Description

Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2018-07-24
  • Author: Bhavin Patel, Splunk
  • ID: 2e8948a5-5239-406b-b56b-6c50w3168af3

Narrative

As cloud computing has exploded, so has the number of creative attacks on virtual environments. And as the number-two cloud-service provider, Amazon Web Services (AWS) has certainly had its share.
Amazon’s “shared responsibility” model dictates that the company has responsibility for the environment outside of the VM and the customer is responsible for the security inside of the S3 container. As such, it’s important to stay vigilant for activities that may indicate suspicious behavior inside your environment.
Among things to look out for are S3 access from unfamiliar locations and by unfamiliar users. Some of the searches in this Analytic Story help you detect suspicious behavior and others help you investigate more deeply, when the situation warrants.

Detections

Name                                       Technique                        Type
Detect New Open S3 Buckets over AWS CLI    Data from Cloud Storage Object   TTP
Detect New Open S3 buckets                 Data from Cloud Storage Object   TTP
Detect S3 access from a new IP             Data from Cloud Storage Object   Anomaly
Detect Spike in S3 Bucket deletion         Data from Cloud Storage Object   Anomaly
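
The following Python script is an added illustration of the detection logic behind the narrative above and the four detections in the table: an ACL change that opens a bucket to everyone, S3 access from an IP never seen for that bucket, and a spike in bucket deletions by one identity. It is not Splunk's search code and not part of this Analytic Story; it works on CloudTrail-style JSON events (eventName, sourceIPAddress, userIdentity.arn, requestParameters.bucketName). The sample events are constructed, and the assumption that a canned ACL set from the AWS CLI surfaces as the x-amz-acl request parameter is an assumption of this example, as is the deletion threshold.

```python
"""Toy detections over constructed CloudTrail S3 events (example code, not Splunk's):
public ACL grants, S3 access from an IP new to a bucket, and a bucket-deletion spike."""
import ipaddress
from collections import Counter, defaultdict

# Grantee URIs that make an ACL readable by everyone or by any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Canned ACLs that open a bucket; assumed (for this example) to appear in
# requestParameters as "x-amz-acl" when set via the AWS CLI, e.g. --acl public-read.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}
S3_ACCESS_EVENTS = {"GetObject", "PutObject", "ListObjects", "ListBucket", "HeadObject"}


def _grants(event):
    """Yield (grantee_uri, permission) from a PutBucketAcl event's AccessControlPolicy."""
    policy = event.get("requestParameters", {}).get("AccessControlPolicy", {})
    grants = policy.get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is logged as an object, not a list
        grants = [grants]
    for grant in grants:
        yield grant.get("Grantee", {}).get("URI"), grant.get("Permission")


def find_open_bucket_acls(events):
    """Return [(bucket, grantee_uri_or_canned_acl, permission)] for ACL changes that open a bucket."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "PutBucketAcl":
            continue
        params = ev.get("requestParameters", {})
        bucket = params.get("bucketName")
        for canned in params.get("x-amz-acl", []):
            if canned in PUBLIC_CANNED_ACLS:
                findings.append((bucket, canned, "canned"))
        for uri, perm in _grants(ev):
            if uri in PUBLIC_GRANTEE_URIS:
                findings.append((bucket, uri, perm))
    return findings


def _is_ip(value):
    """CloudTrail logs AWS-service callers as DNS names; only real IPs feed the baseline."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_ip_baseline(events):
    """bucket -> set of source IPs seen accessing it during the baseline window."""
    baseline = defaultdict(set)
    for ev in events:
        if ev.get("eventName") in S3_ACCESS_EVENTS and _is_ip(ev.get("sourceIPAddress", "")):
            baseline[ev["requestParameters"]["bucketName"]].add(ev["sourceIPAddress"])
    return baseline


def detect_new_ip_access(events, baseline):
    """Return [(bucket, ip, user_arn)] for S3 access from an IP absent from that bucket's baseline."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in S3_ACCESS_EVENTS:
            continue
        ip = ev.get("sourceIPAddress", "")
        bucket = ev["requestParameters"]["bucketName"]
        if _is_ip(ip) and ip not in baseline.get(bucket, set()):
            findings.append((bucket, ip, ev.get("userIdentity", {}).get("arn")))
    return findings


def detect_deletion_spike(events, threshold):
    """Return {user_arn: count} for identities that deleted more than `threshold` buckets."""
    counts = Counter(ev["userIdentity"]["arn"] for ev in events if ev.get("eventName") == "DeleteBucket")
    return {arn: n for arn, n in counts.items() if n > threshold}


def _ev(name, ip, user, bucket, **params):
    """Build a minimal constructed CloudTrail-style event (sample data, not real logs)."""
    return {"eventSource": "s3.amazonaws.com", "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
            "requestParameters": {"bucketName": bucket, **params}}


# Constructed baseline window: two known office IPs plus a service principal that is ignored.
BASELINE_EVENTS = [
    _ev("GetObject", "203.0.113.10", "alice", "corp-reports"),
    _ev("PutObject", "203.0.113.11", "alice", "corp-reports"),
    _ev("GetObject", "s3.amazonaws.com", "replication", "corp-reports"),
]
# Constructed recent window: one known IP, one new IP, two ACL changes that open buckets,
# one harmless ACL change, and six DeleteBucket calls by a single user.
RECENT_EVENTS = [
    _ev("GetObject", "203.0.113.10", "alice", "corp-reports"),
    _ev("GetObject", "198.51.100.7", "mallory", "corp-reports"),
    _ev("PutBucketAcl", "203.0.113.10", "bob", "corp-reports",
        AccessControlPolicy={"AccessControlList": {"Grant": {
            "Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}}}),
    _ev("PutBucketAcl", "203.0.113.10", "bob", "public-site", **{"x-amz-acl": ["public-read"]}),
    _ev("PutBucketAcl", "203.0.113.10", "bob", "private-data", **{"x-amz-acl": ["private"]}),
] + [_ev("DeleteBucket", "203.0.113.12", "carol", f"tmp-{i}") for i in range(6)]

if __name__ == "__main__":
    print("open ACLs:", find_open_bucket_acls(RECENT_EVENTS))
    print("new IPs:", detect_new_ip_access(RECENT_EVENTS, build_ip_baseline(BASELINE_EVENTS)))
    print("deletion spike:", detect_deletion_spike(RECENT_EVENTS, threshold=5))
```

The baseline is kept per bucket rather than globally, because an IP that legitimately reads one bucket is still unusual when it first touches another; in a production search the baseline window would be a trailing period (for example 30 days) and the threshold for deletions would be derived from each identity's own history rather than a fixed number.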

Reference

source | version: 2