The Invisible Footprint: How Anonymous S3 Requests Evade AWS Logging

Keypoints

• VTL found a vulnerability where anonymous S3 requests did not appear in CloudTrail Network Activity events, regardless of bucket permissions.
• Anonymous requests from a VPC to buckets within the same account generated logs, while requests to external buckets generated no events in the source account.
• If the target account’s VPC endpoint policy allowed access, the target account logged management/data events; if denied, the request was blocked at the network layer and no events were created in either account.
• Attackers could exploit denied endpoint policies in a compromised account to interact with public buckets anonymously and evade detection by security teams.
• Missing anonymous logs enable stealthy data exfiltration or malware downloads via VPC endpoints with no forensic trail for incident responders.
• AWS and Varonis collaborated to change CloudTrail behavior so anonymous API requests to external S3 buckets via VPC endpoints are now logged as Network Activity events delivered to the VPC endpoint owner.
• Recommended mitigations include applying least-privilege VPC endpoint policies, auditing bucket policies, and enabling alerts on policy changes.