AWS S3 Buckets enumerated
Incident Management が一般に使用できるようになりました。 Incident Management が広範に使用できるようになりました。
<  Back to rules search

AWS S3 Buckets enumerated

cloudtrail

Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1083-file-and-directory-discovery

Set up the cloudtrail integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Overview

Goal

Detect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.

Strategy

This rule lets you monitor CloudTrail to detect a ListBuckets API call with the session name prefixed with i-. A session name prefixed with i- typically indicates that it is an EC2 instance using an Instance Profile to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account. Determine if the EC2 instance should be making this API call.

  • If not, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.
    • If the application or legitimate user on the EC2 instance is making the ListBuckets API call, consider whether this API call is really needed.

このページ