AWS S3 Bucket Policy Added to Share with External Account

Last updated 14 days ago on 2025-01-17

Created 9 months ago on 2024-04-17

About

Identifies an AWS S3 bucket policy change to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account. This can be used to exfiltrate data or to provide access to other adversaries. This rule identifies changes to a bucket policy via the `PutBucketPolicy` API call where the policy includes an `Effect=Allow` statement that does not contain the AWS account ID of the bucket owner.

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS S3Use Case: Threat DetectionTactic: ExfiltrationLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Exfiltration (TA0010)(opens in a new tab or window)

↳ Transfer Data to Cloud Account (T1537)(opens in a new tab or window)

False Positive Examples

Legitimate changes to share an S3 bucket with an external account may be identified as false positive but are not best practice.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-aws.cloudtrail-*
Related Integrations: aws(opens in a new tab or window)
Query

any where event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "PutBucketPolicy" and event.outcome == "success"
    and stringContains(aws.cloudtrail.request_parameters, "Effect=Allow")
    and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipient_account_id)

Install detection rules in Elastic Security

Detect AWS S3 Bucket Policy Added to Share with External Account in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).