< Back to rules search
AWS S3 Bucket policy modified
Set up the cloudtrail integration.
Detect when a S3 Bucket policy is modified.
Monitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:
Triage & Response
- Determine who the user was who made this API call.
- Contact the user and see if this was an API call which was made by the user.
- If the API call was not made by the user:
- Rotate the user credentials and investigate what other API calls.
- Determine what other API calls the user made which were not made by the user.