S3 Data Exfiltration via Cross Account Replication

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects S3 bucket replication configuration changes that could indicate data exfiltration to external accounts.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "All S3 Bucket Activity" AND (REQUESTPARAMETERS contains "ReplicationConfiguration" AND REQUESTPARAMETERS contains "Destination") select Action1.CALLER,Action1.SOURCE,Action1.LOG_EVENT_NAME,Action1.EVENTSOURCE,Action1.IPADDRESS,Action1.BUCKETNAME,Action1.REQUESTPARAMETERS

Detection

Execution Mode

realtime

Log Sources

AWS