Anomalous number of S3 buckets accessed
Goal
Detect when an AWS assumed role reads objects from S3 buckets that it does not usually access.
Strategy
Monitor CloudTrail logs to identify when a single assumed role (@userIdentity.assumed_role) makes an anomalous number of GetObject calls spread across an unusually high number of distinct S3 buckets (@requestParameters.bucketName), compared with that role's normal access pattern.
Triage and response
Determine whether the principal using the assumed role {{@userIdentity.assumed_role}} has a legitimate reason to read from this many distinct buckets, for example a newly deployed pipeline, backup or inventory job, or whether the role session is being used to enumerate and exfiltrate data.
- Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}
Changelog
- 30 March 2022 - Updated query and signal message.
- 17 October 2022 - Updated tags.
- 11 January 2023 - Updated severity.