AWS Backup vault modified to allow public access
Description
AlphaSOC detected that an AWS Backup vault's access policy was modified using
the PutBackupVaultAccessPolicy API call to allow public access. This
configuration change enables unauthorized access to backup data stored in the
vault. Threat actors may exploit overly permissive backup vault policies to
access sensitive data, intellectual property, or credentials stored within
backups without proper authentication.
Impact
A publicly accessible backup vault access policy exposes stored backup data to unauthorized access. This could lead to data breaches, compliance violations, and exposure of sensitive information including databases, configuration files, and application data. Adversaries could download backups containing historical data and use recovered credentials for lateral movement or privilege escalation within the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS Backup vault modified to allow public access |
Investigation and Remediation
Review the backup vault's access policy to identify any overly permissive configurations. Examine AWS CloudTrail logs to determine who modified the policy and verify whether this action was authorized. If unauthorized, reset any potentially compromised credentials and revert the access policy to a more restrictive setting that limits access to only trusted users and roles. Ensure that backup vaults are configured with least privilege access policies to prevent unauthorized access.
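To support the review steps above, here is an added triage sketch (not AlphaSOC's detection logic or AWS code) that takes one CloudTrail record for PutBackupVaultAccessPolicy and reports who changed which vault and which Allow statements grant a wildcard principal with no Condition. The `requestParameters` field names `backupVaultName` and `policy`, the sample record, and the function names are assumptions; statements that pair a wildcard principal with a Condition are not flagged and still need manual review.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True when the Principal element matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_statements(policy_doc):
    """Return Allow statements that have a wildcard principal and no Condition."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"
            and is_public_principal(s.get("Principal"))
            and not s.get("Condition")]

def triage(event):
    """Summarise one PutBackupVaultAccessPolicy CloudTrail record for review."""
    if event.get("eventName") != "PutBackupVaultAccessPolicy":
        return None
    params = event.get("requestParameters") or {}  # field names below are assumed
    hits = public_statements(params.get("policy") or "{}")
    return {
        "vault": params.get("backupVaultName"),
        "actor": (event.get("userIdentity") or {}).get("arn"),
        "source_ip": event.get("sourceIPAddress"),
        "public": bool(hits),
        "public_actions": sorted({a for s in hits for a in _as_list(s.get("Action", []))}),
    }

# Constructed sample record (not real log data).
SAMPLE_EVENT = {
    "eventName": "PutBackupVaultAccessPolicy",
    "sourceIPAddress": "198.51.100.7",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
    "requestParameters": {"backupVaultName": "example-vault", "policy": json.dumps({
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "backup:CopyIntoBackupVault", "Resource": "*"},
            {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "backup:DescribeBackupVault", "Resource": "*",
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        ]})},
}
```

Calling `triage(SAMPLE_EVENT)` returns the vault name, the acting identity, the source IP, and the list of actions exposed without any condition, which is the information needed to decide whether the change was authorized.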