Anomalous number of S3 buckets accessed

cloudtrail

Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1619-cloud-storage-object-discovery

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an AWS assumed role accesses S3 buckets that they do not usually access.

Strategy

Monitor cloudtrail logs to identify when a @userIdentity.assumed_role makes an anomalous amount of GetObject calls to a unique number of S3 buckets (@requestParameters.bucketName).

Triage and response

Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.

  • Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}

Changelog

  • 30 March 2022 - Updated query and signal message.
  • 17 October 2022 - Updated tags.
  • 11 January 2023 - Updated severity.