AWS S3 job with unexpected target bucket

ID: aws_s3_job_copy
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0010:T1537

Description

AlphaSOC detected the creation of an AWS S3 Batch Operations job configured to copy objects, targeting a bucket outside of expected destinations. S3 Batch Operations allow processing of large numbers of S3 objects in bulk. An attacker with sufficient S3 permissions may create a batch copy job to efficiently exfiltrate large volumes of data to an attacker-controlled bucket, potentially in a different AWS account.

Impact

S3 batch copy jobs enable high-volume, automated data exfiltration that can move significant amounts of data quickly and with limited noise compared to individual object downloads. An attacker who creates such a job targeting an external or unexpected bucket may be exfiltrating sensitive data such as customer records, backups, application data, or proprietary information. Cross-account copies may render the data permanently accessible to the attacker even after credentials are rotated.

Severity

Severity    Condition
Medium      S3 batch copy job targeting an unexpected destination

Investigation and Remediation

Review the S3 Batch Operations job manifest and configuration to identify the source bucket, destination bucket, and the IAM principal that created the job. Determine whether the destination account is known and authorized. Cancel the job immediately if unauthorized. Review S3 access logs and CloudTrail for additional exfiltration activity. If cross-account exfiltration occurred, assess what data was copied and initiate incident response procedures. Restrict S3 batch operations permissions to authorized principals.
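The following is an added example, not AlphaSOC code, covering both the detection described above and the triage fields the investigation steps ask for. It walks CloudTrail records, keeps only S3 Control CreateJob events whose operation is an object copy, compares the target bucket against an allowlist of expected destinations, and emits a finding carrying the job ID, account ID, creating principal, source bucket and target bucket so the job can be reviewed and cancelled. The CloudTrail records are constructed, the allowlist is an assumption, and the requestParameters layout is assumed to mirror the CreateJob API fields (Operation.S3PutObjectCopy.TargetResource, Manifest.Location.ObjectArn, RoleArn).

```python
"""Flag S3 Batch Operations copy jobs with an unexpected destination bucket.

Added example (not AlphaSOC's detection code). The events below are
constructed; requestParameters is assumed to mirror the S3 Control CreateJob
API request shape.
"""

# Assumption: buckets that copy jobs are expected to write to, e.g. from an
# asset inventory. Anything else is treated as an unexpected destination.
EXPECTED_DEST_BUCKETS = {"prod-archive", "analytics-landing"}


def bucket_from_arn(arn):
    """Return the bucket name from an S3 ARN (arn:aws:s3:::bucket/optional-key)."""
    if not arn or not arn.startswith("arn:aws:s3:::"):
        return None
    return arn[len("arn:aws:s3:::"):].split("/", 1)[0]


def inspect_create_job(event):
    """Return a finding for a CreateJob copy job targeting a bucket outside
    EXPECTED_DEST_BUCKETS; return None for other events or expected targets."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "CreateJob":
        return None
    params = event.get("requestParameters") or {}
    copy_op = (params.get("Operation") or {}).get("S3PutObjectCopy")
    if not copy_op:
        return None  # tagging, ACL, restore or Lambda jobs are out of scope here
    target_bucket = bucket_from_arn(copy_op.get("TargetResource"))
    if target_bucket in EXPECTED_DEST_BUCKETS:
        return None
    manifest_arn = ((params.get("Manifest") or {}).get("Location") or {}).get("ObjectArn")
    # Everything the investigation step needs: who created the job, where it
    # reads from, where it writes to, and the IDs needed to describe/cancel it.
    return {
        "severity": "Medium",
        "time": event.get("eventTime"),
        "job_id": (event.get("responseElements") or {}).get("JobId"),
        "account_id": event.get("recipientAccountId"),
        "principal": (event.get("userIdentity") or {}).get("arn"),
        "role_arn": params.get("RoleArn"),
        "source_bucket": bucket_from_arn(manifest_arn),
        "target_bucket": target_bucket,
    }


def scan(records):
    """Run inspect_create_job over a list of CloudTrail records."""
    return [f for f in (inspect_create_job(r) for r in records) if f]


def _create_job_event(target_arn, operation_key="S3PutObjectCopy", job_id="job-0001"):
    """Build a constructed CloudTrail CreateJob record for the examples below."""
    op = {"TargetResource": target_arn} if operation_key == "S3PutObjectCopy" else {}
    return {
        "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateJob",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-data-ops"},
        "requestParameters": {
            "Operation": {operation_key: op},
            "Manifest": {"Location": {"ObjectArn": "arn:aws:s3:::corp-customer-data/manifest.csv"}},
            "RoleArn": "arn:aws:iam::111111111111:role/batch-ops-role",
        },
        "responseElements": {"JobId": job_id},
    }


# Constructed sample: an expected archive copy, a copy to an unknown bucket,
# and a tagging job that is not a copy at all.
SAMPLE_EVENTS = [
    _create_job_event("arn:aws:s3:::prod-archive", job_id="job-0001"),
    _create_job_event("arn:aws:s3:::ext-collect-0091", job_id="job-0002"),
    _create_job_event(None, operation_key="S3PutObjectTagging", job_id="job-0003"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the second record produces a finding; its job_id and account_id are the two values needed to describe the job and, if it is unauthorized, cancel it through the S3 Control API, while principal, source_bucket and target_bucket answer the first three questions in the investigation step.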