Techniques
Sample rules
AWS S3 Bucket Replicated to Another Account
- source: elastic
- techniques:
- T1537
Description
Identifies when the PutBucketReplication operation is used to replicate S3 objects to a bucket in another AWS account. Adversaries may use bucket replication to exfiltrate sensitive data to an environment they control.
Detection logic
any where event.dataset == "aws.cloudtrail"
and event.action == "PutBucketReplication"
and event.outcome == "success"
and stringContains(aws.cloudtrail.request_parameters, "Account")
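
The four conditions above, evaluated in Python over constructed events. This is an added example, not part of the Elastic rule. It goes one step beyond the rule by extracting the destination account ID for triage, which separates cross-account hits from substring-only matches such as a bucket name that contains "Account". The flattened request_parameters serialization, the use of cloud.account.id as the source bucket owner, and all helper names are assumptions.

```python
import re

# Assumption: request_parameters is one flattened string, as the rule's
# stringContains() call implies. The serialization used here is constructed.
ACCOUNT_RE = re.compile(r'"?Account"?\s*[=:]\s*"?(\d{12})')

def rule_matches(event):
    """Mirror the four conditions of the detection logic (case-sensitive)."""
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.action") == "PutBucketReplication"
        and event.get("event.outcome") == "success"
        and "Account" in event.get("aws.cloudtrail.request_parameters", "")
    )

def triage(event):
    """Classify an event: no_match, cross_account, same_account, needs_review."""
    if not rule_matches(event):
        return "no_match"
    found = set(ACCOUNT_RE.findall(event["aws.cloudtrail.request_parameters"]))
    if not found:
        # Substring hit with no destination account ID, e.g. a bucket name.
        return "needs_review"
    # Assumption: cloud.account.id holds the account that owns the source bucket.
    owner = event.get("cloud.account.id")
    return "same_account" if found == {owner} else "cross_account"

def make_event(params, outcome="success", owner="111111111111"):
    """Build a constructed, ECS-style event for the samples below."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.action": "PutBucketReplication",
        "event.outcome": outcome,
        "cloud.account.id": owner,
        "aws.cloudtrail.request_parameters": params,
    }

# Constructed samples, not real CloudTrail output.
CROSS = "{Rule={Destination={Account=222222222222, Bucket=arn:aws:s3:::example-dst}}}"
SAME = "{Rule={Destination={Account=111111111111, Bucket=arn:aws:s3:::example-dst}}}"
NO_KEY = "{Rule={Destination={Bucket=arn:aws:s3:::example-dst}}}"
NAME_HIT = "{Rule={Destination={Bucket=arn:aws:s3:::AccountingArchive}}}"

if __name__ == "__main__":
    for label, p in [("cross", CROSS), ("same", SAME), ("no_key", NO_KEY), ("name", NAME_HIT)]:
        print(label, triage(make_event(p)))
```
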