services. Tasks initiated by AWS services are exempt from the detection to avoid false positives.

Impact

Threat actors may exploit DataSync for data exfiltration, leveraging its high-speed transfer capabilities to quickly move large volumes of sensitive data out of the organization's control to external storage, potentially resulting in data breaches, intellectual property theft, or compliance violations.

Severity

| Severity | Condition |
| --- | --- |
| Informational | DataSync task initiated |
| Low | DataSync task initiated unexpectedly |
| Medium | DataSync task initiated with a destination ARN associated with an unusual AWS account |
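
One way to express the severity conditions above as triage logic over CloudTrail records, as an added example (not AlphaSOC's rule logic). It assumes each record has been enriched with a hypothetical `destinationArn` key, reads "unexpectedly" as an initiator outside an approved list, and uses constructed account IDs and ARNs.

```python
# Added example: constructed values throughout; not AlphaSOC's rule logic.
KNOWN_ACCOUNTS = {"111122223333"}            # assumption: accounts you own
EXPECTED_INITIATORS = {                      # assumption: approved principals
    "arn:aws:iam::111122223333:role/datasync-scheduler",
}

def arn_account(arn):
    """Return the account-id field of an ARN, or None if absent or malformed."""
    parts = (arn or "").split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    return parts[4] or None  # some ARNs (e.g. S3 buckets) carry no account id

def triage(record):
    """Map one CloudTrail record to a severity, or None if out of scope/exempt."""
    if record.get("eventSource") != "datasync.amazonaws.com":
        return None
    if record.get("eventName") != "StartTaskExecution":
        return None
    identity = record.get("userIdentity", {})
    if identity.get("type") == "AWSService":  # service-initiated tasks are exempt
        return None
    # "destinationArn" is a hypothetical enrichment key, not a CloudTrail field.
    dest_account = arn_account(record.get("destinationArn"))
    if dest_account and dest_account not in KNOWN_ACCOUNTS:
        return "Medium"
    if identity.get("arn") not in EXPECTED_INITIATORS:
        return "Low"
    return "Informational"

def _rec(identity, dest_account):
    """Build a constructed sample record with only the fields triage() reads."""
    return {
        "eventSource": "datasync.amazonaws.com",
        "eventName": "StartTaskExecution",
        "userIdentity": identity,
        "destinationArn": f"arn:aws:datasync:us-east-1:{dest_account}:location/loc-example",
    }

SCHEDULER = {"type": "AssumedRole", "arn": "arn:aws:iam::111122223333:role/datasync-scheduler"}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
SAMPLES = [  # constructed records
    _rec(SCHEDULER, "111122223333"),
    _rec(ALICE, "111122223333"),
    _rec(SCHEDULER, "444455556666"),
    _rec({"type": "AWSService"}, "444455556666"),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["userIdentity"].get("arn", "AWSService"), "->", triage(rec))
```

A destination ARN with no account field does not raise the severity to Medium on its own here; resolving the owning account of such a resource is a separate lookup.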

Investigation and Remediation

Investigate the legitimacy of the DataSync task. Review the task details, including source and destination locations, data being transferred, and the identity of the initiator. If unauthorized, immediately halt the task, revoke associated credentials, and analyze logs to determine the extent of potential data loss.