AWS Cloud Trail Aws Exfiltration Via Bucket Replication
Query
// let _ReplicationAWSAccounts = toscalar(
// _GetWatchlist("AccountId-AuditAWSAccounts")
// | where Notes has "[BucketReplication]"
// | summarize make_list(AccountId)
// );
AWSCloudTrail
| where EventName == "PutBucketReplication"
// | extend RequestParameters = todynamic(RequestParameters)
// | mv-expand Rule = iff(isempty(array_length(RequestParameters["ReplicationConfiguration"]["Rule"])), pack_array(RequestParameters["ReplicationConfiguration"]["Rule"]), RequestParameters["ReplicationConfiguration"]["Rule"])
// | extend
// DestinationBucket = tostring(Rule["Destination"]["Bucket"]),
// AccessControlTranslation = tostring(Rule["Destination"]["AccessControlTranslation"]),
// ReplicaOwner = tostring(Rule["Destination"]["Account"])
// | where not(DestionationBucket has_any (_ReplicationAWSAccounts))
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
// DestinationBucket,
// AccessControlTranslation,
// ReplicaOwner,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This query is designed to analyze AWS CloudTrail logs specifically for events related to the "PutBucketReplication" action. Here's a simplified breakdown of what the query does:
-
Watchlist Filtering (Commented Out):
- The first part of the query (commented out) is intended to create a list of AWS account IDs from a watchlist named "AccountId-AuditAWSAccounts" that have notes containing "[BucketReplication]". This list is stored in a variable called
_ReplicationAWSAccounts.
- The first part of the query (commented out) is intended to create a list of AWS account IDs from a watchlist named "AccountId-AuditAWSAccounts" that have notes containing "[BucketReplication]". This list is stored in a variable called
-
Filter CloudTrail Logs:
- The query filters the
AWSCloudTraillogs to only include events where theEventNameis "PutBucketReplication". This event indicates that a replication configuration has been set for an S3 bucket.
- The query filters the
-
Invoke AWS Identity Role:
- The query uses the
invoke AWSIdentityRole()function, which likely enriches the data with additional identity-related information.
- The query uses the
-
Project Relevant Fields:
- The query selects (or projects) a specific set of fields from the filtered logs to be displayed. These fields include:
TimeGenerated: The time the event was logged.UserIdentityType,Identity,ActorRole: Information about the user or role that initiated the event.UserIdentityAccountId,UserIdentityAccountName: The account ID and name of the user.RecipientAccountId,RecipientAccountName: The account ID and name of the recipient.AWSRegion: The AWS region where the event occurred.SessionCreationDate: The date the session was created.UserIdentityPrincipalid,UserIdentityArn: Principal ID and ARN of the user.SourceIpAddress: The IP address from which the request was made.EventSource,EventTypeName,EventName: Details about the event source and type.ManagementEvent,ReadOnly: Flags indicating if the event is a management event and if it is read-only.ErrorCode,ErrorMessage: Any error codes or messages associated with the event.RequestParameters,ResponseElements,Resources: Details about the request, response, and resources involved.SessionMfaAuthenticated: Indicates if MFA was used.UserAgent: The user agent string of the requester.AwsEventId: The unique ID of the AWS event.
- The query selects (or projects) a specific set of fields from the filtered logs to be displayed. These fields include:
-
Commented Out Logic:
- There are additional commented-out sections that would further process the
RequestParametersto extract details about the replication configuration, such as the destination bucket and replica owner. These sections are currently not active in the query.
- There are additional commented-out sections that would further process the
Overall, this query is set up to monitor and analyze "PutBucketReplication" events in AWS CloudTrail, providing detailed information about each event and the identities involved.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
AWSCloudTrail
Keywords
AWSCloudTrailAWSIdentityRoleEventNameUserIdentityTypeIdentityActorRoleUserIdentityAccountIdUserIdentityAccountNameRecipientAccountIdRecipientAccountNameAWSRegionSessionCreationDateUserIdentityPrincipalidUserIdentityArnSourceIpAddressEventSourceEventTypeNameManagementEventReadOnlyErrorCodeErrorMessageRequestParametersResponseElementsResourcesSessionMfaAuthenticatedUserAgentAwsEventId
Operators
lettoscalar_GetWatchlistwherehassummarizemake_list|==iffisemptyarray_lengthpack_arrayextendtostringnothas_anyinvokeproject