AWS S3 Bucket Policy Added to Share with External Account

Identifies an AWS S3 bucket policy change to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account. This can be used to exfiltrate data or to provide access to other adversaries. This rule identifies changes to a bucket policy via the PutBucketPolicy API call where the policy includes an Effect=Allow statement that does not contain the AWS account ID of the bucket owner.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/04/17"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/29"

[rule]
author = ["Elastic"]
description = """
Identifies an AWS S3 bucket policy change to share permissions with an external account. Adversaries may attempt to
backdoor an S3 bucket by sharing it with an external account. This can be used to exfiltrate data or to provide access
to other adversaries. This rule identifies changes to a bucket policy via the `PutBucketPolicy` API call where the
policy includes an `Effect=Allow` statement that does not contain the AWS account ID of the bucket owner.
"""
false_positives = [
    """
    Legitimate changes to share an S3 bucket with an external account may be identified as false positive but are not
    best practice.
    """,
]
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS S3 Bucket Policy Added to Share with External Account"
note = """

## Triage and Analysis

### Investigating AWS S3 Bucket Policy Change to Share with External Account

This rule detects when an AWS S3 bucket policy is changed to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account to exfiltrate data or provide access to other adversaries. This rule identifies changes to a bucket policy via the `PutBucketPolicy` API call where the policy includes an `Effect=Allow` statement that does not contain the AWS account ID of the bucket owner.

#### Possible Investigation Steps:

- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the bucket policy. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.

### False Positive Analysis:

- **Legitimate Administrative Actions**: Confirm if the bucket policy change aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.
- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.

### Response and Remediation:

- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the bucket policy to remove any unauthorized permissions and restore it to its previous state.
- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning bucket policy management and sharing permissions.
- **Audit Bucket Policies and Permissions**: Conduct a comprehensive audit of all bucket policies and associated permissions to ensure they adhere to the principle of least privilege.
- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.

### Additional Information:

For further guidance on managing S3 bucket policies and securing AWS environments, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) and AWS best practices for security.
"""
references = [
    "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy/",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html",
]
risk_score = 47
rule_id = "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce"
setup = """

## Setup

S3 data event types must be collected in the AWS CloudTrail logs. Please refer to [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) for more information.
"""
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS S3",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "PutBucketPolicy" and event.outcome == "success"
    and stringContains(aws.cloudtrail.request_parameters, "Effect=Allow")
    and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipient_account_id)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
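The query above relies on two substring checks over aws.cloudtrail.request_parameters: the policy must contain "Effect=Allow" and must not contain the recipient (owner) account ID anywhere. The Python below is an added example, not part of the Elastic rule: it reproduces that substring logic on a constructed CloudTrail-style event and, beside it, a per-statement check that inspects the Principal of each Effect=Allow statement, so an external grant is still surfaced when another statement in the same policy names the owner account (a case the substring check excludes). The event layout, account IDs and bucket name are constructed sample values.

```python
import json
import re
OWNER = "111111111111"  # constructed bucket-owner account id
# Constructed CloudTrail-style PutBucketPolicy event (sample, not a real log):
# one Allow statement for the owner account, a second for an external account.
SAMPLE_EVENT = {
    "eventName": "PutBucketPolicy",
    "recipientAccountId": OWNER,
    "requestParameters": {
        "bucketName": "example-bucket",
        "bucketPolicy": {"Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
             "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
             "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]}},
        ]},
    },
}

ACCOUNT_RE = re.compile(r"\b(\d{12})\b")  # 12-digit AWS account id inside an ARN

def _principals(stmt):
    """Flatten Principal ('*', a string, or {'AWS': str | list}) into a list of strings."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    out = []
    for v in p.values():
        out.extend(v if isinstance(v, list) else [v])
    return out

def rule_style_match(event):
    """Mimic the EQL rule: substring checks over the serialized request parameters."""
    params = json.dumps(event["requestParameters"])
    return "Allow" in params and event["recipientAccountId"] not in params

def external_allow_principals(event):
    """Per-statement check: principals of Effect=Allow statements other than the owner."""
    owner = event["recipientAccountId"]
    policy = event["requestParameters"].get("bucketPolicy", {})
    stmts = policy.get("Statement", [])
    found = []
    for s in stmts if isinstance(stmts, list) else [stmts]:
        if s.get("Effect") != "Allow":
            continue
        for p in _principals(s):
            # a wildcard principal or any 12-digit account id that is not the owner
            if p == "*" or any(a != owner for a in ACCOUNT_RE.findall(p)):
                found.append(p)
    return found
```

On the sample event the substring version returns False because the owner account ID appears in the first statement, while the per-statement version returns the external principal from the second statement.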
