mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 22:19:39 +03:00
326 lines
12 KiB
Markdown
326 lines
12 KiB
Markdown
---
|
|
name: detecting-s3-data-exfiltration-attempts
|
|
description: >
|
|
Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3
|
|
data events, VPC Flow Logs, GuardDuty findings, Amazon Macie alerts, and S3 access
|
|
patterns to identify unauthorized bulk downloads and cross-account data transfers.
|
|
domain: cybersecurity
|
|
subdomain: cloud-security
|
|
tags: [cloud-security, aws, s3, data-exfiltration, guardduty, macie, threat-detection]
|
|
version: "1.0"
|
|
author: mahipal
|
|
license: MIT
|
|
---
|
|
|
|
# Detecting S3 Data Exfiltration Attempts
|
|
|
|
## When to Use
|
|
|
|
- When GuardDuty detects anomalous S3 access patterns such as bulk downloads from unusual IPs
|
|
- When investigating suspected data breach involving S3-stored sensitive data
|
|
- When building detection rules for S3 data loss prevention monitoring
|
|
- When responding to Macie alerts about sensitive data being accessed or moved
|
|
- When compliance requires monitoring and logging of all access to classified data stores
|
|
|
|
**Do not use** for preventing data exfiltration (use S3 bucket policies, VPC endpoints, and SCPs), for data classification (use Amazon Macie discovery jobs), or for network-level exfiltration detection (use VPC Flow Logs with network analysis tools).
|
|
|
|
## Prerequisites
|
|
|
|
- CloudTrail configured with S3 data event logging (`GetObject`, `PutObject`, `CopyObject`)
|
|
- GuardDuty enabled with S3 Protection feature activated
|
|
- Amazon Macie enabled for sensitive data discovery in target buckets
|
|
- CloudWatch Logs or Athena for querying CloudTrail logs at scale
|
|
- VPC endpoint policies configured for S3 access monitoring
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Enable S3 Data Event Logging in CloudTrail
|
|
|
|
Configure CloudTrail to capture all S3 object-level operations for forensic analysis.
|
|
|
|
```bash
|
|
# Enable S3 data events on an existing trail
|
|
aws cloudtrail put-event-selectors \
|
|
--trail-name management-trail \
|
|
--event-selectors '[{
|
|
"ReadWriteType": "All",
|
|
"IncludeManagementEvents": true,
|
|
"DataResources": [{
|
|
"Type": "AWS::S3::Object",
|
|
"Values": ["arn:aws:s3:::sensitive-data-bucket/", "arn:aws:s3:::customer-records/"]
|
|
}]
|
|
}]'
|
|
|
|
# Verify data event configuration
|
|
aws cloudtrail get-event-selectors --trail-name management-trail \
|
|
--query 'EventSelectors[*].DataResources' --output json
|
|
|
|
# Enable GuardDuty S3 Protection
|
|
aws guardduty update-detector \
|
|
--detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
|
|
--data-sources '{"S3Logs":{"Enable":true}}'
|
|
```
|
|
|
|
### Step 2: Query CloudTrail for Anomalous S3 Access Patterns
|
|
|
|
Analyze CloudTrail logs for bulk download activity, unusual access times, and unfamiliar source IPs.
