AWS S3 Bucket Replicated to Another Account

Identifies when the PutBucketReplication operation is used to replicate S3 objects to a bucket in another AWS account. Adversaries may use bucket replication to exfiltrate sensitive data to an environment they control.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/07/12"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/12"

[rule]
author = ["Elastic"]
description = """
Identifies when the `PutBucketReplication` operation is used to replicate S3 objects to a bucket in another AWS account. Adversaries may use bucket replication to exfiltrate sensitive data to an environment they control.
"""
false_positives = [
    """
    Bucket replication across accounts is a legitimate practice in some AWS environments. Ensure that the replication is authorized before taking action.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS S3 Bucket Replicated to Another Account"
note = """
## Triage and Analysis

### Investigating AWS S3 Bucket Replicated to Another Account

This rule identifies when an S3 bucket's replication configuration is changed to replicate objects to another AWS account. While cross-account replication is a legitimate practice, adversaries may abuse it to exfiltrate data by replicating objects to an external account under their control.

#### Possible Investigation Steps

- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
- **Review the Replication Event**: Identify the S3 bucket involved and review the event details. Look for `PutBucketReplication` actions whose `ReplicationConfiguration` contains a `Destination` with an `Account` element; that element names the account that owns the destination bucket. Note that the S3 API requires `Account` only when the rule also sets `AccessControlTranslation` (replica owner override), so a cross-account destination configured without owner override may omit it and will not match this rule; the destination bucket ARN alone does not identify the owning account.
    - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the replication `Role`, the destination bucket ARN, and the destination account ID.
- **Verify the Source Bucket**: Check the S3 bucket whose replication configuration was changed and its contents to determine the sensitivity of the data stored within it.
- **Validate External Account**: Examine the AWS account to which the bucket is replicated. Determine whether this account is known and previously authorized to receive such resources.
- **Contextualize with Recent Changes**: Compare this replication event against recent changes in S3 configurations. Look for any other recent permissions changes or unusual administrative actions, such as changes to the replication role's policies.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
- **Interview Relevant Personnel**: If the change was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets and replication.

### False Positive Analysis

- **Legitimate Backup Actions**: Confirm if the S3 bucket replication aligns with scheduled backups or legitimate automation tasks.
- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.

### Response and Remediation

- **Immediate Review and Reversal**: If the change was unauthorized, remove the unauthorized replication rule (or the whole replication configuration) from the source bucket. Removing the rule only stops further replication; objects already copied remain in the destination account and should be treated as disclosed.
- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
- **Policy Update**: Review and possibly update your organization’s policies on S3 bucket/object sharing to tighten control and prevent unauthorized access.
- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.

### Additional Information:

For further guidance on managing and securing S3 buckets in AWS environments, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html/) and AWS best practices for security.
"""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html/",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html/",
]
risk_score = 47
rule_id = "d488f026-7907-4f56-ad51-742feb3db01c"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS S3",
    "Resources: Investigation Guide",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "aws.cloudtrail"
   and event.action == "PutBucketReplication"
   and event.outcome == "success"
   and stringContains(aws.cloudtrail.request_parameters, "Account")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
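The following Python is an added example, not part of the Elastic rule or its repository. It runs the rule's predicate over three constructed CloudTrail events laid out in the Elastic AWS integration's field names (`event.*`, `aws.cloudtrail.*`), then parses `ReplicationConfiguration` out of the `aws.cloudtrail.request_parameters` JSON string to answer the investigation guide's questions: who made the change, which replication role, which destination bucket, and which destination account. The account IDs, ARNs, bucket names and the exact JSON shape CloudTrail gives the replication request body (a single `Rule` object versus a list) are assumptions. The third event is the configuration the rule cannot see: a cross-account destination that omits the `Account` element.

```python
import json

# Constructed sample events in the field layout of the Elastic AWS integration.
# aws.cloudtrail.request_parameters is stored as a JSON string, which is why the
# rule uses stringContains() rather than a field match. The ReplicationConfiguration
# shape approximates CloudTrail's JSON rendering of the XML request body; "Rule" is
# taken to be an object for one rule and a list for several (assumption).
# Account IDs, ARNs, access key and bucket names are made up.
def _event(actor_arn, request_parameters, outcome="success"):
    return {
        "event": {"dataset": "aws.cloudtrail",
                  "action": "PutBucketReplication",
                  "outcome": outcome},
        "aws": {"cloudtrail": {
            "user_identity": {"arn": actor_arn, "access_key_id": "AKIAEXAMPLE00000"},
            "request_parameters": json.dumps(request_parameters),
        }},
    }

def _config(rule_or_rules):
    return {"bucketName": "corp-finance-archive", "replication": "",
            "ReplicationConfiguration": {
                "Role": "arn:aws:iam::111111111111:role/s3-replication",
                "Rule": rule_or_rules}}

def _rule(rule_id, destination):
    return {"ID": rule_id, "Status": "Enabled", "Priority": 1, "Filter": {"Prefix": ""},
            "DeleteMarkerReplication": {"Status": "Disabled"}, "Destination": destination}

SAMPLE_EVENTS = {
    # Cross-account replication with replica owner override: Destination carries Account.
    "cross_account_owner_override": _event(
        "arn:aws:iam::111111111111:user/alice",
        _config(_rule("exfil", {"Bucket": "arn:aws:s3:::attacker-landing",
                                "Account": "222222222222",
                                "AccessControlTranslation": {"Owner": "Destination"}}))),
    # Same-account disaster-recovery replication: no Account element anywhere.
    "same_account": _event(
        "arn:aws:iam::111111111111:role/terraform",
        _config([_rule("dr", {"Bucket": "arn:aws:s3:::corp-finance-archive-dr"})])),
    # Cross-account destination without owner override: Account is optional here, so
    # the substring match has nothing to catch, and the bucket ARN does not name its owner.
    "cross_account_no_account_element": _event(
        "arn:aws:iam::111111111111:user/alice",
        _config(_rule("quiet", {"Bucket": "arn:aws:s3:::attacker-landing"}))),
}


def matches_rule(event):
    """Mirror the rule's EQL predicate, including the literal substring test on "Account"."""
    ev, ct = event["event"], event["aws"]["cloudtrail"]
    return (ev["dataset"] == "aws.cloudtrail"
            and ev["action"] == "PutBucketReplication"
            and ev["outcome"] == "success"
            and "Account" in ct["request_parameters"])


def destinations(event):
    """Parse request_parameters and return one record per replication rule destination."""
    params = json.loads(event["aws"]["cloudtrail"]["request_parameters"])
    config = params.get("ReplicationConfiguration", {})
    rules = config.get("Rule", [])
    if isinstance(rules, dict):        # single rule rendered as an object, not a list
        rules = [rules]
    records = []
    for rule in rules:
        dest = rule.get("Destination", {})
        records.append({
            "source_bucket": params.get("bucketName"),
            "rule_id": rule.get("ID"),
            "status": rule.get("Status"),
            "role": config.get("Role"),
            "bucket_arn": dest.get("Bucket"),
            "account": dest.get("Account"),
            "owner_override": "AccessControlTranslation" in dest,
        })
    return records


def triage(event):
    """Answer the guide's questions per destination: who did it, where replicas go,
    and whether that is outside the caller's own account."""
    actor = event["aws"]["cloudtrail"]["user_identity"]["arn"]
    home_account = actor.split(":")[4]    # account ID is the fifth ARN component
    findings = []
    for rec in destinations(event):
        if rec["account"] is None:
            verdict = "destination owner not stated; confirm bucket owner out of band"
        elif rec["account"] != home_account:
            verdict = "cross-account: replicas land in account " + rec["account"]
        else:
            verdict = "same-account"
        findings.append({**rec, "actor": actor, "home_account": home_account,
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(name, "rule match:", matches_rule(event))
        for finding in triage(event):
            print("   ", finding["rule_id"], "->", finding["bucket_arn"], "|", finding["verdict"])
```

Only the first event matches the rule; the second is benign, and the third is the cross-account case the substring test misses, which `triage()` can only report as "owner not stated" because nothing in the event identifies the destination bucket's owner. For the live steps, `aws s3api get-bucket-replication --bucket <bucket>` returns the configuration currently in force on the source bucket and `aws s3api delete-bucket-replication --bucket <bucket>` removes it entirely.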

