Published Wed, Jul 20th, 2022
Platforms
If a malicious actor with prior access to an AWS environment has permission to modify the S3 Replication Service role access policy, they could abuse cross-account replication to exfiltrate stolen data to an external bucket under their control. Moreover, when configured to replicate to multiple buckets at once, and if logging is only scoped to specific buckets (as opposed to being set to log "all current and future buckets"), then the S3 Replication Service only logs a putObject event to CloudTrail for the first destination bucket. Thus, as long as the malicious actor's bucket isn't the first replication destination, their activity wouldn't be logged in CloudTrail, and might go undetected.
S3
None
No tracked CVEs
Contributed by https://github.com/korniko98
Entry Status
Finalized
Disclosure Date
Tue, Oct 19th, 2021
Exploitability Period
ongoing
Known ITW Exploitation
-
Detection Methods
Monitor for changes to Replication rules (e.g., via the S3BucketChangesAlarm alert in CloudWatch) and note any suspicious destinations.
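The check described above, written out as an added example that is not part of this entry: it scans CloudTrail records for PutBucketReplication calls and flags every replication destination whose account is not one the organisation owns. The field layout assumed for the records (requestParameters.bucketName and requestParameters.ReplicationConfiguration.Rule[].Destination) and all account ids and bucket names are assumptions; the sample records are constructed, not real logs.

```python
# Accounts this organisation owns (constructed); any other destination is suspicious.
TRUSTED_ACCOUNTS = {"111111111111"}

def _rules(config):
    # CloudTrail renders the XML request body as JSON: a single <Rule> element
    # becomes a dict, several become a list. Normalise both shapes to a list.
    rule = config.get("Rule", [])
    return rule if isinstance(rule, list) else [rule]

def suspicious_replication_destinations(events, trusted=TRUSTED_ACCOUNTS):
    """Return (source_bucket, destination_arn, destination_account) for each
    destination set by a PutBucketReplication call whose account is not trusted.
    A missing Account is flagged too: an S3 bucket ARN carries no account id."""
    findings = []
    for ev in events:
        if (ev.get("eventSource") != "s3.amazonaws.com"
                or ev.get("eventName") != "PutBucketReplication"):
            continue
        params = ev.get("requestParameters", {})
        for rule in _rules(params.get("ReplicationConfiguration", {})):
            dest = rule.get("Destination", {})
            if dest.get("Account") not in trusted:
                findings.append((params.get("bucketName"), dest.get("Bucket"), dest.get("Account")))
    return findings

# Constructed CloudTrail records (assumed layout, not real logs). The second call
# adds a cross-account destination as the *second* rule, the position the entry
# says produces no per-object PutObject events in CloudTrail.
SAMPLE_EVENTS = [
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
  "requestParameters": {"bucketName": "hr-records", "ReplicationConfiguration": {
    "Role": "arn:aws:iam::111111111111:role/s3-replication",
    "Rule": {"Status": "Enabled", "Destination": {
      "Bucket": "arn:aws:s3:::hr-records-dr", "Account": "111111111111"}}}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
  "requestParameters": {"bucketName": "finance-data", "ReplicationConfiguration": {
    "Role": "arn:aws:iam::111111111111:role/s3-replication",
    "Rule": [
      {"Status": "Enabled", "Destination": {
        "Bucket": "arn:aws:s3:::finance-data-dr", "Account": "111111111111"}},
      {"Status": "Enabled", "Destination": {
        "Bucket": "arn:aws:s3:::external-bucket", "Account": "999999999999"}}]}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
  "requestParameters": {"bucketName": "finance-data", "key": "q3.csv"}},
]

if __name__ == "__main__":
    for src, dst, acct in suspicious_replication_destinations(SAMPLE_EVENTS):
        print(f"ALERT: {src} replicates to {dst} (account {acct})")
```

Because the object-level PutObject events for a non-first destination never reach CloudTrail, the configuration change itself is the record to alert on; the same function works over events returned by a CloudTrail LookupEvents query or an S3-delivered log file.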
Piercing Index Rating
-
Discovered by
Kat Traxler