AWS S3 Bucket Replicated to Another Account

Identifies when the PutBucketReplication operation is used to replicate S3 objects to a bucket in another AWS account. Adversaries may use bucket replication to exfiltrate sensitive data to an environment they control.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2024/07/12"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/10"

[rule]
author = ["Elastic"]
description = """
Identifies when the `PutBucketReplication` operation is used to replicate S3 objects to a bucket in another AWS account. Adversaries may use bucket replication to exfiltrate sensitive data to an environment they control.
"""
false_positives = [
    """
    Bucket replication across accounts is a legitimate practice in some AWS environments. Ensure that the sharing is authorized before taking action.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS S3 Bucket Replicated to Another Account"
note = """
## Triage and analysis

### Investigating AWS S3 Bucket Replicated to Another Account

This rule identifies when an S3 bucket is replicated to another AWS account. While sharing bucket replication is a common practice, adversaries may exploit this feature to exfiltrate data by replicating objects to external accounts under their control.

#### Possible Investigation Steps

- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
- **Review the Sharing Event**: Identify the S3 bucket involved and review the event details. Look for `PutBucketReplication` actions where an `Account` key-value pair is included signifying replication to an external account.
    - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the role used and account ID where the bucket was replicated.
- **Verify the Shared Bucket**: Check the S3 bucket that was replicated and its contents to determine the sensitivity of the data stored within it.
- **Validate External Account**: Examine the AWS account to which the bucket was replicated. Determine whether this account is known and previously authorized to access such resources.
- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in S3 configurations. Look for any other recent permissions changes or unusual administrative actions.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots.

### False Positive Analysis

- **Legitimate Backup Actions**: Confirm if the S3 bucket replication aligns with scheduled backups or legitimate automation tasks.
- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.

### Response and Remediation

- **Immediate Review and Reversal**: If the change was unauthorized, update the S3 configurations to remove any unauthorized replication rules.
- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
- **Policy Update**: Review and possibly update your organization’s policies on S3 bucket/object sharing to tighten control and prevent unauthorized access.
- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.

### Additional Information:

For further guidance on managing and securing S3 buckets in AWS environments, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html/) and AWS best practices for security.
"""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html/",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html/",
]
risk_score = 47
rule_id = "d488f026-7907-4f56-ad51-742feb3db01c"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS S3",
    "Resources: Investigation Guide",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "aws.cloudtrail"
   and event.action == "PutBucketReplication"
   and event.outcome == "success"
   and stringContains(aws.cloudtrail.request_parameters, "Account")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
```
...
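As an added example (not part of the Elastic rule or its repository), the same detection logic applied in Python to constructed CloudTrail records: it applies the rule's three conditions and then goes one step further than the EQL by pulling the destination account out of the replication configuration and comparing it with the recording account, which separates a true cross-account destination from a same-account rule that merely carries an `Account` key. The sample records and every field name beyond those in the rule are assumptions.

```python
import json

# Constructed sample CloudTrail records (not real log data). The
# requestParameters shape mirrors the PutBucketReplication request body.
SAMPLE_EVENTS = [
    {   # cross-account destination: the case the rule is written for
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"bucketName": "corp-finance-data",
            "ReplicationConfiguration": {
                "Role": "arn:aws:iam::111111111111:role/s3-replication",
                "Rule": {"Status": "Enabled", "Destination": {
                    "Bucket": "arn:aws:s3:::external-copy",
                    "Account": "222222222222"}}}}},
    {   # same-account replication that still carries an Account key
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup"},
        "requestParameters": {"bucketName": "corp-logs",
            "ReplicationConfiguration": {
                "Role": "arn:aws:iam::111111111111:role/s3-replication",
                "Rule": {"Status": "Enabled", "Destination": {
                    "Bucket": "arn:aws:s3:::corp-logs-dr",
                    "Account": "111111111111"}}}}},
    {   # denied call: errorCode present, so event.outcome is not "success"
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
        "errorCode": "AccessDenied", "recipientAccountId": "111111111111",
        "requestParameters": {"bucketName": "corp-finance-data"}},
]

def _rules(config):
    rule = config.get("Rule", [])          # one rule is a dict, several a list
    return rule if isinstance(rule, list) else [rule]

def evaluate(event):
    """Apply the rule's conditions; on a hit, return the triage fields."""
    if event.get("eventSource") != "s3.amazonaws.com": return None
    if event.get("eventName") != "PutBucketReplication": return None
    if "errorCode" in event: return None   # not a successful call
    params = event.get("requestParameters", {})
    if "Account" not in json.dumps(params): return None  # the EQL substring test
    config = params.get("ReplicationConfiguration", {})
    dests = [r.get("Destination", {}).get("Account") for r in _rules(config)]
    dests = [d for d in dests if d]
    own = event.get("recipientAccountId")  # account that recorded the call
    return {"bucket": params.get("bucketName"), "role": config.get("Role"),
            "actor": event.get("userIdentity", {}).get("arn"),
            "destination_accounts": dests,
            "cross_account": any(d != own for d in dests)}
```

Hits with `cross_account` set to False are the same-account configurations the rule's `Account` substring test still matches; the "Validate External Account" step above is where that distinction is made by hand.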

