Unauthorized S3 Data Access and Leak
Hola!
This time I worked on an insider threat simulation based on PR004, using S3 access logs. Some sensitive data was leaked.
Incident Overview
Insider Threat Matrix reference: PR004
Summary: An insider threat simulation revealed unauthorized access to sensitive data stored in an Amazon S3 bucket, resulting in a data leak. The incident was identified through analysis of S3 access logs and CloudTrail logs, with indications of anti-forensic activity (AF009).
Incident Details
- Discovery: The incident was detected during a simulation exercise analyzing S3 access logs. Sensitive data was accessed and leaked due to overly permissive access policies.
- Data Affected: Confidential files stored in an S3 bucket configured with Amazon S3 Glacier Bulk retrieval.
- Access Method: Unauthorized access was facilitated by a policy granting excessive permissions (e.g., GrantFullAccess).
- Anti-Forensic Activity: Logs showed evidence of tampering, complicating the investigation, as described in AF009.
Timeline
- May 28, 2025, 09:00 AM CEST: Simulation exercise initiated, focusing on S3 access logs.
- May 28, 2025, 09:10 AM CEST: Identified unauthorized access to sensitive data via Bulk retrieval from an S3 Glacier bucket.
- May 28, 2025, 09:12 AM CEST: Confirmed anti-forensic activity in logs, suggesting deliberate obfuscation.
- May 28, 2025, 09:15 AM CEST: Report drafted and sent for review.
Analysis
- Access Policies: Policies like GrantFullAccess were overly permissive, allowing unauthorized access to the S3 bucket.
- Bucket Configuration: The bucket was set to S3 Glacier with Bulk retrieval (5–48 hours), indicating low monitoring priority for sensitive data, which delayed detection.
- Canary Tokens: No canary tokens were implemented, missing an opportunity for early detection of unauthorized access.
- Anti-Forensic Activity: Log corrections suggested deliberate tampering, aligning with AF009.
- SIEM Integration: CloudTrail logs require further investigation using Splunk to identify actions by the user "Tim."
Findings
- Sensitive data was accessed and leaked due to misconfigured access policies.
- Lack of proactive monitoring (e.g., canary tokens) and delayed retrieval notifications (5–48 hours) hindered timely detection.
- Anti-forensic activity obscured the investigation, requiring deeper log analysis.
- JSON naming conventions and S3 access log structures were critical in identifying the incident.
Recommendations
- Policy Review: Audit and revise S3 access policies to enforce least privilege, removing overly permissive roles like GrantFullAccess.
- Canary Tokens: Implement canary tokens in sensitive S3 buckets to detect unauthorized access early.
- Monitoring Enhancements: Adjust S3 Glacier retrieval settings for critical data to prioritize faster retrieval tiers (e.g., Standard or Expedited) and enable real-time notifications.
- SIEM Analysis: Conduct a detailed review of CloudTrail logs in Splunk, focusing on user "Tim" and related activities.
- Training: Educate staff on secure policy naming conventions and log analysis to improve incident detection and response.
- Anti-Forensic Measures: Implement stricter log integrity checks to detect and prevent tampering.
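The signals the Analysis and Recommendations sections rely on (Glacier restores of sensitive keys, canary object reads, and log records that no longer parse) can be checked directly against S3 server access log lines. The following is an added example, not code from the original post: the log lines are constructed (placeholder owner and request IDs, the AWS documentation account ID), and the bucket layout, canary key and sensitive prefix are assumptions.

```python
"""Triage S3 server access log lines for the signals discussed in this post."""
import re
from dataclasses import dataclass

# Leading fields of the S3 server access log format; the request URI is quoted
# because it contains spaces. Trailing fields (referer, user agent, ...) are ignored.
_LINE_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+) (?P<bytes>\S+) (?P<size>\S+)'
)
SENSITIVE_PREFIX = "confidential/"       # assumed location of the sensitive data
CANARY_KEY = "confidential/canary.docx"  # assumed canary object, never read legitimately
RESTORE_OP = "REST.POST.RESTORE"         # operation logged for Glacier RestoreObject requests

@dataclass(frozen=True)
class Alert:
    rule: str
    requester: str
    key: str

def parse_line(line: str):
    """Return the parsed fields, or None if the line does not match the log format."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Flag Glacier restores and reads of sensitive or canary keys. Lines that do not
    parse are reported too: edited or truncated records are an integrity signal."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(Alert("malformed-log-line", "-", line[:40]))
        elif rec["operation"] == "REST.GET.OBJECT" and rec["key"] == CANARY_KEY:
            alerts.append(Alert("canary-read", rec["requester"], rec["key"]))
        elif rec["operation"] == RESTORE_OP and rec["key"].startswith(SENSITIVE_PREFIX):
            alerts.append(Alert("glacier-restore-sensitive", rec["requester"], rec["key"]))
        elif (rec["operation"] == "REST.GET.OBJECT" and rec["status"] == "200"
              and rec["key"].startswith(SENSITIVE_PREFIX)):
            alerts.append(Alert("sensitive-read", rec["requester"], rec["key"]))
    return alerts

# Constructed sample: a Bulk restore of a sensitive archive, a canary hit, a benign read,
# and a truncated record (placeholder IDs; account ID is the AWS documentation example).
SAMPLE_LOG = [
    'OWNERIDEXAMPLE finance-archive [28/May/2025:07:03:11 +0000] 203.0.113.7 arn:aws:iam::111122223333:user/Tim REQID01EXAMPLE REST.POST.RESTORE confidential/payroll-2024.xlsx "POST /confidential/payroll-2024.xlsx?restore HTTP/1.1" 202 - - 48211 15 - "-" "aws-cli/2.15" -',
    'OWNERIDEXAMPLE finance-archive [28/May/2025:07:03:40 +0000] 203.0.113.7 arn:aws:iam::111122223333:user/Tim REQID02EXAMPLE REST.GET.OBJECT confidential/canary.docx "GET /confidential/canary.docx HTTP/1.1" 200 - 4096 4096 9 7 "-" "aws-cli/2.15" -',
    'OWNERIDEXAMPLE finance-archive [28/May/2025:07:05:02 +0000] 203.0.113.7 arn:aws:iam::111122223333:user/Tim REQID03EXAMPLE REST.GET.OBJECT public/readme.txt "GET /public/readme.txt HTTP/1.1" 200 - 120 120 3 2 "-" "aws-cli/2.15" -',
    'OWNERIDEXAMPLE finance-archive [28/May/2025:07:0',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Running the block prints three alerts for the constructed sample: the sensitive Bulk restore, the canary read, and the truncated record; the read of the public key raises nothing.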
Conclusion
The simulation is complete, and a lightweight version of the report is written up here. As a capture-the-flag exercise, it was cool to get a grip on the log JSON naming conventions, S3 access logs, policies, and event names.