Anomalous number of S3 buckets accessed

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an AWS assumed role accesses S3 buckets that they do not usually access.

Strategy

Monitor cloudtrail logs to identify when a @userIdentity.assumed_role makes an anomalous amount of GetObject calls to a unique number of S3 buckets (@requestParameters.bucketName).

Triage and response

Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.

  • Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}

Changelog

  • 30 March 2022 - Updated query and signal message.
  • 17 October 2022 - Updated tags.
  • 11 January 2023 - Updated severity.