luizmachado.dev


Strategies to Mitigate Exfiltration Attacks on Amazon S3

In this post I will use only AWS services; in a future one I will cover open-source tools that can also help.

---

1. Understanding the risk of exfiltration on S3

Exfiltration is the extraction or transfer of data outside the organization without authorization. On S3 it becomes possible when:

  • Bucket policies, ACLs, or IAM policies grant excessive permissions, allowing public access or access by principals who should not have it, including a compromised identity that was legitimately granted access.
  • There is no logging or monitoring of activity, so bulk downloads or copies of objects are not noticed until the data turns up somewhere else.
  • Encryption keys and audit mechanisms are not used as controls: with SSE-KMS, reading an object also requires permission on the key, and without audit logs there is no record of who read what.

---

2. Least privilege access and identity governance

  1. Principle of Least Privilege

- Grant only the permissions that each user, service, or application actually needs, and prefer IAM roles with short-lived credentials over long-lived access keys.

- Avoid broad policies (such as "s3:*") when only a few specific actions are needed (for example, s3:GetObject or s3:PutObject), and scope the Resource to the bucket or prefix in question rather than to every bucket in the account.

  2. Bucket and IAM Policies

- Use bucket policies and IAM policies to restrict access to trusted source IP ranges (aws:SourceIp), VPC Endpoints, or specific accounts and roles.

- Consider condition keys such as aws:SourceVpce (one specific VPC endpoint) or aws:SourceVpc (any endpoint in a given VPC) to authorize only traffic that enters S3 through a VPC endpoint. A bucket-policy Deny on these keys also blocks the console and any AWS service that reads the bucket on your behalf, so exempt the roles that need that path before applying it.

  3. S3 Block Public Access

- Enable this setting at the account level, and per bucket in any account that must keep one public bucket, so that everything else is covered by default.

- This prevents accidental exposure if someone later applies a public ACL or bucket policy: with Block Public Access on, such a policy is rejected or ignored.

  4. Integration with AWS Organizations

- If your company uses multiple accounts, establish Service Control Policies (SCPs) to enforce security controls at the organizational level, restricting unapproved S3 actions. Typical SCP guardrails deny turning off S3 Block Public Access, changing bucket encryption configuration, or stopping CloudTrail, except from a designated security role.
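The four points above can be checked mechanically before a policy is deployed. The following is an added example (not code from the original post): a small static audit that flags the grants this section warns about (wildcard actions, anonymous principals without a narrowing condition, unreviewed cross-account principals) and runs it over a deliberately broad policy and a least-privilege one. The account IDs, bucket name, role ARN and VPC endpoint ID are constructed, and the set of "narrowing" condition keys is an assumed subset of the keys AWS uses to decide whether a bucket policy is public.

```python
"""Static audit of a bucket policy for the over-broad grants described above.

Added example, not code from the original post. Account IDs, bucket names, role
ARNs and the VPC endpoint ID are constructed for illustration.
"""
import json

# Condition keys that narrow a "Principal": "*" statement to a known boundary.
# Assumption: this is a subset of the keys AWS lists when deciding whether a
# bucket policy is "public" (the same test S3 Block Public Access applies);
# a statement with a wildcard principal and none of these keys is public.
NON_PUBLIC_CONDITION_KEYS = {
    "aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp", "aws:SourceArn",
    "aws:SourceAccount", "aws:PrincipalAccount", "aws:PrincipalArn",
    "aws:PrincipalOrgID", "aws:userid",
}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element to a list of strings ("*" for anonymous)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def _condition_keys(stmt):
    """Every condition key used in the statement, regardless of operator."""
    return {key for block in stmt.get("Condition", {}).values() for key in block}


def audit_policy(policy, own_account):
    """Return (sid, severity, issue) findings for Allow statements broader than least privilege."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever remove access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        principals = _principals(stmt)
        keys = _condition_keys(stmt)

        if any(action in ("*", "s3:*") for action in actions):
            findings.append((sid, "HIGH", "wildcard action grants every S3 operation, "
                                          "including changing the bucket policy and ACLs"))
        if "*" in principals and not keys & NON_PUBLIC_CONDITION_KEYS:
            findings.append((sid, "CRITICAL", "anonymous principal without a narrowing "
                                              "condition: S3 treats this statement as public"))
        for principal in principals:
            if principal == "*" or principal.endswith(".amazonaws.com"):
                continue  # anonymous handled above; service principals are not another tenant
            if own_account not in principal:
                findings.append((sid, "MEDIUM", f"cross-account principal {principal}: "
                                                "confirm it is approved and still needed"))
    return findings


BUCKET_ARNS = ["arn:aws:s3:::example-data-bucket", "arn:aws:s3:::example-data-bucket/*"]
OWN_ACCOUNT = "111122223333"

# Constructed: the kind of policy that leads to exfiltration.
OVERLY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEveryoneEverything", "Effect": "Allow", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARNS},
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": BUCKET_ARNS},
]}

# Constructed: least privilege. One role, one action, one prefix, one network path,
# plus a Deny that closes every other path (Deny statements are never flagged).
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppReaderFromVpce", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data-bucket/reports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]}

if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)):
        print(name, json.dumps(audit_policy(policy, OWN_ACCOUNT), indent=2))
```

Run as a pre-deployment check (for example in the pipeline that applies bucket policies) so that a "Principal": "*" grant only passes review when it carries a condition that ties it to a VPC, endpoint, IP range or organization.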

---

3. Protecting traffic and data

  1. Encryption at rest (Server-Side Encryption)

- S3 encrypts every new object with SSE-S3 by default. Use SSE-KMS with a customer managed key when you want granular control: the key policy decides who may decrypt, and every use of the key is recorded in CloudTrail.

- With SSE-KMS, reading an object requires both s3:GetObject and kms:Decrypt on the key, so a key policy that restricts decryption becomes a second gate. Keep the expectation realistic: an identity that is allowed both will receive plaintext, so encryption at rest limits who can read; it does not replace access control.

  2. Encryption in transit (HTTPS/TLS)

- Always require HTTPS, rejecting plain HTTP requests so that credentials and object data cannot be intercepted in transit.

- Enforce this in the bucket policy with a Deny statement whose condition is "aws:SecureTransport": "false". S3 accepts HTTP by default, so the policy is what actually turns it off.

  3. VPC Endpoints for S3

- When workloads access S3 from a VPC, create a VPC endpoint (a gateway endpoint costs nothing). Traffic between the VPC and S3 then stays on the AWS network instead of crossing the public internet, and the endpoint policy and bucket policy can restrict which buckets the VPC may reach and which endpoints may reach the bucket, closing off exfiltration to an attacker-controlled bucket or over external paths.

  4. S3 Object Lock and Versioning

- Object Lock in Compliance mode prevents deletion or overwriting of object versions until the retention period ends, for every identity including the root user. It protects integrity, not confidentiality: it does not stop anyone from reading or copying the data, so its role in an exfiltration scenario is to preserve evidence (apply it to the log bucket) and to block the "download, then destroy" pattern.

- Versioning (a prerequisite for Object Lock) keeps previous versions of objects, making recovery easier if there is unauthorized modification or removal; consider MFA Delete on buckets where permanent deletion should require a second factor.
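The encryption-in-transit and VPC Endpoint items above both come down to Deny statements in the bucket policy. As an added example (not code from the original post), here are the two statements together with a small evaluator that shows which requests they refuse and why an internet request, which carries no aws:SourceVpce at all, is still caught. The bucket name, endpoint ID and request contexts are constructed; the evaluator covers only the operators these statements use and only explicit Deny.

```python
"""Bucket-policy Deny statements for the two controls above (TLS only, VPC endpoint
only), plus a small evaluator that shows which requests they refuse.

Added example, not code from the original post. The bucket name, VPC endpoint ID
and request contexts are constructed. The evaluator implements only the operators
these statements use (Bool, StringEquals, StringNotEquals) and only explicit Deny;
it is not a general IAM policy engine.
"""

BUCKET = "example-data-bucket"
TRUSTED_VPCE = "vpce-0123456789abcdef0"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Encryption in transit: refuse anything that arrived over plain HTTP.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARNS,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Private path only: refuse requests that did not enter through our endpoint.
            # Caveat: this also denies the console and AWS services that access the bucket
            # on your behalf; add an exception (e.g. on aws:PrincipalArn) before deploying.
            "Sid": "DenyOutsideVpce",
            "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARNS,
            "Condition": {"StringNotEquals": {"aws:SourceVpce": TRUSTED_VPCE}},
        },
    ],
}


def _condition_matches(operator, expected, actual):
    """One IAM condition test. IAM's rule for a key that is absent from the request:
    positive operators (Bool, StringEquals) do not match, negated operators
    (StringNotEquals) do match. That rule is what makes DenyOutsideVpce catch
    internet traffic, which carries no aws:SourceVpce at all."""
    expected = expected if isinstance(expected, list) else [expected]
    if actual is None:
        return operator == "StringNotEquals"
    if operator == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    raise ValueError(f"operator {operator} is outside this example's scope")


def denying_statements(policy, request_context):
    """Sids of Deny statements whose conditions all hold for the request context.
    Any non-empty result means S3 refuses the request no matter what Allow
    statements or IAM policies say (an explicit deny always wins)."""
    denied = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        tests = [(op, key, expected)
                 for op, block in stmt.get("Condition", {}).items()
                 for key, expected in block.items()]
        if all(_condition_matches(op, expected, request_context.get(key))
               for op, key, expected in tests):
            denied.append(stmt["Sid"])
    return denied


# Constructed request contexts, as S3 would populate them for these condition keys.
SAMPLE_REQUESTS = {
    "http_from_internet":      {"aws:SecureTransport": "false"},
    "https_from_internet":     {"aws:SecureTransport": "true"},
    "https_from_other_vpce":   {"aws:SecureTransport": "true", "aws:SourceVpce": "vpce-0fedcba9876543210"},
    "https_from_trusted_vpce": {"aws:SecureTransport": "true", "aws:SourceVpce": TRUSTED_VPCE},
}

if __name__ == "__main__":
    for name, ctx in SAMPLE_REQUESTS.items():
        print(f"{name:24s} denied by {denying_statements(HARDENED_POLICY, ctx) or 'nothing'}")
```

Only the request from the trusted endpoint over TLS passes both statements. Note that the Deny statements do not by themselves grant anything: an identity still needs an Allow (in IAM or in the same bucket policy) for the request to succeed.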

---

4. Monitoring and detecting suspicious activities

  1. S3 Server Access Logs

- Configure server access logging to record every request against the bucket (GET, PUT, LIST, DELETE, and the rest), with requester, source IP, key, status, bytes sent, and TLS details. Delivery is best effort and can lag by hours, so treat these logs as an audit trail rather than a real-time feed.

- Store them in a separate bucket, preferably in a separate logging account and never in the bucket being logged, and protect that bucket with its own restrictive policy (and Object Lock, if you need tamper-evident logs).

  2. AWS CloudTrail

- Management events record bucket-level API calls such as bucket creation and deletion, policy modifications, and changes to Block Public Access settings.

- Object-level calls (GetObject, PutObject, DeleteObject) are only recorded if you enable CloudTrail Data Events for the bucket or for all S3 resources. They cost extra, but they are the signal that tells you which principal downloaded which objects, from which IP, and through which VPC endpoint.

  3. Amazon GuardDuty

- With S3 Protection enabled, GuardDuty analyzes CloudTrail S3 data and management events for suspicious activity, such as unusual volumes of downloads or access from known malicious IPs.

- It emits S3-specific findings when it detects attack patterns, for example Exfiltration:S3/AnomalousBehavior, Discovery:S3/MaliciousIPCaller (bucket enumeration), or Policy:S3/BucketPublicAccessGranted.

  4. Amazon Macie

- Uses machine learning and managed data identifiers to find sensitive data (PII, credentials, financial data) stored in S3.

- Helps classify and monitor where confidential information resides and raises policy findings when such buckets are public or shared outside the account, so the most sensitive buckets get the strictest controls.

  5. AWS Security Hub

- Centralizes security findings from various services (GuardDuty, Macie, Inspector, Config, etc.) in one place and scores accounts against standards such as the AWS Foundational Security Best Practices, which include S3 controls.

- Allows creating automations via EventBridge for immediate response (for example, blocking an IP or removing permissions).
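To make the CloudTrail point concrete, here is an added example (not code from the original post) of the detection a SIEM rule or a Lambda consuming the trail would implement: per-principal sliding-window counts of GetObject data events, flagging a session that pulls an abnormal number of objects or bytes, and flagging any request that reached the bucket from outside the trusted VPC endpoint. The records are constructed to follow the shape of CloudTrail S3 data events; the thresholds, ARNs, IP addresses and endpoint ID are assumptions and should be replaced with values from a baseline of your own traffic.

```python
"""Detection over CloudTrail S3 data events: flag a principal that pulls an abnormal
number of objects (or bytes) in a short window, and any access that reached the
bucket from outside the trusted VPC endpoint.

Added example, not code from the original post. The records are constructed to
follow the shape of CloudTrail S3 data events (userIdentity, eventName,
sourceIPAddress, requestParameters, additionalEventData.bytesTransferredOut,
vpcEndpointId); thresholds, ARNs, IP addresses and endpoint IDs are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TRUSTED_VPCE = "vpce-0123456789abcdef0"
WINDOW = timedelta(minutes=5)
MAX_OBJECTS_PER_WINDOW = 50               # tune from a baseline of normal traffic
MAX_BYTES_PER_WINDOW = 500 * 1024 * 1024  # 500 MiB


def _record(principal_arn, minute, second, key, size, source_ip="10.0.1.25", vpce=TRUSTED_VPCE):
    """Build one constructed CloudTrail GetObject data-event record."""
    rec = {
        "eventVersion": "1.09",
        "eventTime": f"2024-05-01T10:{minute:02d}:{second:02d}Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "sourceIPAddress": source_ip,
        "userIdentity": {"type": "AssumedRole", "arn": principal_arn},
        "requestParameters": {"bucketName": "example-data-bucket", "key": key},
        "additionalEventData": {"bytesTransferredOut": size},
        "readOnly": True,
    }
    if vpce:
        rec["vpcEndpointId"] = vpce
    return rec


APP = "arn:aws:sts::111122223333:assumed-role/app-reader/i-0a1b2c3d4e5f67890"
ATTACKER = "arn:aws:sts::111122223333:assumed-role/ci-deploy/stolen-session"

# Constructed sample: a normal reader, a session dumping a whole prefix, and one
# request that came from the public internet instead of the VPC endpoint.
SAMPLE_EVENTS = (
    [_record(APP, 0, i * 10, f"reports/daily-{i}.csv", 40_000) for i in range(5)]
    + [_record(ATTACKER, 1 + i // 60, i % 60, f"customers/part-{i:04d}.parquet", 2_000_000)
       for i in range(80)]
    + [_record(APP, 3, 0, "reports/summary.csv", 12_000, source_ip="203.0.113.77", vpce=None)]
)


def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_exfiltration(events):
    """Sliding-window check per principal. Returns a list of finding dicts."""
    findings = []
    windows = defaultdict(list)  # principal ARN -> [(time, bytes), ...] inside WINDOW
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "GetObject":
            continue
        who = ev["userIdentity"]["arn"]
        now = _event_time(ev)
        size = ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)

        if ev.get("vpcEndpointId") != TRUSTED_VPCE:
            findings.append({"type": "AccessOutsideVpce", "principal": who,
                             "sourceIPAddress": ev["sourceIPAddress"],
                             "key": ev["requestParameters"]["key"]})

        window = windows[who]
        window.append((now, size))
        while window and now - window[0][0] > WINDOW:  # age out old events
            window.pop(0)
        count, total = len(window), sum(s for _, s in window)
        if count > MAX_OBJECTS_PER_WINDOW or total > MAX_BYTES_PER_WINDOW:
            findings.append({"type": "AnomalousDownloadVolume", "principal": who,
                             "objects_in_window": count, "bytes_in_window": total,
                             "at": ev["eventTime"]})
            window.clear()  # one finding per burst, not one per extra object
    return findings


if __name__ == "__main__":
    for finding in detect_exfiltration(SAMPLE_EVENTS):
        print(finding)
```

On the sample the stolen session trips the object threshold on its 51st download, while the legitimate reader is only reported for the single request that bypassed the endpoint. The same two signals (rate per principal and network path) are what GuardDuty's S3 findings encode, so this is also a reasonable first rule for a SIEM in case GuardDuty is not enabled everywhere.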

---

5. Automation and incident response

  1. Amazon EventBridge and Lambda

- Create EventBridge rules that match GuardDuty, Macie, or Security Hub findings (or custom alerts derived from CloudTrail) and trigger Lambda functions to respond.

- Examples:

- Upon detecting an abnormal number of downloads (via CloudTrail Data Events), temporarily isolate the bucket with a quarantine bucket policy that denies everything except an incident-response role.

- If there is a high-severity GuardDuty finding related to S3, automatically update the bucket policy to block the access in question. Since exfiltration findings usually name an authenticated principal rather than anonymous access, that also means denying or disabling the credentials involved.

  2. Automatic Remediation

- Use AWS Config to continuously verify that buckets meet your standards. Managed rules already exist for the common checks (s3-bucket-public-read-prohibited, s3-bucket-server-side-encryption-enabled, s3-bucket-logging-enabled, s3-bucket-ssl-requests-only, s3-bucket-versioning-enabled); custom rules cover anything organization-specific.

- If something is out of compliance, trigger a remediation (a Lambda function or an SSM Automation document attached to the rule) that restores the expected configuration immediately.

  3. Incident Playbooks

- Maintain documented procedures (playbooks) for exfiltration incidents, including steps to trace the origin (which principal, which credentials, from where), contain it (deny the principal, rotate or revoke credentials, quarantine the bucket), and collect evidence (CloudTrail and access logs, policy history, screenshots) before configurations are changed back.
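The EventBridge-to-Lambda response described above, written out as a handler. This is an added example, not code from the original post, and it goes one step beyond the text: instead of only blocking anonymous access it quarantines the bucket for every principal except a responder role, because GuardDuty exfiltration findings name an authenticated identity. Assumed for illustration: the incident-response role ARN, the bucket name and finding ID, an EventBridge event constructed in the shape used for GuardDuty findings, and an injected S3 client (a fake here; boto3.client("s3") in Lambda).

```python
"""Automated containment for a GuardDuty S3 finding delivered through EventBridge:
apply a quarantine bucket policy that denies every principal except the
incident-response role, and make sure Block Public Access is on.

Added example, not code from the original post. The EventBridge event is
constructed in the shape used for GuardDuty findings; the S3 client is injected so
the handler runs offline against a fake (in Lambda you would pass
boto3.client("s3")). The role ARN, bucket name and finding ID are assumptions.
"""
import json

IR_ROLE_ARN = "arn:aws:iam::111122223333:role/incident-response"  # assumed responder role
SEVERITY_THRESHOLD = 7.0                                            # GuardDuty "High" starts at 7
CONTAIN_TYPE_PREFIXES = ("Exfiltration:S3/", "Discovery:S3/", "Impact:S3/")

# EventBridge rule pattern routing S3 findings to this function; severity and
# finding type are checked again in code so the pattern can stay simple.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"resource": {"resourceType": ["S3Bucket"]}},
}


def quarantine_policy(bucket, responder_arn):
    """Deny everything to everyone except the responder. aws:PrincipalArn resolves to the
    role ARN for assumed-role sessions, so the responder's sessions keep working."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "QuarantineDenyAllButIncidentResponse",
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": responder_arn}},
        }],
    }


def handler(event, context=None, s3_client=None):
    """Lambda entry point (EventBridge -> Lambda). Returns what was done so it is testable."""
    detail = event.get("detail", {})
    finding_type = detail.get("type", "")
    severity = float(detail.get("severity", 0))
    buckets = [b["name"] for b in detail.get("resource", {}).get("s3BucketDetails", [])]

    if severity < SEVERITY_THRESHOLD or not finding_type.startswith(CONTAIN_TYPE_PREFIXES):
        return {"action": "ignored", "reason": f"{finding_type} severity {severity}", "buckets": buckets}

    for bucket in buckets:
        # Belt and braces first: nothing may re-open the bucket publicly during the incident.
        s3_client.put_public_access_block(
            Bucket=bucket,
            PublicAccessBlockConfiguration={"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
        # Replacing the policy is deliberate; the previous one stays recoverable from the
        # earlier PutBucketPolicy events in CloudTrail for the investigation.
        s3_client.put_bucket_policy(Bucket=bucket,
                                    Policy=json.dumps(quarantine_policy(bucket, IR_ROLE_ARN)))
    return {"action": "quarantined", "buckets": buckets, "finding": detail.get("id")}


class FakeS3:
    """Records calls instead of talking to AWS; stands in for boto3.client("s3") offline."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(("put_public_access_block", kwargs))

    def put_bucket_policy(self, **kwargs):
        self.calls.append(("put_bucket_policy", kwargs))


# Constructed EventBridge event carrying a GuardDuty S3 exfiltration finding.
SAMPLE_FINDING_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "0123456789abcdef0123456789abcdef",
        "type": "Exfiltration:S3/AnomalousBehavior",
        "severity": 8,
        "resource": {"resourceType": "S3Bucket",
                     "s3BucketDetails": [{"name": "example-data-bucket",
                                          "arn": "arn:aws:s3:::example-data-bucket"}]},
    },
}

if __name__ == "__main__":
    fake = FakeS3()
    print(handler(SAMPLE_FINDING_EVENT, s3_client=fake))
    for name, kwargs in fake.calls:
        print(name, json.dumps(kwargs)[:120])
```

Quarantining takes the bucket away from its legitimate consumers too, which is the point of the severity threshold: wire the automation to high-severity findings only, and let the playbook (not the function) decide when to restore the original policy. The Lambda's execution role needs only s3:PutBucketPolicy and s3:PutBucketPublicAccessBlock on the buckets it may quarantine, and the quarantine Deny must keep that role's ARN out of its exception so a compromised automation cannot be used to read the data.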

---

6. Audit and Compliance Policies

  1. Manage the Data Lifecycle

- Use S3 Lifecycle rules to expire data that no longer needs to be kept and to transition cold data to cheaper storage classes (Glacier). Only the first actually shrinks the exposure: data that has been deleted cannot be exfiltrated, whereas a colder storage class changes cost and retrieval time, not who can access the objects.

- Properly destroy (delete, including all versions) data that no longer needs to be stored.

  2. Regulatory Compliance

- If your organization is subject to regulations such as LGPD, HIPAA, GDPR, PCI-DSS, or SOC 2, regularly review retention and access policies on S3.

- Configure alerts (for example, Macie findings routed through EventBridge) when sensitive data is placed in buckets that are public, shared with other accounts, or otherwise outside their intended boundary.

  3. Audit Reports

- Export logs and findings to a SIEM (Security Information and Event Management) system or to AWS Security Hub.

- Generate reports that demonstrate all S3 buckets comply with encryption, logging, and least privilege access requirements.

---

7. Additional best practices

  • Do not leave objects public just to serve them: use pre-signed URLs with a short expiry for temporary access, or serve through CloudFront with origin access control so the bucket itself stays private. A pre-signed URL carries the permissions of the identity that signed it and works for anyone who holds it until it expires, so sign with a narrowly scoped role and keep the lifetime to minutes, not days.
  • Review periodically: implement monthly/quarterly reviews of access policies, existing buckets, cross-account shares, and where sensitive data lives; IAM Access Analyzer can list every bucket shared outside the account.
  • Protect IAM credentials (root user, access keys) and require MFA for all high-privilege identities; prefer roles and temporary credentials, since a leaked long-lived access key is a common starting point for an exfiltration.
  • Segregate environments: buckets containing confidential production data should be isolated from development and testing buckets, preferably in separate accounts within AWS Organizations.

---

Conclusion

Protecting data stored in S3 against exfiltration requires a defense in depth approach, which includes:

  • Strict access control (least privilege, public access blocking).
  • Encryption (at rest and in transit).
  • Monitoring and logging (CloudTrail, Access Logs, Macie, GuardDuty).
  • Automated response (EventBridge, Lambda, AWS Config).
  • Compliance and governance practices (lifecycle management, periodic reviews, LGPD, PCI-DSS, etc.).

As we already know, when it comes to information security nothing is 100%, but by adding layers you significantly reduce the attack surface and make an exfiltration attempt much harder to carry out unnoticed. The threat landscape changes quickly, so keep your processes, configurations, and policies up to date to maintain a secure S3 environment.