Analytics Story: Suspicious AWS S3 Activities
Description
Use the searches in this Analytic Story with CloudTrail logs to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviour, such as open (publicly readable or writable) S3 buckets, buckets being accessed from a new IP address, permission and policy updates to a bucket, and potential misuse of other AWS services that leads to data being leaked.
Why it matters
One of the most common ways attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations. More broadly, suspicious S3 activity refers to any unusual behaviour detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses. Organizations should regularly monitor S3 activity for suspicious behaviour and implement security best practices, such as access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored in S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent security breaches and minimize the impact of attacks if they do occur.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail CreateTask | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail PutBucketReplication | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail PutBucketVersioning | AWS | aws:cloudtrail | aws_cloudtrail |
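The detection themes in the description (open buckets, access from a new IP, permission and policy changes, and the PutBucketVersioning / PutBucketReplication data sources above) applied to CloudTrail records, as an added Python example that is not part of the Splunk content itself. The sample events, the `KNOWN_IPS` baseline and the finding labels are constructed for this example; the field layout assumes CloudTrail's JSON rendering of S3 management-event request parameters.

```python
import json

# Constructed sample CloudTrail S3 management events (field names follow the CloudTrail schema, values are invented).
SAMPLE_EVENTS = [
    {"eventName": "PutBucketAcl", "sourceIPAddress": "198.51.100.7", "recipientAccountId": "111111111111",
     "requestParameters": {"bucketName": "corp-data", "AccessControlPolicy": {"AccessControlList": {"Grant":
         {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}}}}},
    {"eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7", "recipientAccountId": "111111111111",
     "requestParameters": {"bucketName": "corp-data", "bucketPolicy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-data/*"}]}}},
    {"eventName": "PutBucketVersioning", "sourceIPAddress": "203.0.113.9", "recipientAccountId": "111111111111",
     "requestParameters": {"bucketName": "corp-data", "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventName": "PutBucketReplication", "sourceIPAddress": "203.0.113.9", "recipientAccountId": "111111111111",
     "requestParameters": {"bucketName": "corp-data", "ReplicationConfiguration": {"Rule": {
         "Destination": {"Bucket": "arn:aws:s3:::elsewhere", "Account": "222222222222"}}}}},
]
KNOWN_IPS = {"198.51.100.7"}  # constructed baseline of source IPs previously seen for this account
PUBLIC_GRANTEES = ("global/AllUsers", "global/AuthenticatedUsers")

def as_list(x):
    """CloudTrail renders one XML element as a dict and several as a list; normalise to a list."""
    return x if isinstance(x, list) else [x] if x else []

def find_suspicious_s3(events, known_ips):
    """Return (bucket, finding) pairs for S3 events matching the story's detection themes."""
    out = []
    for ev in events:
        p = ev.get("requestParameters") or {}
        bucket, name = p.get("bucketName", "?"), ev.get("eventName")
        if ev.get("sourceIPAddress") not in known_ips:  # bucket touched from an IP not in the baseline
            out.append((bucket, "new-source-ip"))
        if name == "PutBucketAcl":  # ACL grant to AllUsers / AuthenticatedUsers makes the bucket open
            grants = as_list(p.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant"))
            if any(g in (gr.get("Grantee") or {}).get("URI", "") for gr in grants for g in PUBLIC_GRANTEES):
                out.append((bucket, "public-acl"))
        elif name == "PutBucketPolicy":  # Allow statement with a wildcard principal opens the bucket
            pol = p.get("bucketPolicy") or {}
            pol = json.loads(pol) if isinstance(pol, str) else pol
            for st in as_list(pol.get("Statement")):
                pr = st.get("Principal")
                if st.get("Effect") == "Allow" and (pr == "*" or (isinstance(pr, dict) and pr.get("AWS") == "*")):
                    out.append((bucket, "public-policy"))
                    break
        elif name == "PutBucketVersioning" and p.get("VersioningConfiguration", {}).get("Status") == "Suspended":
            out.append((bucket, "versioning-suspended"))  # removes the ability to recover overwritten objects
        elif name == "PutBucketReplication":  # replication into another account can leak data
            for rule in as_list(p.get("ReplicationConfiguration", {}).get("Rule")):
                if rule.get("Destination", {}).get("Account") not in (None, ev.get("recipientAccountId")):
                    out.append((bucket, "cross-account-replication"))
    return out
```

Each finding maps to one of the story's themes; in a real deployment the IP baseline would come from a lookup of historical CloudTrail source addresses rather than a hard-coded set.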
Source: GitHub | Version: 3