Abuse S3 Replication and Batch Ops to Exfiltrate Data

This fun lab explores the powerful S3 features of replication and batch operations, and how they can be used by threat actors to access sensitive information.

During the external part of the assessment for a client, you identified credentials stored in a zip file for an AWS IAM user. Use these credentials and show the client the impact of this breach!

• Familiarity with the Linux command line
• Familiarity with AWS

• Modify S3 bucket replication settings to exfiltrate new data
• Modify S3 batch operations settings to exfiltrate existing data
• Manual S3 enumeration and rights testing
• Identifying attack vectors with manual IAM enumeration
• Identifying assigned IAM permissions using aws-enumerator

There is often a need for data in the cloud to be replicated, copied, tagged or processed in some other way. S3 replication and batch operations offer a powerful way for organizations to add layers of security (or insecurity...) and automate their workflows. In the cloud (just as with on-premises) there are many (mis)configurations that can be made, and shifting IAM permissions can open up attack vectors. A purple team approach of securing and attempting to attack the configured infrastructure will result in an improved security posture.