|
|
|
|
```bash
|
|
# Athena query: Top S3 downloaders by volume in last 24 hours
|
|
cat << 'EOF'
|
|
SELECT
|
|
useridentity.arn as principal,
|
|
sourceipaddress,
|
|
COUNT(*) as request_count,
|
|
SUM(CAST(json_extract_scalar(requestparameters, '$.bytesTransferredOut') AS bigint)) as bytes_downloaded
|
|
FROM cloudtrail_logs
|
|
WHERE eventname = 'GetObject'
|
|
AND eventsource = 's3.amazonaws.com'
|
|
AND eventtime > date_add('hour', -24, now())
|
|
GROUP BY useridentity.arn, sourceipaddress
|
|
ORDER BY request_count DESC
|
|
LIMIT 50
|
|
EOF
|
|
|
|
# CloudWatch Logs Insights: S3 GetObject requests from unusual IPs
|
|
aws logs start-query \
|
|
--log-group-name cloudtrail-logs \
|
|
--start-time $(date -d "24 hours ago" +%s) \
|
|
--end-time $(date +%s) \
|
|
--query-string '
|
|
fields @timestamp, userIdentity.arn, sourceIPAddress, requestParameters.bucketName, requestParameters.key
|
|
| filter eventName = "GetObject"
|
|
| stats count() as requestCount by sourceIPAddress, userIdentity.arn
|
|
| sort requestCount desc
|
|
| limit 25
|
|
'
|
|
|
|
# Detect cross-account copies (potential exfiltration)
|
|
aws logs start-query \
|
|
--log-group-name cloudtrail-logs \
|
|
--start-time $(date -d "7 days ago" +%s) \
|
|
--end-time $(date +%s) \
|
|
--query-string '
|
|
fields @timestamp, userIdentity.arn, sourceIPAddress, requestParameters.bucketName
|
|
| filter eventName in ["CopyObject", "ReplicateObject", "UploadPart"]
|
|
| filter userIdentity.accountId != "OUR_ACCOUNT_ID"
|
|
| sort @timestamp desc
|
|
| limit 100
|
|
'
|
|
```
|
|
|
|
### Step 3: Review GuardDuty S3 Findings
|
|
|
|
Check for GuardDuty S3-specific finding types that indicate exfiltration activity.
|
|
|
|
```bash
|
|
# List active S3 exfiltration-related findings
|
|
aws guardduty list-findings \
|
|
--detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
|
|
--finding-criteria '{
|
|
"Criterion": {
|
|
"type": {
|
|
"Eq": [
|
|
"Exfiltration:S3/MaliciousIPCaller",
|
|
"Exfiltration:S3/ObjectRead.Unusual",
|
|
"Discovery:S3/MaliciousIPCaller.Custom",
|
|
"Discovery:S3/BucketEnumeration.Unusual",
|
|
"UnauthorizedAccess:S3/MaliciousIPCaller.Custom",
|
|
"UnauthorizedAccess:S3/TorIPCaller",
|
|
"Impact:S3/AnomalousBehavior.Delete"
|
|
]
|
|
}
|
|
}
|
|
}' --output json
|
|
|
|
# Get detailed finding information
|
|
aws guardduty get-findings \
|
|
--detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
|
|
--finding-ids FINDING_IDS \
|
|
--query 'Findings[*].{Type:Type,Severity:Severity,Resource:Resource.S3BucketDetails[0].Name,Action:Service.Action}' \
|
|
--output table
|
|
```
|
|
|
|
### Step 4: Analyze Macie Findings for Sensitive Data Access
|
|
|
|
Review Macie findings to correlate data sensitivity with access anomalies.
|
|
|
|
```bash
|
|
# List Macie findings for sensitive data exposure
|
|
aws macie2 list-findings \
|
|
--finding-criteria '{
|
|
"criterion": {
|
|
"category": {"eq": ["CLASSIFICATION"]},
|
|
"severity.description": {"eq": ["High", "Critical"]}
|
|
}
|
|
}' \
|
|
--sort-criteria '{"attributeName": "updatedAt", "orderBy": "DESC"}' \
|
|
--max-results 25
|
|
|
|
# Get detailed finding with data classification
|
|
aws macie2 get-findings \
|
|
--finding-ids FINDING_IDS \
|
|
--query 'findings[*].{Type:type,Severity:severity.description,Bucket:resourcesAffected.s3Bucket.name,SensitiveDataTypes:classificationDetails.result.sensitiveData[*].category}' \
|
|
--output table
|
|
|
|
# Run a sensitive data discovery job on target bucket
|
|
aws macie2 create-classification-job \
|
|
--job-type ONE_TIME \
|
|
--name "exfiltration-investigation" \
|
|
--s3-job-definition '{
|
|
"bucketDefinitions": [{
|
|
"accountId": "ACCOUNT_ID",
|
|
"buckets": ["sensitive-data-bucket"]
|
|
}]
|
|
}'
|
|
```
|
|
|
|
### Step 5: Build Automated Detection Rules
|
|
|
|
Create CloudWatch alarms and EventBridge rules for real-time exfiltration detection.
