AWS S3 Bucket Replicated to Another Account

Last updated a month ago on 2025-12-04
Created a year ago on 2024-07-12

About

Identifies the creation or modification of an S3 bucket replication configuration that sends data to a bucket in a different AWS account. Cross-account replication can be used legitimately for backup, disaster recovery, and multi-account architectures, but adversaries with write access to an S3 bucket may abuse replication rules to silently exfiltrate large volumes of data to attacker-controlled accounts. This rule detects "PutBucketReplication" events where the configured destination account differs from the source bucket's account, indicating potential unauthorized cross-account data movement.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS S3
Use Case: Threat Detection
Tactic: Exfiltration
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Exfiltration (TA0010)

False Positive Examples
Cross-account S3 replication is common in multi-account AWS Organizations, centralized logging architectures, and disaster-recovery designs. Confirm whether the destination account is an approved replication target. Unexpected replication configuration changes should be treated as suspicious.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
info where event.dataset == "aws.cloudtrail"
  and event.action == "PutBucketReplication"
  and event.outcome == "success"
  and stringContains(aws.cloudtrail.request_parameters, "Account=")
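
The query matches on the presence of "Account=" in the request parameters, so each hit still has to be checked against the source account and the list of approved replication targets. The following triage sketch is an added example, not part of the Elastic rule; the flattened key=value parameter layout, the use of cloud.account.id as the source account, and every account ID and bucket name in it are assumptions constructed for illustration.

```python
import re

# Assumption: request parameters arrive as the flattened "key=value" string
# that the rule searches with stringContains(..., "Account=").
ACCOUNT_RE = re.compile(r"\bAccount=(\d{12})\b")
BUCKET_RE = re.compile(r"\bBucket=(arn:aws[\w-]*:s3:::[^,}\s]+)")

APPROVED = {"222222222222"}  # constructed allowlist of approved target accounts


def triage(event, approved_accounts):
    """Compare replication destination accounts with the source account."""
    params = event.get("aws.cloudtrail.request_parameters", "")
    source = event.get("cloud.account.id")  # assumed field holding the source account
    destinations = set(ACCOUNT_RE.findall(params))
    external = destinations - {source}
    unapproved = external - set(approved_accounts)
    if not destinations:
        verdict = "no-destination-account"
    elif source is None:
        verdict = "source-account-unknown"
    elif not external:
        verdict = "same-account"
    elif unapproved:
        verdict = "unapproved-cross-account"
    else:
        verdict = "approved-cross-account"
    return {
        "verdict": verdict,
        "source_account": source,
        "unapproved_accounts": sorted(unapproved),
        "destination_buckets": sorted(set(BUCKET_RE.findall(params))),
    }


def sample_event(source, dest_account, dest_bucket):
    """Build a constructed alert document; not real CloudTrail data."""
    params = ("{ReplicationConfiguration={Role=arn:aws:iam::%s:role/replication, "
              "Rule={Status=Enabled, Destination={Account=%s, Bucket=arn:aws:s3:::%s}}}, "
              "bucketName=source-bucket}" % (source, dest_account, dest_bucket))
    return {"cloud.account.id": source, "aws.cloudtrail.request_parameters": params}


SAMPLE_EVENTS = [
    sample_event("111111111111", "111111111111", "local-copy"),
    sample_event("111111111111", "222222222222", "dr-backup"),
    sample_event("111111111111", "999999999999", "unknown-bucket"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev, APPROVED))
```

Only the "unapproved-cross-account" verdict needs escalation; "same-account" hits show where the rule's string match fires without data leaving the account.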

Install detection rules in Elastic Security

Detect AWS S3 Bucket Replicated to Another Account in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.