Try in Splunk Security Cloud


Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2018-07-24
  • Author: Bhavin Patel, Splunk
  • ID: 66732346-8fb0-407b-9633-da16756567d6


As cloud computing has exploded, so has the number of creative attacks on virtual environments. And as the number-two cloud-service provider, Amazon Web Services (AWS) has certainly had its share.
Amazon’s “shared responsibility” model dictates that the company has responsibility for the environment outside of the VM and the customer is responsible for the security inside of the S3 container. As such, it’s important to stay vigilant for activities that may belie suspicious behavior inside of your environment.
Among things to look out for are S3 access from unfamiliar locations and by unfamiliar users. Some of the searches in this Analytic Story help you detect suspicious behavior and others help you investigate more deeply, when the situation warrants.


Name Technique Type
Detect New Open S3 Buckets over AWS CLI Data from Cloud Storage TTP
Detect New Open S3 buckets Data from Cloud Storage TTP
Detect S3 access from a new IP Data from Cloud Storage Anomaly
Detect Spike in S3 Bucket deletion Data from Cloud Storage Anomaly


source | version: 2