|
|
|
|
```bash
|
|
# CloudWatch metric filter for high-volume S3 downloads
|
|
aws logs put-metric-filter \
|
|
--log-group-name cloudtrail-logs \
|
|
--filter-name s3-bulk-download \
|
|
--filter-pattern '{$.eventName = "GetObject" && $.eventSource = "s3.amazonaws.com"}' \
|
|
--metric-transformations '[{
|
|
"metricName": "S3GetObjectCount",
|
|
"metricNamespace": "SecurityMetrics",
|
|
"metricValue": "1",
|
|
"defaultValue": 0
|
|
}]'
|
|
|
|
# Alarm for anomalous download volume (>1000 objects/hour)
|
|
aws cloudwatch put-metric-alarm \
|
|
--alarm-name s3-exfiltration-alert \
|
|
--metric-name S3GetObjectCount \
|
|
--namespace SecurityMetrics \
|
|
--statistic Sum \
|
|
--period 3600 \
|
|
--threshold 1000 \
|
|
--comparison-operator GreaterThanThreshold \
|
|
--evaluation-periods 1 \
|
|
--alarm-actions arn:aws:sns:us-east-1:ACCOUNT:security-alerts
|
|
|
|
# EventBridge rule for GuardDuty S3 findings
|
|
aws events put-rule \
|
|
--name guardduty-s3-exfiltration \
|
|
--event-pattern '{
|
|
"source": ["aws.guardduty"],
|
|
"detail-type": ["GuardDuty Finding"],
|
|
"detail": {
|
|
"type": [{"prefix": "Exfiltration:S3/"}]
|
|
}
|
|
}'
|
|
```
|
|
|
|
### Step 6: Implement Preventive Controls
|
|
|
|
Deploy bucket policies and VPC endpoint policies to restrict data movement paths.
|
|
|
|
```bash
|
|
# VPC endpoint policy restricting S3 access to specific buckets
|
|
aws ec2 modify-vpc-endpoint \
|
|
--vpc-endpoint-id vpce-ENDPOINT_ID \
|
|
--policy-document '{
|
|
"Statement": [{
|
|
"Sid": "RestrictToOwnBuckets",
|
|
"Effect": "Allow",
|
|
"Principal": "*",
|
|
"Action": ["s3:GetObject", "s3:PutObject"],
|
|
"Resource": ["arn:aws:s3:::approved-bucket-1/*", "arn:aws:s3:::approved-bucket-2/*"]
|
|
}]
|
|
}'
|
|
|
|
# Bucket policy denying access from outside the VPC
|
|
aws s3api put-bucket-policy --bucket sensitive-data-bucket --policy '{
|
|
"Version": "2012-10-17",
|
|
"Statement": [{
|
|
"Sid": "DenyNonVpcAccess",
|
|
"Effect": "Deny",
|
|
"Principal": "*",
|
|
"Action": "s3:GetObject",
|
|
"Resource": "arn:aws:s3:::sensitive-data-bucket/*",
|
|
"Condition": {
|
|
"StringNotEquals": {
|
|
"aws:sourceVpce": "vpce-ENDPOINT_ID"
|
|
}
|
|
}
|
|
}]
|
|
}'
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Term | Definition |
|
|
|------|------------|
|
|
| S3 Data Events | CloudTrail object-level logging that captures GetObject, PutObject, DeleteObject, and CopyObject API calls with request details |
|
|
| GuardDuty S3 Protection | Threat detection feature analyzing CloudTrail S3 data events to identify anomalous access patterns and exfiltration attempts |
|
|
| Amazon Macie | Data security service that discovers and classifies sensitive data in S3 and generates findings for data exposure risks |
|
|
| VPC Endpoint Policy | Access control policy on an S3 VPC endpoint that restricts which buckets and actions can be accessed through the endpoint |
|
|
| Data Exfiltration | Unauthorized transfer of data from an organization's S3 storage to an external location controlled by an attacker |
|
|
| Anomalous Behavior Detection | Machine learning-based identification of S3 access patterns that deviate from established baselines for a principal |
