Abusing the Replicator: Silently Exfiltrating Data with the AWS S3 Replication Service

But how would you distinguish between legitimate backup activity and malicious data exfiltration on AWS S3?

In this blog post, I walkthrough a malicious use of the S3 Replication service and how selective data event logging on the S3 service will result in a gap in S3 exfiltration visibility since the PutObject event, indicating data movement event will not be written in the Source Account.