Cross-account S3 replication is common in multi-account AWS organizations, centralized logging architectures, and disaster-recovery designs. Confirm whether the destination account is an approved replication target. Unexpected replication configuration changes should be treated as suspicious.

Techniques

Sample rules

AWS S3 Bucket Replicated to Another Account

Description

Identifies the creation or modification of an S3 bucket replication configuration that sends data to a bucket in a different AWS account. Cross-account replication can be used legitimately for backup, disaster recovery, and multi-account architectures, but adversaries with write access to an S3 bucket may abuse replication rules to silently exfiltrate large volumes of data to attacker-controlled accounts. This rule detects “PutBucketReplication” events where the configured destination account differs from the source bucket’s account, indicating potential unauthorized cross-account data movement.

Detection logic

info where event.dataset == "aws.cloudtrail"
   and event.action == "PutBucketReplication"
   and event.outcome == "success"
   and stringContains(aws.cloudtrail.request_parameters, "Account=")
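The query above fires on any successful PutBucketReplication call whose serialized request parameters contain "Account=", and leaves the analyst to confirm that the destination account is approved. The following example is added here and is not part of the LoFP page or the Elastic rule: it takes a raw CloudTrail record, pulls the destination account out of each replication rule, compares it with the source account, and marks each finding against an allowlist of approved replication targets, which is the triage step the false-positive note describes. The record is constructed, not a real capture, and the layout of requestParameters (ReplicationConfiguration > Rule > Destination > Account) and the account IDs are assumptions made for the example.

```python
"""Triage helper for CloudTrail PutBucketReplication events (added example)."""

# Constructed sample record (not a real capture). Account IDs and bucket names are
# made up; the requestParameters layout mirrors the S3 replication configuration
# document and is an assumption for this example.
SAMPLE_EVENT = {
    "eventVersion": "1.08",
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketReplication",
    "awsRegion": "us-east-1",
    "userIdentity": {
        "type": "IAMUser",
        "accountId": "111111111111",
        "arn": "arn:aws:iam::111111111111:user/alice",
    },
    "recipientAccountId": "111111111111",
    "requestParameters": {
        "bucketName": "source-data-bucket",
        "ReplicationConfiguration": {
            "Role": "arn:aws:iam::111111111111:role/s3-replication",
            "Rule": [
                {"ID": "to-dr", "Status": "Enabled",
                 "Destination": {"Bucket": "arn:aws:s3:::dr-copy",
                                 "Account": "222222222222"}},
                {"ID": "to-unknown", "Status": "Enabled",
                 "Destination": {"Bucket": "arn:aws:s3:::unknown-copy",
                                 "Account": "999999999999"}},
            ],
        },
    },
}


def destination_accounts(record):
    """Yield (rule_id, destination_bucket_arn, destination_account) per rule.

    A configuration with a single rule may be serialized as an object rather
    than a list, so both shapes are accepted. A missing Account element means
    the destination bucket is owned by the source account (assumption).
    """
    params = record.get("requestParameters") or {}
    config = params.get("ReplicationConfiguration") or {}
    rules = config.get("Rule") or []
    if isinstance(rules, dict):
        rules = [rules]
    for rule in rules:
        dest = rule.get("Destination") or {}
        yield rule.get("ID", "<no-id>"), dest.get("Bucket", ""), dest.get("Account")


def evaluate(record, approved_accounts):
    """Return a finding per replication rule that targets a different account.

    Each finding carries an 'approved' flag so that replication to a known
    DR/logging account can be filtered out while unknown targets are escalated.
    An empty list means the record needs no attention.
    """
    if record.get("eventSource") != "s3.amazonaws.com":
        return []
    if record.get("eventName") != "PutBucketReplication":
        return []
    if "errorCode" in record:  # only successful calls change the bucket config
        return []

    source_account = (record.get("recipientAccountId")
                      or (record.get("userIdentity") or {}).get("accountId"))
    findings = []
    for rule_id, bucket_arn, dest_account in destination_accounts(record):
        dest_account = dest_account or source_account
        if dest_account == source_account:
            continue  # same-account replication is out of scope for this rule
        findings.append({
            "rule_id": rule_id,
            "source_bucket": record["requestParameters"].get("bucketName", ""),
            "source_account": source_account,
            "destination_bucket": bucket_arn,
            "destination_account": dest_account,
            "approved": dest_account in approved_accounts,
        })
    return findings


def unapproved(findings):
    """Keep only findings whose destination is not an approved target."""
    return [f for f in findings if not f["approved"]]


if __name__ == "__main__":
    approved = {"222222222222"}  # assumed list of sanctioned replication targets
    for finding in unapproved(evaluate(SAMPLE_EVENT, approved)):
        print("escalate:", finding)
```

The allowlist is the tuning knob the false-positive note points at: replication into the organization's DR or central-logging account is expected and drops out, while a rule pointing at an account nobody recognizes is escalated together with the source bucket, the destination bucket ARN and the principal that made the change.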