Anomalous number of S3 buckets accessed

Docs > Plateforme de sécurité Datadog > OOTB Rules > Anomalous number of S3 buckets accessed

Classification:

attack

Tactic:

Technique:

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an AWS assumed role accesses S3 buckets that they do not usually access.

Strategy

Monitor cloudtrail logs to identify when a @userIdentity.assumed_role makes an anomalous amount of GetObject calls to a unique number of S3 buckets (@requestParameters.bucketName).

Triage and response

Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.

Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}

Changelog

30 March 2022 - Updated query and signal message.
17 October 2022 - Updated tags.
11 January 2023 - Updated severity.