Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/04/17"
integration = ["aws"]
maturity = "production"
updated_date = "2025/10/30"
updated_date = "2025/12/04"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -136,6 +136,7 @@ query = '''
info where event.dataset == "aws.cloudtrail"
and event.provider == "s3.amazonaws.com"
and event.action == "PutBucketPolicy"
and event.outcome == "success"
and stringContains(aws.cloudtrail.request_parameters, "Effect=Allow")
and (
stringContains(aws.cloudtrail.request_parameters, "AWS=") or
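Review bot: Adding `event.outcome == "success"` silently drops denied `PutBucketPolicy` calls from this rule, and a failed attempt to grant an external principal access is itself a useful indicator of an actor probing their permissions. Consider stating in the rule description that only successful policy changes are alerted on and, if failed attempts are still wanted, covering them in a separate lower-severity rule rather than losing that signal entirely.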
Expand Up @@ -2,56 +2,122 @@
creation_date = "2024/07/12"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/10"
updated_date = "2025/12/04"

[rule]
author = ["Elastic"]
description = """
Identifies when the `PutBucketReplication` operation is used to replicate S3 objects to a bucket in another AWS account. Adversaries may use bucket replication to exfiltrate sensitive data to an environment they control.
Identifies the creation or modification of an S3 bucket replication configuration that sends data to a bucket in a
different AWS account. Cross-account replication can be used legitimately for backup, disaster recovery, and
multi-account architectures, but adversaries with write access to an S3 bucket may abuse replication rules to silently
exfiltrate large volumes of data to attacker-controlled accounts. This rule detects "PutBucketReplication" events where
the configured destination account differs from the source bucket's account, indicating potential unauthorized
cross-account data movement.
"""
event_category_override = "event.type"
false_positives = [
"""
Bucket replication accross accounts is a legitimate practice in some AWS environments. Ensure that the sharing is authorized before taking action.
Cross-account S3 replication is common in multi-account AWS Organizations, centralized logging architectures, and
disaster-recovery designs. Confirm whether the destination account is an approved replication target. Unexpected
replication configuration changes should be treated as suspicious.
""",
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS S3 Bucket Replicated to Another Account"
note = """
## Triage and analysis
note = """## Triage and analysis

### Investigating AWS S3 Bucket Replicated to Another Account

This rule identifies when an S3 bucket is replicated to another AWS account. While sharing bucket replication is a common practice, adversaries may exploit this feature to exfiltrate data by replicating objects to external accounts under their control.
Cross-account S3 replication enables automated copying of S3 objects into a different AWS bucket. While useful for backup and organizational data flows, adversaries may exploit it as a covert exfiltration channel. Once replication is configured, any future writes to the bucket are silently copied to the destination bucket—even if object-level access controls block the attacker’s direct downloads. For this reason, unauthorized replication configuration should be considered high-risk.

#### Possible Investigation Steps
This rule detects successful `PutBucketReplication` events and flags cases where the replication configuration specifies a destination AWS account different from the source.

- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
- **Review the Sharing Event**: Identify the S3 bucket involved and review the event details. Look for `PutBucketReplication` actions where an `Account` key-value pair is included signifying replication to an external account.
- **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the role used and account ID where the bucket was replicated.
- **Verify the Shared Bucket**: Check the S3 bucket that was replicated and its contents to determine the sensitivity of the data stored within it.
- **Validate External Account**: Examine the AWS account to which the bucket was replicated. Determine whether this account is known and previously authorized to access such resources.
- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in S3 configurations. Look for any other recent permissions changes or unusual administrative actions.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots.
#### Possible investigation steps

### False Positive Analysis
**Understand who initiated the replication change**
- Inspect `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to identify the actor.
- Review authentication patterns such as federated session names, role chaining via STS, or unfamiliar IAM roles.
- Examine `source.ip`, `source.geo` fields, and `user_agent.original` for unusual locations, automation tools, or anomalous access paths.

- **Legitimate Backup Actions**: Confirm if the S3 bucket replication aligns with scheduled backups or legitimate automation tasks.
- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
**Examine the replication rule details**
- Inspect `aws.cloudtrail.request_parameters` for:
- The **destination account ID** (`Account=`).
- The **IAM role ARN** used for replication. (`Role=`)
- Any filtering rules (prefixes, tags) that narrow or broaden what will be replicated.

### Response and Remediation
**Determine whether the destination account is authorized**
- Validate whether the destination AWS account belongs to your AWS Organization.
- Check internal documentation, IaC templates, or tagging standards to confirm whether replication to this account is expected.
- Look for prior legitimate infrastructure workflows such as:
- Centralized logging
- Backup/DR accounts
- Cross-region compliance replicas

- **Immediate Review and Reversal**: If the change was unauthorized, update the S3 configurations to remove any unauthorized replication rules.
- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
- **Policy Update**: Review and possibly update your organization’s policies on S3 bucket/object sharing to tighten control and prevent unauthorized access.
- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
Unrecognized accounts should be treated as a strong exfiltration signal.

### Additional Information:
**Assess the scope of potential data exposure**
- Determine whether the bucket contains sensitive or regulated data (PII, financial records, secrets, logs, etc.).
- Identify whether object versioning, lifecycle rules, or access logging were modified recently.
- Check for preceding or subsequent actions such as:
- `PutBucketPolicy` updates granting new principals access
- Creation or modification of IAM roles tied to replication
- `DeleteObject` or `PutObjectRetention` attempts that might pair with exfiltration

For further guidance on managing and securing S3 buckets in AWS environments, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html/) and AWS best practices for security.
**Correlate with other suspicious activity**
Pivot in CloudTrail on the same principal or same bucket:
- Prior reconnaissance such as `ListBuckets`, `GetBucketReplication`, or `GetBucketPolicy`
- Modification of KMS policies or unexpected encryption key usage
- New access patterns from external IP addresses or unusual automation

### False positive analysis

**Legitimate cross-account replication**
Validate:
- The destination account belongs to a known OU or business unit
- The replication role ARN matches expected automation
- The change aligns with documented deployment or maintenance schedules

**Temporary migrations or transitions**
During account restructuring or workload migration, administrators may temporarily redirect replication to new accounts.

Tuning options:
- Exception lists based on IAM role ARNs
- Tag-based environment scoping
- Change-window-based suppression

### Response and remediation

**Contain potential exfiltration**
- Remove or update replication rules to eliminate unauthorized destinations.
- Disable or restrict the replication IAM role until the investigation is complete.
- Review S3 object access logs to determine whether data has begun replicating to the external account.

**Investigate scope and impact**
- Identify the volume and types of data at risk of replication.
- Determine whether the external bucket shows successful replication traffic (if logs or access are available).
- Assess whether the actor also modified bucket policies, encryption settings, or KMS keys.

**Credential and role hygiene**
- Rotate credentials for the initiating user or role if compromise is suspected.
- Review IAM role trust policies, especially if STS sessions or EC2 role assumptions were involved.
- Enable MFA and tighten conditions for administrative roles capable of modifying replication.

**Hardening and preventive controls**
- Enforce SCPs that restrict cross-account replication except for explicitly approved destinations.
- Require approval workflows before modifying replication or retention settings.
- Use AWS Config and Security Hub controls to detect:
- Buckets with unexpected replication rules
- Newly added cross-account permissions
- Changes to bucket policies, block-public-access settings, or KMS key policies

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html/",
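Review bot: The new description ("detects `PutBucketReplication` events where the configured destination account differs from the source bucket's account") and the note's second paragraph ("flags cases where the replication configuration specifies a destination AWS account different from the source") describe a comparison the query does not perform; the query only checks that the request parameters contain `Account=`. Either reword both passages to say the rule fires when a destination account is explicitly specified in the replication configuration, or add the actual source-versus-destination comparison to the query so the documentation matches the logic. Two smaller points: in "The **IAM role ARN** used for replication. (`Role=`)" the period belongs after the parenthetical, and the reference URL `https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html/` carries a trailing slash after `.html` that should be dropped.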
Expand All @@ -73,21 +139,42 @@ timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "aws.cloudtrail"
info where event.dataset == "aws.cloudtrail"
and event.action == "PutBucketReplication"
and event.outcome == "success"
and stringContains(aws.cloudtrail.request_parameters, "Account")
and stringContains(aws.cloudtrail.request_parameters, "Account=")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"aws.cloudtrail.resources.arn",
"aws.cloudtrail.resources.type",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
]
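Review bot: `stringContains(aws.cloudtrail.request_parameters, "Account=")` matches any replication configuration that carries the `Account` element, including one that names the bucket owner's own account, so the query cannot by itself distinguish cross-account replication from same-account replication with an explicit owner; at minimum the `false_positives` entry should say so, and if EQL allows it in this environment, excluding events whose `Account=` value equals `cloud.account.id` would make the match tighter. Switching from `any where` to `info where` relies on `event_category_override = "event.type"` remaining in place above, so that line should stay paired with this query in future edits. Minor style: the double blank lines before `[[rule.threat]]` and before `[rule.threat.tactic]` could be collapsed to one to match the rest of the file.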
