Anomalous number of S3 buckets accessed

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect when an AWS assumed role accesses S3 buckets that they do not usually access.

Strategy

Monitor cloudtrail logs to identify when a @userIdentity.assumed_role makes an anomalous amount of GetObject calls to a unique number of S3 buckets (@requestParameters.bucketName).

Triage and response

Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.

  • Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}

Changelog

  • 30 March 2022 - Updated query and signal message.
  • 17 October 2022 - Updated tags.
  • 11 January 2023 - Updated severity.