Varonis Threat Labs discovered a flaw in CloudTrail Network Activity events that could expose the AWS Account ID of any known S3 bucket when an attacker uses a VPC endpoint policy that denies cross-account requests. AWS has implemented a redaction fix after responsible disclosure. #CloudTrail #S3
Keypoints
- Varonis found a simple method to retrieve the AWS Account ID for any S3 bucket by leveraging CloudTrail Network Activity events combined with a VPC endpoint policy that denies cross-account access.
- The technique requires the attacker to deploy a VPC endpoint with a deny-all-external-buckets policy, enable Network Activity events in a CloudTrail trail, then make a single API request to the target bucket from inside the VPC.
- The attack produces a network activity event in the attacker’s account that contains the target bucket owner’s account ID, while leaving no logs or traces in the target account.
- The issue arose because VpceAccessDenied network activity events did not redact the target account ID, unlike other denied-access event types that are overwritten with “HIDDEN_DUE_TO_SECURITY_REASONS.”
- AWS implemented a defense-in-depth enhancement (redaction of owner account ID in this scenario) on June 20, 2025, after Varonis disclosed the issue via the AWS Vulnerability Disclosure Program.
- The technique does not enumerate buckets — it only reveals the account ID when the attacker already knows the bucket name.
- Mitigations include redacting identifiers from logs, encrypting logs, avoiding embedding account IDs in resource names, and using private connectivity controls such as properly configured VPC endpoints.
MITRE Techniques
- [T1110] Brute Force – Attackers could use revealed account IDs to aid in brute-forcing or validating IAM usernames by observing differences in AWS error messages (“…it can still aid attackers in identifying vulnerable misconfigurations, escalating privileges, brute-forcing IAM usernames, and validating their existence based on differences in AWS error messages…”).
- [T1583] Acquire Infrastructure – Cloud Services – The abuse uses attacker-controlled AWS infrastructure (VPC endpoint, CloudTrail trail) to query S3 and capture network activity events that leak target account IDs (“…configuring the attacker’s AWS environment and making a single API call…Deploy a VPC endpoint…Set a CloudTrail trail…Initiate an API request…”).
- [T1592] Gather Victim Identity Information – Cloud Instance Metadata – The technique extracts the owner account ID of S3 buckets from CloudTrail Network Activity events, revealing account identity information (“…a network activity event is created and recorded in the attacker’s network activity trail, and the account ID of the S3 bucket is exposed.”).
Indicators of Compromise
- [Account ID] exposed in CloudTrail Network Activity events – example: a target account ID appearing in the ‘Resources’ object of network activity events (now redacted after patch).
- [Event Type / Error] network activity error strings showing VPC endpoint denial – example: “VpceAccessDenied” seen in the attacker’s CloudTrail network activity event.
- [Resource Name] S3 bucket names required for the technique – context: the attack only works if the attacker already knows the target bucket name (example: s3://target-bucket).
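As an added example (not Varonis’s or AWS’s code), the following audit check scans a CloudTrail log file for the condition described in the keypoints and the indicators above: a VpceAccessDenied network activity event whose resource owner account ID is a foreign account and has not been overwritten with “HIDDEN_DUE_TO_SECURITY_REASONS”. It assumes the CloudTrail JSON field names eventType, errorCode, resources and recipientAccountId; the sample records are constructed, not real log data.

```python
"""Audit CloudTrail network activity events for unredacted cross-account
bucket-owner IDs in VpceAccessDenied records (defender-side check that the
June 2025 redaction is in effect on the logs you receive).

Assumptions: field names eventType/errorCode/resources/recipientAccountId
as used by CloudTrail JSON; the records below are constructed samples.
"""
import json

REDACTED = "HIDDEN_DUE_TO_SECURITY_REASONS"

# Constructed sample: one pre-fix style event exposing a foreign owner ID,
# one post-fix event with the owner ID redacted, one same-account denial.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventType": "AwsVpceEvent", "eventName": "GetObject",
     "errorCode": "VpceAccessDenied", "recipientAccountId": "111111111111",
     "resources": [{"type": "AWS::S3::Bucket", "accountId": "999999999999",
                    "ARN": "arn:aws:s3:::target-bucket"}]},
    {"eventType": "AwsVpceEvent", "eventName": "GetObject",
     "errorCode": "VpceAccessDenied", "recipientAccountId": "111111111111",
     "resources": [{"type": "AWS::S3::Bucket", "accountId": REDACTED,
                    "ARN": "arn:aws:s3:::target-bucket"}]},
    {"eventType": "AwsVpceEvent", "eventName": "ListObjects",
     "errorCode": "VpceAccessDenied", "recipientAccountId": "111111111111",
     "resources": [{"type": "AWS::S3::Bucket", "accountId": "111111111111",
                    "ARN": "arn:aws:s3:::own-bucket"}]},
]})


def find_unredacted_owner_ids(cloudtrail_json: str) -> list[dict]:
    """Return VpceAccessDenied network activity events whose resource owner
    account differs from the logging account and is not redacted."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        # Only network activity events (eventType AwsVpceEvent) are relevant.
        if rec.get("eventType") != "AwsVpceEvent":
            continue
        if rec.get("errorCode") != "VpceAccessDenied":
            continue
        own_account = rec.get("recipientAccountId")
        for res in rec.get("resources", []):
            owner = res.get("accountId")
            # Same-account denials and redacted IDs are expected; a foreign,
            # unredacted owner ID is the leak this page describes.
            if owner and owner != REDACTED and owner != own_account:
                findings.append({"eventName": rec.get("eventName"),
                                 "arn": res.get("ARN"),
                                 "ownerAccountId": owner})
    return findings
```

Run this against the network activity trail’s delivered JSON files; any finding means the owner account ID is still reaching your logs unredacted and the log store should be treated as sensitive.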
Read more: https://www.varonis.com/blog/exploiting-vpc-endpoints-for-s3buckets