Anomalous number of S3 buckets accessed

Goal

Detect when an AWS assumed role accesses S3 buckets that they do not usually access.

Strategy

Monitor cloudtrail logs to identify when a @userIdentity.assumed_role makes an anomalous amount of GetObject calls to a unique number of S3 buckets (@requestParameters.bucketName).

Triage and response

Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.

  • Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}

Changelog

  • 30 March 2022 - Updated query and signal message.
  • 17 October 2022 - Updated tags.
  • 11 January 2023 - Updated severity.