AWS Suspect Public S3 Change

View all detections
AWS Suspect Public S3 Change


  • A credential was observed suspiciously invoking a set of S3 APIs that permits public access to a given bucket.

Possible Root Causes

  • An attacker may be scanning and maliciously modifying configurations around an S3 bucket to enable data exfiltration.
  • An IT misconfiguration may have been made by an authorized user which could weaken the posture around an S3 bucket and promote the risk of data loss. • An internal tool is scanning the buckets for security reasons.

Business Impact

  • Malicious or unintentional weakening of security posture controls around S3 buckets are commonly associated with data loss.

Steps to Verify

  • Investigate the account context that made the change for other signs of malicious activity.
  • Investigate for data loss.
  • Verify if the S3 bucket in question is authorized for public access.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.