Set up the cloudtrail integration.
Detect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.
This rule lets you monitor CloudTrail to detect a ListBuckets API call with the session name prefixed with i-
. A session name prefixed with i-
typically indicates that it is an EC2 instance using an Instance Profile to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.
Determine if the EC2 instance should be making this API call.
ListBuckets
API call, consider whether this API call is really needed.このページ