VDB

GCVE-110-CLOUD-2022-0021

GCVE-110-CLOUD-2022-0021
Advisory Published
Vulnetix · Advisory published July 20, 2022
If a malicious actor with prior access to an AWS environment has permission to modify the S3 Replication Service role access policy, they could abuse cross-account replication to exfiltrate stolen data to an external bucket under their control. Moreover, when configured to replicate to multiple buckets at once, and if logging is only scoped to specific buckets (as opposed to being set to log "all current and future buckets"), then the S3 Replication Service only logs a putObject event to CloudTrail for the first destination bucket. Thus, as long as the malicious actor's bucket isn't the first replication destination, their activity wouldn't be logged in CloudTrail, and might go undetected.

Affected Products

VendorProductVersionsPlatforms
AWSS3
AWSConfig
AWSCloudTrail

References

advisory
advisory

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›