Cloud Data Exfiltration
What is Cloud Data Exfiltration?
The unauthorized copy or transfer of data out of a cloud account, often via object storage APIs, snapshots, replication, or attacker-controlled accounts.
Cloud data exfiltration is the stage of an intrusion where attackers move data from compromised cloud services to infrastructure they control. Common techniques include S3 GetObject calls and bulk sync, copying EBS or RDS snapshots into attacker-controlled accounts by granting share permissions, cross-account replication policies, BigQuery and Athena exports, making buckets publicly readable, and signed URLs with long expiry times. Egress can also be hidden inside legitimate features such as object versioning or backup tools. Defences combine least-privilege IAM, explicit deny rules on cross-account sharing of storage and snapshots, VPC endpoints combined with Service Control Policies, encryption with customer-managed keys, detection of anomalous egress traffic, and DLP scanning of stored data.
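As an added illustration (not part of the original glossary entry), a small Python detector that runs over CloudTrail-style events and flags two of the patterns above: a snapshot shared with an account outside an allowlist, and a bucket policy that grants access to everyone. The event field layout, the TRUSTED_ACCOUNTS set and the sample events are constructed assumptions of this example.

```python
TRUSTED_ACCOUNTS = {"111111111111"}  # assumption: the organisation's own account ids

def share_targets(params):
    """Account ids (or 'all' for public) added by an EC2 or RDS snapshot-share call."""
    targets = set()
    # EC2 ModifySnapshotAttribute: createVolumePermission.add.items[].userId|group
    for item in params.get("createVolumePermission", {}).get("add", {}).get("items", []):
        targets.add(str(item.get("userId") or item.get("group")))
    # RDS ModifyDBSnapshotAttribute: valuesToAdd[] holds account ids or "all"
    targets.update(str(v) for v in params.get("valuesToAdd", []))
    return targets

def public_principal(policy):
    """True if any statement in an S3 bucket policy grants access to everyone."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False

def flag_exfil_events(events, trusted=TRUSTED_ACCOUNTS):
    """Return (eventName, reason) pairs for events matching the exfiltration patterns."""
    findings = []
    for ev in events:
        name, params = ev.get("eventName", ""), ev.get("requestParameters") or {}
        if name in ("ModifySnapshotAttribute", "ModifyDBSnapshotAttribute"):
            untrusted = share_targets(params) - trusted
            if untrusted:
                findings.append((name, "snapshot shared with " + ",".join(sorted(untrusted))))
        elif name == "PutBucketPolicy" and public_principal(params.get("bucketPolicy") or {}):
            findings.append((name, "bucket %s policy grants Principal *" % params.get("bucketName")))
    return findings

# Constructed sample events (not real CloudTrail records; only the fields used above)
SAMPLE_EVENTS = [
    {"eventName": "ModifySnapshotAttribute", "requestParameters": {"snapshotId": "snap-0123",
        "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventName": "ModifyDBSnapshotAttribute", "requestParameters": {
        "dBSnapshotIdentifier": "customers-prod", "valuesToAdd": ["111111111111"]}},
    {"eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "finance-exports",
        "bucketPolicy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}}},
    {"eventName": "GetObject", "requestParameters": {"bucketName": "finance-exports"}},
]

if __name__ == "__main__":
    for finding in flag_exfil_events(SAMPLE_EVENTS):
        print(*finding)
```

The RDS share to the allowlisted account and the plain GetObject produce no finding; only the cross-account EC2 share and the public bucket policy are reported.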
● Examples
- 01: An attacker uses stolen IAM credentials to run aws s3 sync against a sensitive bucket.
- 02: Sharing an RDS snapshot to an external AWS account to dump customer tables.
● Frequently asked questions
What is Cloud Data Exfiltration?
The unauthorized copy or transfer of data out of a cloud account, often via object storage APIs, snapshots, replication, or attacker-controlled accounts. It belongs to the Cloud Security category of cybersecurity.
How does Cloud Data Exfiltration work?
As described in the full definition above: attackers with a foothold in a cloud account use storage APIs, snapshot sharing, cross-account replication, query exports, public bucket shares, or long-lived signed URLs to move data to infrastructure they control, sometimes hiding the egress inside legitimate features such as versioning or backup tools.
How do you defend against Cloud Data Exfiltration?
Defences for Cloud Data Exfiltration typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Cloud Data Exfiltration?
Common alternative names include: Cloud egress, Cloud bucket exfiltration.
● Related terms
- Cloud Token Theft (cloud-security № 190): Stealing OAuth, SAML, or signing tokens from a cloud identity service and replaying them to impersonate users or services without needing passwords.
- Cloud Key Leak (cloud-security № 186): Accidental exposure of long-lived cloud access keys in public repositories, container images, logs, or client-side code, often abused within minutes.
- IAM Privilege Escalation (cloud-security № 505): Abusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights.
- Cloud Metadata SSRF (cloud-security № 187): A server-side request forgery attack that abuses a vulnerable application to query a cloud provider's instance metadata service and steal temporary credentials.
● See also
- Container Escape (№ 211)
- AWS IMDSv1 Attack (№ 079)
- Kubernetes Cluster Attack (№ 598)
- CSPM Finding (№ 255)