Anomalous S3 bucket activity from user ARN


Goal

Detect when an AWS user performs S3 bucket write activities they do not usually perform.

Strategy

Monitor CloudTrail logs for S3 data plane events (@eventCategory:Data) to detect when an AWS user (@userIdentity.arn) performs anomalous S3 write API calls (@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)), that is, write calls that user does not usually make.
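The detection idea above, as an added illustrative example (not Datadog's rule implementation): build a per-ARN baseline of the S3 write API names a user has made, then flag data plane write calls outside that baseline. The CloudTrail-shaped events, the account id and the bucket names are constructed placeholders.

```python
import fnmatch
from collections import defaultdict

# S3 write API-name patterns taken from the rule's @evt.name filter.
WRITE_PATTERNS = ("Abort*", "Create*", "Delete*", "Initiate*",
                  "Put*", "Replicate*", "Update*")

def is_s3_write(event):
    """True for S3 data plane (@eventCategory:Data) events with a write API name."""
    if event.get("eventCategory") != "Data" or event.get("eventSource") != "s3.amazonaws.com":
        return False
    return any(fnmatch.fnmatchcase(event.get("eventName", ""), p) for p in WRITE_PATTERNS)

def build_baseline(events):
    """Map each user ARN to the set of S3 write API names it used during the baseline window."""
    baseline = defaultdict(set)
    for e in events:
        if is_s3_write(e):
            baseline[e["userIdentity"]["arn"]].add(e["eventName"])
    return baseline

def find_anomalies(baseline, events):
    """Return (arn, eventName, bucket) for write calls the user did not make in the baseline."""
    hits = []
    for e in events:
        if not is_s3_write(e):
            continue
        arn = e["userIdentity"]["arn"]
        if e["eventName"] not in baseline.get(arn, set()):
            hits.append((arn, e["eventName"], e.get("requestParameters", {}).get("bucketName")))
    return hits

# Constructed sample events shaped like CloudTrail records (not real logs).
def ev(arn, name, bucket, category="Data", source="s3.amazonaws.com"):
    return {"eventCategory": category, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": {"bucketName": bucket}}

ALICE = "arn:aws:iam::123456789012:user/alice"   # placeholder account id and user
BASELINE_EVENTS = [ev(ALICE, "GetObject", "app-logs"), ev(ALICE, "PutObject", "app-logs")]
NEW_EVENTS = [ev(ALICE, "PutObject", "app-logs"),                               # known write
              ev(ALICE, "DeleteObject", "app-logs"),                            # new write, flagged
              ev(ALICE, "CreateBucket", "new-bucket", category="Management")]   # control plane, skipped

if __name__ == "__main__":
    for hit in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print("anomalous S3 write:", hit)
```

A real baseline should span enough history (days, not minutes) so that routine but infrequent writes do not trigger, and should key on the ARN rather than the session name so assumed-role sessions are not treated as new users.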

Triage and response

  1. Determine whether the user {{@userIdentity.arn}} should be performing the {{@evt.name}} API calls.
    • Use the Cloud SIEM - User Investigation dashboard to assess the user's activity.
  2. If not, investigate the user {{@userIdentity.arn}} for indicators of account compromise and rotate credentials as necessary.

Changelog

27 October 2022 - Updated tags.