INC-4419 · Critical · Open · AWS

Suspected Data Exfiltration — S3 Bucket prod-customer-data-eu

MITRE ATT&CK: Initial Access · Execution · Privilege Escalation · Lateral Movement · Exfiltration
Account: prod-aws-eu-west-1
Region: eu-west-1
Detected: 2026-05-29 12:48 UTC
Duration: 37 min open
Alerts: 14 correlated
Assignee: S. Okonkwo

Event Timeline · 12 events · Oldest first

12:34:11 UTC

Analyst S. Okonkwo acknowledged alert ALT-88241

AISOC Platform · Manual action

Alert: Unusual Lambda invocation rate | Action: Acknowledged, assigned to self

12:36:47 UTC · Collection

Unusual KMS key usage — decrypt operations from Lambda

AWS CloudTrail · kms.amazonaws.com Decrypt

Key: arn:aws:kms:eu-west-1:441029384712:key/mrk-a1b2c3 | Calls: 4,821 in 8 minutes

12:38:05 UTC · Collection

AWS Macie detected PII in s3://prod-customer-data-eu

AWS Macie · SensitiveData:S3Object/Personal

Objects flagged: 4,821 | Data types: SSN, credit card numbers, email addresses

PII classification confirmed prior to exfiltration — attacker likely conducted reconnaissance.

12:39:22 UTC · Low · Discovery

Port scan detected from 185.220.101.47 on prod subnet

AWS Network Firewall · Suricata rule ET SCAN

Ports scanned: 22, 443, 8080, 9200, 6379 | Duration: 4m 12s

12:40:51 UTC · Initial Access

svc-etl-pipeline authenticated via long-term IAM access key

AWS CloudTrail · ConsoleLogin

Key age: 287 days (policy violation — max 90 days) | MFA: not required for this key

Long-lived key with no MFA is the likely initial compromise vector. Key rotation not enforced.

12:42:04 UTC · Medium · Command and Control

EC2 instance i-0a4f9b2c3d1e8f7g6 made outbound connection to known C2

VPC Flow Logs · GuardDuty finding

Destination: 185.220.101.47:443 | Duration: 8m 14s | Bytes out: 2.4 GB

12:43:17 UTC · Medium · Execution

Unusual Lambda invocation — data-export-fn triggered 847 times

AWS CloudWatch · Lambda Insights

Normal invocation rate: 12/hr | Observed: 847 in 4 minutes | Memory spike: 1.8 GB

12:44:29 UTC · Critical · Privilege Escalation

svc-etl-pipeline assumed AdministratorAccess role via IAM role chaining

AWS CloudTrail · AssumeRole

Source role: arn:aws:iam::441029384712:role/DataPipeline-Exec → Target: AdministratorAccess

This is the pivot point. Service account should not have AssumeRole permission on AdministratorAccess.

12:45:58 UTC · Medium · Defense Evasion

CloudTrail logging temporarily disabled in eu-west-1

AWS CloudTrail · StopLogging API call

Duration: 47 seconds | Caller: svc-etl-pipeline | Region: eu-west-1

Classic anti-forensics technique. Logging re-enabled after bulk download completed.
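A detection for this step, written here as an added example (it is not part of the incident record or the AISOC platform's own code): it pairs each StopLogging call with the next StartLogging on the same trail and reports how long the trail was blind, plus any other trail-tampering call. The CloudTrail records are constructed to mirror the timeline above; the trail name prod-trail is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample CloudTrail management events for illustration; not telemetry
# from the incident page. Caller ARN and timestamps mirror the INC-4419 timeline.
SAMPLE_EVENTS = [
    {"eventTime": "2026-05-29T12:44:29Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::441029384712:user/svc-etl-pipeline"}},
    {"eventTime": "2026-05-29T12:45:58Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::441029384712:user/svc-etl-pipeline"},
     "requestParameters": {"name": "prod-trail"}},  # trail name is assumed
    {"eventTime": "2026-05-29T12:46:45Z", "eventName": "StartLogging",
     "eventSource": "cloudtrail.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::441029384712:user/svc-etl-pipeline"},
     "requestParameters": {"name": "prod-trail"}},
]

# Trail-tampering calls that deserve an alert whether or not logging resumes.
TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_logging_gaps(events):
    """Report every tampering call; for StopLogging, pair it with the next
    StartLogging on the same trail and compute the blind window.

    gap_seconds is None when logging was never resumed in the supplied events,
    which is the more urgent case.
    """
    ordered = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(ordered):
        if ev.get("eventSource") != "cloudtrail.amazonaws.com" or ev["eventName"] not in TAMPER_CALLS:
            continue
        trail = ev.get("requestParameters", {}).get("name")
        finding = {"call": ev["eventName"], "trail": trail, "region": ev["awsRegion"],
                   "caller": ev["userIdentity"]["arn"], "gap_seconds": None}
        if ev["eventName"] == "StopLogging":
            for later in ordered[i + 1:]:
                if later["eventName"] == "StartLogging" and later.get("requestParameters", {}).get("name") == trail:
                    finding["gap_seconds"] = int((_ts(later) - _ts(ev)).total_seconds())
                    break
        findings.append(finding)
    return findings
```

Run against the sample, the single finding is the 47-second window the timeline shows; any activity by the same caller inside that window is what the blind spot hides.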

12:46:12 UTC · High · Defense Evasion

S3 bucket policy modified — public access re-enabled

AWS Config · s3-bucket-public-access-prohibited

Modified by: svc-etl-pipeline | Change: BlockPublicAcls=false, IgnorePublicAcls=false

Policy modification occurred 96 seconds before bulk download began — consistent with pre-staging behavior.

12:47:41 UTC · High · Initial Access

IAM credential used from new geolocation — Amsterdam, NL

AWS GuardDuty · CredentialAccess:IAMUser/AnomalousBehavior

Normal usage location: Virginia, US. Deviation score: 98.2

12:48:03 UTC · Critical · Exfiltration

Anomalous S3 GetObject volume — 14,280 objects in 90s

AWS CloudTrail · s3.amazonaws.com

Principal: arn:aws:iam::441029384712:user/svc-etl-pipeline | IP: 185.220.101.47 | Bucket: prod-customer-data-eu

IP 185.220.101.47 matches 3 threat intelligence feeds. Geolocated to TOR exit node in NL.

AI Analyst

AISOC Intelligence Engine v3.1

Attack Confidence: 91%

High confidence — 5 corroborating signals across CloudTrail, GuardDuty, VPC Flow, Macie

Initial Access: Attacker obtained long-lived IAM access key for svc-etl-pipeline — likely via credential exposure in a public repository or phishing. Key was 287 days old with no MFA enforcement.

Privilege Escalation: Exploited misconfigured DataPipeline-Exec IAM role with wildcard sts:AssumeRole trust policy to elevate to AdministratorAccess.

Defense Evasion: Disabled CloudTrail logging for 47 seconds to suppress audit trail. Modified S3 bucket ACL to remove public access blocks.

Exfiltration: Bulk downloaded 14,280 S3 objects (2.4 GB) to TOR exit node 185.220.101.47 via Lambda function with modified code. PII confirmed by Macie.

⚠ GDPR breach notification required — PII exfiltrated. Notify DPO immediately. 72h regulatory deadline: 2026-06-01 12:48 UTC.

Recommended Action

Remove wildcard AssumeRole from DataPipeline-Exec immediately

This is the root cause enabling privilege escalation. Until fixed, any compromised service account in this account can gain AdministratorAccess.
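An audit for the root cause named above, as an added example that is not the platform's own code: it flags Allow statements that grant sts:AssumeRole to a wildcard Principal (a trust policy anyone can satisfy) or against a wildcard Resource (a permission policy that lets the principal assume any role that trusts it). Both policy documents are constructed; the real DataPipeline-Exec policies are not on this page, and the trusted role etl-runner is hypothetical.

```python
import json

# Constructed example trust policies for illustration; the incident page does
# not include the real DataPipeline-Exec documents. The account id is the page's;
# the role name etl-runner is a hypothetical trusted caller.
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "*"}}]}""")

FIXED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::441029384712:role/etl-runner"}}]}""")


def _as_list(value):
    # IAM accepts a scalar or a list for Action, Resource and Principal.AWS.
    return value if isinstance(value, list) else [value]


def _grants_assume_role(action):
    return action.lower() in ("*", "sts:*", "sts:assumerole")


def find_wildcard_assume_role(policy):
    """Return Allow statements that grant sts:AssumeRole to or against a wildcard.

    Trust policy: Principal "*" / {"AWS": "*"} lets any AWS account assume the role.
    Permission policy: Resource "*" lets the principal assume any role that trusts it.
    A Condition block is reported but does not clear the finding.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_assume_role(a) for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        wildcard_principal = "*" in aws_principals
        wildcard_resource = "*" in _as_list(stmt.get("Resource", []))
        if wildcard_principal or wildcard_resource:
            findings.append({"statement": idx,
                             "wildcard_principal": wildcard_principal,
                             "wildcard_resource": wildcard_resource,
                             "has_condition": "Condition" in stmt})
    return findings
```

The weak document yields one finding and the fixed one none; the same function works on a role's inline or attached permission policies, where the wildcard shows up as Resource rather than Principal.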

Similar Past Incidents

IAM Role Chaining — prod-aws-us-east-1

INC-4188 · 12 days ago

S3 Exfiltration via Lambda

INC-3971 · 31 days ago

Long-lived key compromise — GCP

INC-3842 · 47 days ago

Related Vulnerabilities

CVE-2024-28752 · 8.1

IAM role trust policy wildcard

DataPipeline-Exec

CVE-2024-21413 · 7.4

Long-lived access key no rotation

svc-etl-pipeline

CVE-2023-44487 · 9.1

S3 bucket public access misconfigured

prod-customer-data-eu

Patched

SLA Status

Time to Acknowledge: 4m 12s ✓
Time to Contain: 37m (open)
Resolution SLA: 4h remaining
GDPR 72h deadline: 71h 23m left