AWS S3 bucket replication to an unknown external account

ID:aws_s3_bucket_replication_unknown
Data type:AWS CloudTrail
Severity:Medium
MITRE ATT&CK:TA0010:T1567.002

Description

AlphaSOC detected the use of the PutBucketReplication action, which configured AWS S3 bucket replication to an unknown external AWS account. This action creates or replaces a bucket's replication configuration, after which S3 automatically copies objects written to the source bucket into the destination bucket, in this case a bucket owned by an AWS account that is not known to the organization. Threat actors may use this to exfiltrate sensitive data to accounts under their control without any further API calls against the source bucket.

Impact

Threat actors may exfiltrate data by replicating the contents of AWS S3 buckets to buckets in AWS accounts they control. Once the configuration is in place, every object written to the source bucket is copied to the adversary's bucket until the replication rule is removed, so the exposure grows for as long as the configuration goes unnoticed (objects that already existed before the rule was created are only copied if S3 Batch Replication is also run). The replicated data could include sensitive information, intellectual property, backups, or customer data.

Severity

Severity   Condition
Medium     AWS S3 bucket replication to an unknown external account

Investigation and Remediation

Review the PutBucketReplication record in AWS CloudTrail. Identify the caller (userIdentity), the source IP address (sourceIPAddress), the source bucket (requestParameters.bucketName), the destination bucket and owner account in the rule's Destination block, and the IAM role named in the replication configuration, which the destination account must have trusted in its bucket policy. Confirm with the bucket owner whether the destination account is approved; also check for related activity by the same principal, such as enabling versioning on the bucket (replication requires it), creating or modifying the replication role, or assuming a role from an unfamiliar account.

If the change was unauthorized, remove the replication configuration (DeleteBucketReplication), revoke the associated AWS IAM permissions, rotate the affected user's credentials, and assess the extent of the exposure: every object written to the bucket between the time the configuration was created and the time it was removed should be treated as copied to the external account, since objects already replicated cannot be recalled.
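The following triage helper is an added example, not AlphaSOC's detection logic or AWS code. It parses a CloudTrail record for PutBucketReplication, pulls the destination bucket (and, when recorded, the destination owner account) out of the replication configuration, and flags any destination that is not in an allowlist of accounts and buckets the organization controls or has approved, which is how the approved disaster-recovery and partner-sharing cases are separated from an unknown account. The sample records and the allowlist are constructed; the exact layout of requestParameters in a real CloudTrail record (in particular whether a single rule is logged as a dict or a list, and whether Destination.Account is present) is an assumption to check against your own logs.

```python
"""Triage helper for PutBucketReplication CloudTrail events (added example).

Flags replication destinations that are not in an allowlist of known
accounts/buckets. Not AlphaSOC's or AWS's code; field layout is assumed.
"""
import json
import re

# Constructed allowlist: accounts and buckets the organization owns or has
# approved (e.g. a DR account, a partner's ingest bucket). Replace with a
# real inventory (AWS Organizations account list, bucket inventory).
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}
KNOWN_BUCKETS = {"corp-dr-replica", "partner-shared-ingest"}

_ARN_RE = re.compile(r"^arn:aws:s3:::([^/]+)")


def _rules(config):
    """Assumption: a single rule may be logged as a dict, several as a list."""
    rule = config.get("Rule", config.get("Rules", []))
    return rule if isinstance(rule, list) else [rule]


def replication_destinations(event):
    """Yield (bucket_name, owner_account_or_None) for each replication rule."""
    params = event.get("requestParameters") or {}
    config = params.get("ReplicationConfiguration") or {}
    for rule in _rules(config):
        dest = rule.get("Destination") or {}
        arn = dest.get("Bucket", "")
        match = _ARN_RE.match(arn)
        yield (match.group(1) if match else arn), dest.get("Account")


def triage(event, known_accounts=KNOWN_ACCOUNTS, known_buckets=KNOWN_BUCKETS):
    """Return a list of findings for one CloudTrail record.

    A destination is unknown when its owner account (if recorded) is not
    allowlisted or, when no Account field is present, when the bucket name
    is not in the bucket inventory. Same-account replication is ignored by
    comparing against the record's recipientAccountId.
    """
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "PutBucketReplication"):
        return []
    own_account = event.get("recipientAccountId")
    params = event.get("requestParameters") or {}
    config = params.get("ReplicationConfiguration") or {}
    findings = []
    for bucket, account in replication_destinations(event):
        if account == own_account:
            continue
        unknown = (account not in known_accounts) if account is not None \
            else (bucket not in known_buckets)
        if unknown:
            findings.append({
                "time": event.get("eventTime"),
                "actor": (event.get("userIdentity") or {}).get("arn"),
                "source_ip": event.get("sourceIPAddress"),
                "source_bucket": params.get("bucketName"),
                "destination_bucket": bucket,
                "destination_account": account,
                "replication_role": config.get("Role"),
            })
    return findings


# Constructed sample: replication to a bucket owned by an unknown account.
SAMPLE_UNKNOWN = json.loads("""{
  "eventVersion": "1.08", "eventTime": "2024-05-01T10:15:00Z",
  "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
  "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111111111111",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::111111111111:user/alice"},
  "requestParameters": {
    "bucketName": "corp-customer-exports",
    "ReplicationConfiguration": {
      "Role": "arn:aws:iam::111111111111:role/s3-replication",
      "Rule": {"ID": "r1", "Status": "Enabled",
               "Destination": {"Bucket": "arn:aws:s3:::totally-legit-backups",
                               "Account": "999999999999"}}}}}""")

# Constructed sample: approved DR replication, no Account field recorded.
SAMPLE_APPROVED = json.loads("""{
  "eventVersion": "1.08", "eventTime": "2024-05-01T11:00:00Z",
  "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
  "sourceIPAddress": "198.51.100.7", "recipientAccountId": "111111111111",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111111111111:assumed-role/dr-admin/bob"},
  "requestParameters": {
    "bucketName": "corp-customer-exports",
    "ReplicationConfiguration": {
      "Role": "arn:aws:iam::111111111111:role/s3-replication",
      "Rule": {"ID": "dr", "Status": "Enabled",
               "Destination": {"Bucket": "arn:aws:s3:::corp-dr-replica"}}}}}""")

if __name__ == "__main__":
    for record in (SAMPLE_UNKNOWN, SAMPLE_APPROVED):
        print(json.dumps(triage(record), indent=2))
```

Run against the first sample it reports the actor, source IP, source bucket, destination bucket and account, and the replication role, which are the fields the investigation above starts from; the second sample produces no finding because its destination is in the inventory. When Destination.Account is absent, the bucket ARN alone does not identify the owning account, so the bucket-name inventory is the only offline check available; confirm ownership with the bucket owner before closing the alert.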

Known False Positives

  • Legitimate data backup or disaster recovery configurations to approved external accounts
  • Authorized data sharing with business partners or clients using AWS S3 bucket replication