An EC2 instance attempted to enumerate S3 bucket

cloudtrail

Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1083-file-and-directory-discovery

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.

Strategy

This rule lets you monitor CloudTrail to detect a ListBuckets API call with the session name prefixed with i-. A session name prefixed with i- typically indicates that it is an EC2 instance using an Instance Profile to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.

Triage and response

Determine if the EC2 instance should be making this API call.

  • If not a legitimate user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.
  • If a legitimate user/application on the EC2 instance is making the ListBuckets API call, consider whether this API call is really needed.

Changelog

18 March 2022 - Updated rule severity and rule name.