Anomalous number of S3 buckets accessed
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when an AWS assumed role accesses S3 buckets that they do not usually access.
Strategy
Monitor cloudtrail logs to identify when a @userIdentity.assumed_role makes an anomalous amount of GetObject calls to a unique number of S3 buckets (@requestParameters.bucketName).
Triage and response
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.
- Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}
Changelog
- 30 March 2022 - Updated query and signal message.
- 17 October 2022 - Updated tags.
- 11 January 2023 - Updated severity.