|
|
|
|
## Tools & Systems
|
|
|
|
- **AWS CloudTrail**: Audit logging of S3 object-level operations for forensic analysis and anomaly detection
|
|
- **Amazon GuardDuty**: ML-based threat detection with S3-specific finding types for exfiltration and unauthorized access
|
|
- **Amazon Macie**: Sensitive data discovery and classification for correlating access anomalies with data sensitivity
|
|
- **Amazon Athena**: SQL query engine for analyzing CloudTrail logs at scale to identify bulk download patterns
|
|
- **CloudWatch Logs Insights**: Real-time log analysis for building detection queries against CloudTrail data
|
|
|
|
## Common Scenarios
|
|
|
|
### Scenario: Compromised IAM Credentials Used for Bulk S3 Data Download
|
|
|
|
**Context**: GuardDuty reports an `Exfiltration:S3/ObjectRead.Unusual` finding indicating that a developer's access key is downloading thousands of objects from a sensitive data bucket at 3 AM from an IP address in a foreign country.
|
|
|
|
**Approach**:
|
|
1. Immediately deactivate the compromised access key
|
|
2. Query CloudTrail for all S3 actions by the compromised principal in the last 72 hours
|
|
3. Identify which buckets and objects were accessed using Athena queries
|
|
4. Cross-reference accessed objects with Macie classifications to assess data sensitivity
|
|
5. Check for CopyObject calls to external accounts (cross-account exfiltration)
|
|
6. Review how the credentials were compromised (TruffleHog scan, phishing investigation)
|
|
7. Implement VPC endpoint policies to restrict future S3 access to approved network paths
|
|
|
|
**Pitfalls**: CloudTrail S3 data events can generate massive log volume. Use Athena with partitioned tables rather than CloudWatch Logs Insights for queries spanning more than 24 hours. GuardDuty baseline learning requires 7-14 days, so new accounts may generate false positives for normal access patterns.
|
|
|
|
## Output Format
|
|
|
|
```
|
|
S3 Data Exfiltration Investigation Report
|
|
============================================
|
|
Account: 123456789012
|
|
Detection Source: GuardDuty Exfiltration:S3/ObjectRead.Unusual
|
|
Investigation Date: 2026-02-23
|
|
|
|
INCIDENT TIMELINE:
|
|
2026-02-23 02:47 UTC - First anomalous GetObject from 185.x.x.x
|
|
2026-02-23 02:47-04:12 UTC - 12,847 GetObject requests
|
|
2026-02-23 04:15 UTC - GuardDuty finding generated
|
|
2026-02-23 04:20 UTC - PagerDuty alert received by SOC
|
|
2026-02-23 04:25 UTC - Access key deactivated
|
|
|
|
COMPROMISED PRINCIPAL:
|
|
ARN: arn:aws:iam::123456789012:user/developer-jane
|
|
Access Key: AKIA...WXYZ
|
|
Source IP: 185.x.x.x (Tor exit node)
|
|
|
|
DATA IMPACT ASSESSMENT:
|
|
Buckets accessed: 3
|
|
Objects downloaded: 12,847
|
|
Total data volume: 4.7 GB
|
|
Sensitive data types: PII (SSN, email), Financial (credit card)
|
|
Macie severity: CRITICAL
|
|
|
|
CONTAINMENT ACTIONS:
|
|
[x] Access key deactivated
|
|
[x] User password reset and MFA re-enrolled
|
|
[x] VPC endpoint policy applied to sensitive buckets
|
|
[x] Bucket policy restricting to VPC-only access
|
|
[x] TruffleHog scan initiated on developer repositories
|
|
```
|