AWS Suspect Public S3 Change

Detection overview

Triggers

  • A credential was observed suspiciously invoking a set of S3 APIs that permits public access to a given bucket.

Possible Root Causes

  • An attacker may be scanning and maliciously modifying configurations around an S3 bucket to enable data exfiltration.
  • An authorized user may have made a misconfiguration that weakens the security posture of an S3 bucket and increases the risk of data loss.
  • An internal tool is scanning the buckets for security reasons.

Business Impact

  • Malicious or unintentional weakening of security posture controls around S3 buckets is commonly associated with data loss.

Steps to Verify

  • Investigate the account context that made the change for other signs of malicious activity.
  • Investigate for data loss.
  • Verify if the S3 bucket in question is authorized for public access.
  • If review indicates possible malicious actions or a high-risk configuration, revert the configuration and disable the credentials associated with this alert, then perform a comprehensive investigation.
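As an added illustration of the trigger above and of the "is this bucket authorized for public access" verification step (example code written here, not Vectra's detection logic), the following flags CloudTrail events in which one identity calls the S3 APIs that permit public access to a bucket and groups the hits by caller; the event records, ARNs and bucket names are constructed and simplified.

```python
# Added example (not Vectra's code): flag CloudTrail events in which one identity
# calls the S3 APIs that permit public bucket access; sample records are constructed.
from collections import defaultdict

PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")

def opens_public_access(event):
    """True if this S3 API call (name plus parameters) permits public access."""
    name, params = event.get("eventName"), event.get("requestParameters") or {}
    if name == "DeleteBucketPublicAccessBlock":
        return True
    if name == "PutBucketPublicAccessBlock":  # any of the four guards turned off
        cfg = params.get("PublicAccessBlockConfiguration", {})
        return not all(cfg.get(k, False) for k in BLOCK_KEYS)
    if name == "PutBucketAcl":  # grant to AllUsers / AuthenticatedUsers
        acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
        return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
                   for g in acl.get("Grant", []))
    if name == "PutBucketPolicy":  # Allow statement with a wildcard principal
        for stmt in params.get("bucketPolicy", {}).get("Statement", []):
            p = stmt.get("Principal")
            if stmt.get("Effect") == "Allow" and (
                    p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")):
                return True
    return False

def find_suspect_identities(events, authorized_public=frozenset()):
    """Caller ARN -> sorted (eventName, bucket) hits, skipping authorized-public buckets."""
    hits = defaultdict(set)
    for e in events:
        bucket = (e.get("requestParameters") or {}).get("bucketName", "?")
        if bucket not in authorized_public and opens_public_access(e):
            arn = e.get("userIdentity", {}).get("arn", "unknown")
            hits[arn].add((e["eventName"], bucket))
    return {arn: sorted(calls) for arn, calls in hits.items()}

SAMPLE_EVENTS = [  # constructed, simplified CloudTrail-style records
    {"eventName": "DeleteBucketPublicAccessBlock", "requestParameters": {"bucketName": "finance-reports"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
    {"eventName": "PutBucketPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "finance-reports", "bucketPolicy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::finance-reports/*"}]}}},
    {"eventName": "PutBucketPublicAccessBlock", "requestParameters": {"bucketName": "logs",
     "PublicAccessBlockConfiguration": dict.fromkeys(BLOCK_KEYS, True)},  # all guards on
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/sec-hardening"}},
]
```

Passing the set of buckets already approved for public exposure as `authorized_public` suppresses expected changes, so only the remaining callers need the account-context and data-loss review described in the steps above.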