Anomalous S3 bucket activity from user ARN


Detect when an AWS user performs S3 bucket write activities they do not usually perform.


Monitor CloudTrail logs for S3 data-plane events (@eventCategory:Data) to detect when an AWS user (@userIdentity.arn) performs anomalous S3 write API calls (* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*), i.e. write-type event names this user has not been seen performing before. Note that CloudTrail does not record S3 object-level (data) events by default; the trail must be configured to log S3 data events or this rule has nothing to evaluate.
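The detection logic described above, as an added example that is not part of the original rule page or of Datadog's own implementation: it filters raw CloudTrail records down to S3 data-plane write events using the event-name prefixes listed in the rule, builds a per-user-ARN baseline of write API names from one window, and flags writes in a later window that fall outside that user's baseline. The first prefix in the rule's list is truncated on the page, so only the readable prefixes are used; the CloudTrail records are constructed, minimal samples, not real log data.

```python
from collections import defaultdict

# Event-name prefixes the rule treats as S3 writes (readable entries only;
# the first entry in the rule's list is truncated on the page, so it is omitted).
WRITE_PREFIXES = ("Create", "Delete", "Initiate", "Put", "Replicate", "Update")


def is_s3_write_event(record):
    """True for S3 data-plane records whose eventName starts with a write prefix.

    Management events such as CreateBucket carry eventCategory "Management"
    and are excluded, matching the rule's @eventCategory:Data scope.
    """
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    if record.get("eventCategory") != "Data":
        return False
    return record.get("eventName", "").startswith(WRITE_PREFIXES)


def build_baseline(records):
    """Map userIdentity.arn -> set of write API names seen in the baseline window."""
    baseline = defaultdict(set)
    for r in records:
        if is_s3_write_event(r):
            baseline[r["userIdentity"]["arn"]].add(r["eventName"])
    return baseline


def find_anomalies(baseline, records):
    """Return (arn, eventName, bucketName) for each write not in the user's baseline.

    A user with no baseline at all (never seen writing) has every write flagged,
    which is the intended "new value" behaviour for a freshly active principal.
    """
    hits = []
    for r in records:
        if not is_s3_write_event(r):
            continue
        arn = r["userIdentity"]["arn"]
        name = r["eventName"]
        if name not in baseline.get(arn, set()):
            bucket = r.get("requestParameters", {}).get("bucketName")
            hits.append((arn, name, bucket))
    return hits


def _rec(arn, event_name, category="Data", bucket="example-bucket"):
    """Build a constructed, minimal CloudTrail-shaped record (sample data only)."""
    return {
        "eventSource": "s3.amazonaws.com",
        "eventCategory": category,
        "eventName": event_name,
        "userIdentity": {"arn": arn},
        "requestParameters": {"bucketName": bucket},
    }


ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
CAROL = "arn:aws:iam::123456789012:user/carol"

# Constructed baseline window: alice and bob normally only PutObject.
BASELINE_RECORDS = [
    _rec(ALICE, "PutObject"),
    _rec(ALICE, "GetObject"),
    _rec(BOB, "PutObject"),
]

# Constructed detection window: one new write for alice, a management event for
# bob (out of scope), a read for bob, and a write by a never-seen user.
NEW_RECORDS = [
    _rec(ALICE, "PutObject"),
    _rec(ALICE, "DeleteObject"),
    _rec(BOB, "CreateBucket", category="Management"),
    _rec(BOB, "GetObject"),
    _rec(CAROL, "PutObject"),
]


def run_example():
    """Apply the detection to the constructed windows and return the flagged writes."""
    return find_anomalies(build_baseline(BASELINE_RECORDS), NEW_RECORDS)


if __name__ == "__main__":
    for arn, name, bucket in run_example():
        print(f"anomalous S3 write: {arn} {name} on {bucket}")
```

In production the baseline window would be the rule's learning period rather than a single batch, and the bucket name is carried along only because the triage step needs to know which bucket was written to.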

Triage and response

  1. Determine whether the user {{@userIdentity.arn}} should be performing the {{}} API calls.
    • Use the Cloud SIEM - User Investigation dashboard to assess the user's activity.
  2. If not, investigate the user {{@userIdentity.arn}} for indicators of account compromise and rotate the credentials as necessary.


27 October 2022 - Updated tags.