Suspicious AWS S3 Activities
Description
Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2018-07-24
- Author: Bhavin Patel, Splunk
- ID: 66732346-8fb0-407b-9633-da16756567d6
Narrative
As cloud computing has exploded, so has the number of creative attacks on virtual environments. And as the number-two cloud-service provider, Amazon Web Services (AWS) has certainly had its share.
Amazon’s “shared responsibility” model dictates that AWS is responsible for the environment outside of the VM and the customer is responsible for the security inside of the S3 container. As such, it’s important to stay vigilant for activities that may indicate suspicious behavior inside of your environment.
Among things to look out for are S3 access from unfamiliar locations and by unfamiliar users. Some of the searches in this Analytic Story help you detect suspicious behavior and others help you investigate more deeply, when the situation warrants.
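As an added illustration (not one of this Analytic Story's own searches, which are written in SPL), the two behaviors the description names, a bucket accessed from a new IP and a bucket made open to the public, expressed as Python over constructed CloudTrail-style S3 events; the field layout approximates CloudTrail data events and the records and IPs are constructed, not real logs.

```python
"""Toy versions of two S3 detections: access from an IP not in the
per-bucket baseline, and a PutBucketAcl that grants a public group."""

# Constructed sample events (not real CloudTrail output); the field names
# follow CloudTrail's S3 data-event layout as an assumption.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "corp-reports"}},
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "corp-reports"}},
    {"eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "corp-reports",
      "AccessControlPolicy": {"AccessControlList": {"Grant": [
          {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
           "Permission": "READ"}]}}}},
]

# Grantee URIs that make a bucket readable by anyone / any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def new_ip_access(events, baseline):
    """Return (bucket, ip) pairs where ip is not in the bucket's baseline.
    baseline maps bucket -> set of known source IPs and is updated in place,
    so each unfamiliar IP is reported once, on first sight."""
    alerts = []
    for ev in events:
        bucket = ev.get("requestParameters", {}).get("bucketName")
        ip = ev.get("sourceIPAddress")
        if not bucket or not ip:
            continue  # non-bucket or malformed record, nothing to baseline
        known = baseline.setdefault(bucket, set())
        if ip not in known:
            alerts.append((bucket, ip))
            known.add(ip)
    return alerts


def public_acl_grants(events):
    """Return buckets whose PutBucketAcl handed access to a public group."""
    hits = []
    for ev in events:
        if ev.get("eventName") != "PutBucketAcl":
            continue
        params = ev.get("requestParameters", {})
        grants = (params.get("AccessControlPolicy", {})
                  .get("AccessControlList", {}).get("Grant", []))
        if isinstance(grants, dict):  # a single grant may be serialized as a dict
            grants = [grants]
        if any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants):
            hits.append(params.get("bucketName"))
    return hits
```

In practice the baseline would be built from a trailing window of access logs per bucket, and the ACL check would be paired with a bucket-policy check since a public policy statement opens a bucket just as a public ACL grant does.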
Detections
Reference
- https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
- https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/
- Version: 2