AWS S3 bucket replication to an unknown external account
Description
AlphaSOC detected the use of the PutBucketReplication action, which configures AWS S3 bucket replication to an unknown external AWS account. This action creates or replaces an existing replication configuration, enabling automatic copying of bucket contents to another bucket in a different AWS account. Threat actors may exploit this to exfiltrate sensitive data to accounts under their control.
Impact
Threat actors may exfiltrate data by creating backups of AWS S3 buckets and transferring them to AWS accounts they control. This could include sensitive information, intellectual property, backups, or customer data being copied to an adversary-controlled environment.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS S3 bucket replication to an unknown external account |
Investigation and Remediation
Review AWS CloudTrail logs to investigate the AWS S3 bucket replication configuration. Verify whether the action was authorized and performed by a legitimate user. If unauthorized, disable the replication, revoke any associated AWS IAM permissions, reset the affected user's credentials, and assess the extent of potential damage.
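The CloudTrail review described above, as an added example that is not AlphaSOC's own detection code: it filters PutBucketReplication records, reads the destination account from each replication rule, and flags destinations that are neither the source account nor on an approved list (the allowlist models the backup and partner-sharing false positives). The event records are constructed, and the field layout (requestParameters.ReplicationConfiguration.Rule.Destination.Account) is a simplified assumption about how CloudTrail serialises the S3 request.

```python
# Added example; the CloudTrail field names below are an assumed, simplified shape.
# Assumption: accounts approved for DR or partner replication (constructed).
APPROVED_ACCOUNTS = {"222222222222"}

def _event(name, bucket, principal, dest_account=None):
    """Build a constructed CloudTrail-like S3 management event."""
    dest = {"Bucket": "arn:aws:s3:::replica-target"}
    if dest_account:
        dest["Account"] = dest_account
    return {
        "eventSource": "s3.amazonaws.com", "eventName": name,
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{principal}"},
        "requestParameters": {
            "bucketName": bucket,
            "ReplicationConfiguration": {"Rule": {"Destination": dest}},
        },
    }

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    _event("PutBucketReplication", "app-logs", "platform-admin"),         # same account
    _event("PutBucketReplication", "dr-data", "dr-role", "222222222222"), # approved
    _event("PutBucketReplication", "finance-exports", "contractor", "999999999999"),
    _event("PutBucketPolicy", "finance-exports", "contractor", "999999999999"),
]

def destination_accounts(event):
    """Destination account IDs in the replication rules. A single Rule may be
    serialised as an object; a rule without Destination.Account stays in the
    source account."""
    cfg = event.get("requestParameters", {}).get("ReplicationConfiguration", {})
    rules = cfg.get("Rule", [])
    rules = [rules] if isinstance(rules, dict) else rules
    source = event.get("recipientAccountId")
    return {r.get("Destination", {}).get("Account", source) for r in rules}

def find_external_replication(events, approved=APPROVED_ACCOUNTS):
    """Return (bucket, destination_account, principal_arn) for each
    PutBucketReplication whose destination is an unknown external account."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutBucketReplication":
            continue
        for acct in destination_accounts(ev):
            if acct != ev["recipientAccountId"] and acct not in approved:
                findings.append((ev["requestParameters"]["bucketName"], acct,
                                 ev["userIdentity"]["arn"]))
    return findings
```

Each finding names the bucket, the external account and the principal ARN, which is what the authorisation check and any credential reset in the remediation step need.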
Known False Positives
- Legitimate data backup or disaster recovery configurations to approved external accounts
- Authorized data sharing with business partners or clients using AWS S3 bucket replication