---
title: An EC2 instance attempted to enumerate S3 bucket
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > An EC2 instance attempted to enumerate
  S3 bucket
---

# An EC2 instance attempted to enumerate S3 bucket
Classification: attack | Tactic: [TA0007-discovery](https://attack.mitre.org/tactics/TA0007) | Technique: [T1526-cloud-service-discovery](https://attack.mitre.org/techniques/T1526)
## Goal{% #goal %}

Detect when an EC2 instance makes an AWS API call to list all of the S3 buckets.

## Strategy{% #strategy %}

This rule lets you monitor CloudTrail to detect a [ListBuckets](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html) API call whose role session name is prefixed with `i-`. A session name prefixed with `i-` typically indicates an EC2 instance using an [Instance Profile](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile) to communicate with other AWS services. Enumerating the full list of S3 buckets in your AWS account is a common attacker technique.
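The same check applied to CloudTrail records, as an added Python example rather than Datadog's own rule code: it reads the role session name from the assumed-role ARN in `userIdentity` and flags `ListBuckets` calls whose session name starts with `i-`. The sample records, account id and instance ids are constructed.

```python
# Constructed sample CloudTrail records (not real data); only the fields the
# check needs are kept. Account and instance ids are placeholders.
SAMPLE_EVENTS = [
    {   # instance-profile session listing buckets: should match
        "eventID": "evt-1", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "10.0.1.23",
        "userIdentity": {"type": "AssumedRole", "arn":
            "arn:aws:sts::123456789012:assumed-role/WebRole/i-0123456789abcdef0"},
    },
    {   # same API call from a human's named role session: no match
        "eventID": "evt-2", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "AssumedRole", "arn":
            "arn:aws:sts::123456789012:assumed-role/AdminRole/alice"},
    },
    {   # instance-profile session, but a different S3 call: no match
        "eventID": "evt-3", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "10.0.1.23",
        "userIdentity": {"type": "AssumedRole", "arn":
            "arn:aws:sts::123456789012:assumed-role/WebRole/i-0123456789abcdef0"},
    },
]


def session_name(record):
    """Role session name from an assumed-role ARN
    (arn:aws:sts::<acct>:assumed-role/<Role>/<Session>), else ''.
    The EC2 instance profile sets <Session> to the instance id (i-...)."""
    ident = record.get("userIdentity", {})
    arn = ident.get("arn", "")
    if ident.get("type") == "AssumedRole" and ":assumed-role/" in arn:
        return arn.rsplit("/", 1)[-1]
    return ""


def is_ec2_list_buckets(record):
    """True for a ListBuckets call made under a session named i-*."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") == "ListBuckets"
            and session_name(record).startswith("i-"))


def find_matches(records):
    """Return triage-ready summaries (event, instance, source IP) of matches."""
    return [{"eventID": r["eventID"], "instance": session_name(r),
             "sourceIP": r.get("sourceIPAddress")}
            for r in records if is_ec2_list_buckets(r)]
```

Running `find_matches(SAMPLE_EVENTS)` returns only `evt-1`, with the instance id and source IP needed for the triage steps below.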

## Triage and response{% #triage-and-response %}

Determine if the EC2 instance should be making this API call.

- If it is **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed, and open an investigation into how this instance was compromised.
- If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed.

## Changelog{% #changelog %}

18 March 2022 - Updated rule severity and rule name.
