AWS S3 Bucket Policy Modified
Security Monitoring is now available Security Monitoring is now available
<  Back to rules search

AWS S3 Bucket Policy Modified

cloudtrail

Classification:

compliance

Framework:

cis

Control:

cis-3.8

Set up the cloudtrail integration.

Overview

Goal

Detect when a S3 Bucket policy is modified.

Strategy

Monitor CloudTrail and detect when S3 policies are being modified via one of the following API calls: * PutBucketAcl * PutBucketPolicy * PutBucketCors * PutBucketLifecycle * PutBucketReplication * DeleteBucketPolicy * DeleteBucketCors * DeleteBucketLifecycle * DeleteBucketReplication

Triage & Response

  1. Determine who the user was who made this API call.
  2. Contact the user and see if this was an API call which was made by the user.
  3. If the API call was not made by the user:
    • Rotate the user credentials and investigate what other API calls.
    • Determine what other API calls the user made which were not made by the user.