AWS SSM command output delivered to an external bucket
Description
AlphaSOC detected an AWS Systems Manager command configured to send its output to an S3 bucket in a different AWS account. This technique can be used by attackers to exfiltrate command output containing sensitive data such as credentials, configuration files, or reconnaissance information to attacker-controlled storage.
Impact
Directing SSM command output to an external bucket enables data exfiltration. Attackers can collect sensitive data from managed instances including credentials, environment variables, and system information, then retrieve it from their own S3 bucket.
Severity
| Severity | Condition |
|---|---|
| Medium | SSM command output directed to an external S3 bucket |
Investigation and Remediation
Identify the external bucket. Review the SSM command that was executed and its output contents. Investigate the identity that ran the command and verify authorization. Block the external bucket in S3 policies. Assess what data may have been exfiltrated and investigate affected instances for compromise.
Known False Positives
- Cross-account SSM operations in multi-account AWS organizations
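As an added example (not AlphaSOC's own detection logic), the check below triages constructed CloudTrail `SendCommand` records: a command whose `outputS3BucketName` is absent from an allowlist of organization-owned buckets is flagged, which also keeps the legitimate cross-account case listed under Known False Positives from alerting. Bucket names, ARNs and instance IDs are placeholders, and sourcing the allowlist from `ListBuckets` across org accounts is an assumption.

```python
# Added example: triage of CloudTrail ssm:SendCommand records whose output is
# sent to an S3 bucket outside the organization. Field names follow the
# CloudTrail record format for SendCommand; bucket names, ARNs and instance
# IDs below are constructed placeholders.

# Assumed allowlist of buckets owned by accounts in the org. In production,
# build it from ListBuckets across the org's accounts rather than by hand.
ORG_BUCKETS = {"corp-ssm-output-111122223333", "corp-ssm-output-444455556666"}

SAMPLE_RECORDS = [
    {   # benign: output goes to a bucket in a sibling org account
        "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/OpsAutomation"},
        "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0example1"],
                              "outputS3BucketName": "corp-ssm-output-444455556666"}},
    {   # suspicious: output goes to a bucket no org account owns
        "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
        "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0example2", "i-0example3"],
                              "outputS3BucketName": "unknown-bucket-placeholder"}},
    {   # out of scope: no S3 output configured at all
        "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/OpsAutomation"},
        "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0example1"]}},
]


def external_output_bucket(record, org_buckets=ORG_BUCKETS):
    """Return the output bucket name if this SendCommand writes outside the org, else None."""
    if record.get("eventSource") != "ssm.amazonaws.com" or record.get("eventName") != "SendCommand":
        return None
    bucket = (record.get("requestParameters") or {}).get("outputS3BucketName")
    return bucket if bucket and bucket not in org_buckets else None


def scan(records, org_buckets=ORG_BUCKETS):
    """One finding per external-bucket command: who ran it, which document, on which instances."""
    findings = []
    for rec in records:
        bucket = external_output_bucket(rec, org_buckets)
        if bucket:
            params = rec["requestParameters"]
            findings.append({"bucket": bucket,
                             "principal": rec.get("userIdentity", {}).get("arn"),
                             "document": params.get("documentName"),
                             "instances": params.get("instanceIds", [])})
    return findings
```

For prevention rather than detection, an SCP that denies `s3:PutObject` unless the `aws:ResourceAccount` condition key matches an organization account closes the same channel.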