If a malicious actor with prior access to an AWS environment has permission to modify the S3
Replication Service role access policy, they could abuse cross-account replication to exfiltrate
stolen data to an external bucket under their control. Moreover, when configured to replicate
to multiple buckets at once, the S3 Replication Service only logs a putObject event to CloudTrail
for the first destination bucket. Thus, as long as the malicious actor's bucket isn't the first
replication destination, their activity wouldn't be logged in CloudTrail, and might go undetected.
No tracked CVEs