AWS S3 bucket policy allows actions by external accounts
Description
AlphaSOC detected modification of an AWS S3 bucket policy to grant permissions to an external AWS account. S3 bucket policies control access to buckets and their contents, and adding external account principals allows users from other AWS accounts to perform actions on the bucket.
While cross-account access is a legitimate AWS feature for sharing resources between organizations or business units, granting access to unknown external accounts can indicate unauthorized data sharing, preparation for data exfiltration, or an attempt to establish persistence by providing alternative access paths. Threat actors may modify bucket policies to grant their own AWS accounts access to sensitive data, bypassing normal IAM controls and enabling data theft or manipulation from outside the target organization's AWS environment.
Impact
Granting S3 permissions to unknown external AWS accounts creates significant security risks by allowing unauthorized entities to access, modify, or delete bucket contents. Threat actors can exploit this to exfiltrate sensitive data, inject malicious content, or establish persistent access to organizational resources. The external account access bypasses normal IAM role assumptions and direct credential usage, making it harder to detect and trace malicious activity. Organizations may face data breaches, compliance violations, and loss of data integrity. Since bucket policies can grant broad permissions including `s3:GetObject`, `s3:PutObject`, or `s3:*`, adversaries can perform a wide range of operations including reading confidential files, uploading ransomware notes, or deleting critical backups.
Severity
| Severity | Condition |
|---|---|
| Low | AWS S3 bucket policy allows actions by external accounts |
Investigation and Remediation
Review AWS CloudTrail logs to identify who modified the S3 bucket policy, including the IAM principal, source IP address, and timestamp of the `PutBucketPolicy` action. Examine the bucket policy document to determine which external AWS account ID was granted access and what specific S3 permissions were allowed. Verify whether the external account belongs to a known partner organization, vendor, or subsidiary that legitimately requires access to the bucket. Check if the policy modification was authorized through proper change management procedures. If the external account access is unauthorized, immediately remove it by updating the bucket policy using `aws s3api put-bucket-policy`, or delete the policy entirely if cross-account access is not needed.
Investigate the bucket's access logs to determine if the external account has already accessed any objects and what operations were performed. Revoke any compromised credentials used to modify the policy and rotate relevant access keys. Review and strengthen IAM policies to restrict `s3:PutBucketPolicy` permissions to only authorized administrators using least-privilege principles. Consider implementing AWS Config rules or Service Control Policies (SCPs) to monitor and prevent unauthorized bucket policy modifications. Enable S3 server access logging and CloudTrail S3 data events for comprehensive audit trails of all bucket access and modifications.
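As an added illustration of the triage steps above (example code, not part of the AlphaSOC detection or of AWS), the Python below takes one CloudTrail `PutBucketPolicy` event, collects every account ID named as a Principal in an Allow statement (including the `*` wildcard), and reports those outside a trusted-account list together with the actor, source IP and time the investigator needs. The trusted-account set and the sample event are constructed assumptions, and the event layout only approximates CloudTrail's.

```python
import re

# Assumption: account IDs this organization owns or has an approved sharing
# agreement with; any other account named as a Principal is treated as external.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}
ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

def principal_accounts(principal):
    """Account IDs named in a Principal: "*", bare IDs, IAM ARNs, {"AWS": str|list}."""
    if principal == "*":
        return {"*"}
    vals = principal.get("AWS", []) if isinstance(principal, dict) else principal
    accts = set()
    for v in [vals] if isinstance(vals, str) else vals:
        if v == "*" or re.fullmatch(r"\d{12}", v):
            accts.add(v)
        elif (m := ARN_ACCOUNT.match(v)):
            accts.add(m.group(1))
    return accts

def external_grants(event, trusted=TRUSTED_ACCOUNTS):
    """Allow statements in a PutBucketPolicy event whose Principal lies outside `trusted`."""
    if event.get("eventName") != "PutBucketPolicy":
        return []
    params = event.get("requestParameters", {})
    stmts = params.get("bucketPolicy", {}).get("Statement", [])
    findings = []
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        ext = principal_accounts(s.get("Principal", {})) - trusted
        if s.get("Effect") == "Allow" and ext:
            acts = s.get("Action", [])
            findings.append({"bucket": params.get("bucketName"), "accounts": sorted(ext),
                             "actions": [acts] if isinstance(acts, str) else acts,
                             "actor": event.get("userIdentity", {}).get("arn"),
                             "source_ip": event.get("sourceIPAddress"),
                             "time": event.get("eventTime")})
    return findings

# Constructed sample event (not real CloudTrail data): one statement for an
# owned account, one granting read/write to an account nobody recognises.
SAMPLE_EVENT = {
    "eventTime": "2024-01-01T00:00:00Z", "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
    "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
    "requestParameters": {"bucketName": "finance-reports", "bucketPolicy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::999999999999:root"]},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::finance-reports/*"}]}},
}
```

Running `external_grants(SAMPLE_EVENT)` flags only the second statement; a hit on `*` would mean the bucket was opened to everyone, which deserves the same review.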
Known False Positives
- Authorized cross-account access for legitimate business partnerships or multi-account AWS Organizations
- Service-to-service integrations requiring cross-account S3 access
- Data sharing with vendors or contractors under approved agreements
- Multi-account architectures where centralized logging or backup accounts need access