Try in Splunk Security Cloud


Use the searches in this Analytic Story using Cloudtrail logs to to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP, permission and policy updates to the bucket, potential misuse of other services leading to data being leaked.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2023-04-24
  • Author: Bhavin Patel, Splunk
  • ID: 66732346-8fb0-407b-9633-da16756567d6


One of the most common ways that attackers attempt to steal data from S3 is by gaining unauthorized access to S3 buckets and copying or exfiltrating data to external locations. However, suspicious S3 activities can refer to any unusual behavior detected within an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, including unauthorized access, unusual data transfer patterns, and access attempts from unknown IP addresses. It is important for organizations to regularly monitor S3 activities for suspicious behavior and implement security best practices, such as using access controls, encryption, and strong authentication mechanisms, to protect sensitive data stored within S3 buckets. By staying vigilant and taking proactive measures, organizations can help prevent potential security breaches and minimize the impact of attacks if they do occur.


Name Technique Type
AWS Disable Bucket Versioning Inhibit System Recovery Anomaly
AWS Exfiltration via Bucket Replication Transfer Data to Cloud Account TTP
AWS Exfiltration via DataSync Task Automated Collection TTP
Detect New Open S3 Buckets over AWS CLI Data from Cloud Storage TTP
Detect New Open S3 buckets Data from Cloud Storage TTP
Detect S3 access from a new IP Data from Cloud Storage Anomaly
Detect Spike in S3 Bucket deletion Data from Cloud Storage Anomaly


source | version: 3