The Invisible Footprint: How Anonymous S3 Requests Evade AWS Logging
Varonis Threat Labs discovered a logging evasion vulnerability in AWS where anonymous requests to external S3 buckets via VPC endpoints failed to generate CloudTrail Network Activity events. This flaw allowed attackers to invisibly exfiltrate data or download malware from compromised VPCs, though AWS has since patched the issue to ensure these requests are properly logged.
Authors: Varonis Threat Labs
Source: Varonis
Key Takeaways
- Anonymous requests to external S3 buckets via VPC endpoints previously bypassed AWS CloudTrail Network Activity logging in the source account.
- If a VPC endpoint policy denied access, no logs were generated in either the source or target account, creating a complete visibility blind spot.
- Attackers could exploit this logging gap to invisibly exfiltrate sensitive data or download malware into a compromised VPC.
- AWS has released an update to ensure CloudTrail now logs all anonymous API requests made to external S3 buckets via VPC endpoints.
Affected Systems
- AWS CloudTrail
- Amazon S3
- AWS VPC Endpoints
Attack Chain
An attacker first compromises an internal application server residing within a private AWS VPC. Leveraging an existing VPC endpoint, the attacker initiates anonymous requests to an external, attacker-controlled S3 bucket. Because the requests are anonymous and routed through the VPC endpoint, AWS CloudTrail previously failed to log the network activity in the source account. This allowed the attacker to silently exfiltrate sensitive data or download malicious payloads without triggering security alerts.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but notes that AWS has updated CloudTrail to log these events natively.
Detection Engineering Assessment
- EDR Visibility: None — This is a cloud-native logging vulnerability involving AWS infrastructure (CloudTrail, VPC Endpoints, S3), which is outside the scope of traditional endpoint detection and response tools.
- Network Visibility: Low — Traffic routed through AWS VPC endpoints stays within the AWS backbone network, bypassing traditional perimeter network monitoring tools.
- Detection Difficulty: Moderate — Prior to the AWS patch, detection was impossible via CloudTrail. Post-patch, detection requires actively monitoring CloudTrail Network Activity events for anonymous access patterns.
Required Log Sources
- AWS CloudTrail Network Activity Events
- AWS CloudTrail Data Events
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Attackers may be using anonymous requests via VPC endpoints to exfiltrate data or download tools. | AWS CloudTrail Network Activity Events | Exfiltration | Low |
Control Gaps
- AWS CloudTrail Network Activity logging (prior to AWS patch)
Key Behavioral Indicators
- CloudTrail events containing userIdentity.accountId set to 'anonymous'
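The hunting hypothesis and the behavioral indicator above can be checked with a small parser over CloudTrail log files. The following is an added example, not code from the Varonis article: it reads a CloudTrail JSON file, keeps S3 calls that traverse a VPC endpoint with `userIdentity.accountId` of `anonymous`, and returns one finding per record. The sample records are constructed; only the `accountId` value comes from the article, while `eventCategory`, `vpcEndpointId` and `requestParameters` are assumed field names.

```python
import json

# Constructed sample records in CloudTrail's JSON shape (not captured from a
# real account). Only userIdentity.accountId == "anonymous" comes from the
# article; eventCategory, vpcEndpointId and requestParameters are assumptions.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventCategory": "NetworkActivity", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "vpcEndpointId": "vpce-0EXAMPLE1",
     "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"accountId": "anonymous"},
     "requestParameters": {"bucketName": "external-bucket-example"}},
    {"eventCategory": "NetworkActivity", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "vpcEndpointId": "vpce-0EXAMPLE1",
     "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"accountId": "anonymous"},
     "requestParameters": {"bucketName": "external-bucket-example"}},
    {"eventCategory": "Data", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "vpcEndpointId": "vpce-0EXAMPLE1",
     "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"accountId": "111122223333", "type": "AssumedRole"},
     "requestParameters": {"bucketName": "internal-data-example"}},
    {"eventCategory": "Management", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"accountId": "111122223333", "type": "AssumedRole"}},
]})


def is_anonymous_vpce_s3(record: dict) -> bool:
    """True when an S3 call through a VPC endpoint carries no AWS identity."""
    identity = record.get("userIdentity") or {}
    return (record.get("eventSource") == "s3.amazonaws.com"
            and bool(record.get("vpcEndpointId"))
            and identity.get("accountId") == "anonymous")


def hunt_anonymous_s3(log_text: str) -> list:
    """Parse a CloudTrail log file and return one finding per matching record."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if not is_anonymous_vpce_s3(rec):
            continue
        findings.append({
            "eventName": rec.get("eventName"),
            "bucket": (rec.get("requestParameters") or {}).get("bucketName"),
            "vpcEndpointId": rec["vpcEndpointId"],
            "sourceIPAddress": rec.get("sourceIPAddress"),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_anonymous_s3(SAMPLE_LOG):
        print(finding)
```

Point `hunt_anonymous_s3` at the decompressed contents of each CloudTrail log object and feed the findings into your alerting pipeline; authenticated S3 traffic through the same endpoint is ignored, which keeps the false-positive rate low as the assessment above expects.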
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Review and restrict VPC Endpoint policies to explicitly deny anonymous access.
- Enforce IAM conditions for all requests routed through VPC endpoints.
Infrastructure Hardening
- Regularly audit S3 bucket policies to identify and remediate overly permissive or public access configurations.
User Protection
- N/A
Security Awareness
- Set up automated notifications and alerting for any modifications made to VPC endpoint or S3 bucket policies.
MITRE ATT&CK Mapping
- T1562.008 - Impair Defenses: Disable or Modify Cloud Logs
- T1048 - Exfiltration Over Alternative Protocol
- T1105 - Ingress Tool Transfer
Additional IOCs
- Other: `"accountId": "anonymous"` - CloudTrail log artifact indicating an anonymous request, found within the userIdentity object.