AWS S3 Unauthenticated Bucket Access by Rare Source

  1[metadata]
  2creation_date = "2024/12/17"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/09/08"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies AWS CloudTrail events where an unauthenticated source is attempting to access an S3 bucket. This activity may
 11indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing sensitive data
 12to unauthorized users. Adversaries can specify --no-sign-request in the AWS CLI to retrieve objects from an S3 bucket
 13without authentication. This is a New Terms rule, which means it will trigger for each unique combination of the source.address and targeted bucket name that has not been seen making this API request.
 14"""
 15from = "now-6m"
 16index = ["filebeat-*", "logs-aws.cloudtrail*"]
 17language = "kuery"
 18license = "Elastic License v2"
 19name = "AWS S3 Unauthenticated Bucket Access by Rare Source"
 20note = """## Triage and analysis
 21
 22> **Disclaimer**:
 23> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 24
 25### Investigating AWS S3 Unauthenticated Bucket Access by Rare Source
 26
 27This rule detects requests to an AWS S3 bucket by an unauthenticated source, which could indicate a misconfigured bucket policy allowing public access. Adversaries can exploit this misconfiguration by using tools or AWS CLI options like `--no-sign-request` to access bucket contents.
 28
 29The rule triggers when an unauthenticated IP address retrieves an object, and that IP has not been seen in the last 7 days.
 30
 31### Possible Investigation Steps
 32
 331. **Identify the Source of the Request**:
 34    - Review the `source.address` field to determine the IP address of the request source.
 35    - Check `source.geo` fields for geographic details of the originating IP address.
 36    - Analyze the `user_agent.original` field to identify the client or tool used (e.g., `Python Requests`, `aws-cli`, browser).
 37
 382. **Review the Accessed Bucket and Object**:
 39    - Analyze the `aws.cloudtrail.resources.arn` field to identify the S3 bucket and object being accessed.
 40    - Inspect `aws.cloudtrail.request_parameters` for bucket name and object key to determine which file was retrieved.
 41    - Review the `even.action` field to identify which API call was made (e.g., `GetObject`, `ListObjects`, `PutObject`, `ListBucket`).
 42
 433. **Validate the Source IP and Context**:
 44    - Determine if the IP address (`source.address`) has any prior activity in your environment.
 45    - Correlate the IP with threat intelligence or blocklist databases to check for malicious indicators.
 46    - Review CloudTrail logs for other activities originating from the same IP.
 47
 484. **Analyze the S3 Bucket Configuration**:
 49    - Review the S3 bucket's Access Control List (ACL) and bucket policy to check for misconfigurations allowing public or unauthenticated access.
 50    - Look for overly permissive settings, such as `Principal: *` or `Effect: Allow` rules that expose the bucket.
 51
 525. **Investigate Additional Activity**:
 53    - Check if there are subsequent actions, such as:
 54        - **Additional `GetObject` API calls**: Indicating further data exfiltration.
 55        - **ListObjects requests**: Attempting to enumerate the bucket's contents.
 56    - Correlate events within the same timeframe to identify related suspicious activity.
 57
 586. **Assess the Data Exposed**:
 59    - Identify the retrieved object(s) and analyze their content to assess potential data exposure.
 60    - Determine if the file contains sensitive information, such as credentials, intellectual property, or PII.
 61
 62### False Positive Analysis
 63
 64- **Public Buckets by Design**: Some S3 buckets may intentionally allow public access. Verify with the bucket owner if the access was expected.
 65- **Automated Tools**: Security scanners or legitimate services may generate `GetObject` events to validate bucket configurations.
 66
 67### Response and Remediation
 68
 691. **Immediate Action**:
 70    - Restrict or remove public access to the affected S3 bucket.
 71    - Update the bucket policy to ensure access is restricted to trusted principals.
 72    - Enable **S3 Block Public Access** settings to prevent unintended public access.
 73
 742. **Monitoring and Detection**:
 75    - Enable detailed logging and monitoring for all S3 bucket activities.
 76    - Configure real-time alerts for unauthenticated `GetObject` or `ListObjects` events on sensitive S3 buckets.
 77
 783. **Security Audits**:
 79    - Regularly audit S3 bucket policies and ACLs to ensure they adhere to AWS security best practices.
 80    - Use AWS tools like **Trusted Advisor** or **Access Analyzer** to identify and address misconfigurations.
 81
 824. **Investigate for Data Exfiltration**:
 83    - Analyze historical CloudTrail logs to determine if other sensitive files were accessed or exfiltrated.
 84    - Assess the scope of the exposure and initiate further response if sensitive data was compromised.
 85
 86### Additional Resources
 87
 88- [AWS Documentation: S3 Bucket Policy Best Practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html)
 89- [AWS S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)
 90"""
 91references = [
 92    "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
 93]
 94risk_score = 47
 95rule_id = "59bf26c2-bcbe-11ef-a215-f661ea17fbce"
 96setup = "S3 data events must be enabled in CloudTrail to capture the GetObject, PutObject, ListObjects, and DeleteObject actions. Ensure that the AWS CloudTrail service is configured to log data events for the S3 bucket you'd like to monitor."
 97severity = "medium"
 98tags = [
 99    "Domain: Cloud",
100    "Data Source: AWS",
101    "Data Source: Amazon Web Services",
102    "Data Source: Amazon S3",
103    "Use Case: Asset Visibility",
104    "Resources: Investigation Guide",
105    "Tactic: Collection",
106]
107timestamp_override = "event.ingested"
108type = "new_terms"
109
110query = '''
111event.dataset: "aws.cloudtrail"
112    and event.provider: "s3.amazonaws.com"
113    and event.action: (
114        "GetObject" or
115        "PutObject" or
116        "ListObjects" or
117        "DeleteObject" or
118        "ListBucket")
119    and event.outcome: "success"
120    and aws.cloudtrail.user_identity.type: ("AWSAccount" or "Unknown")
121    and cloud.account.id: "anonymous"
122'''
123
124
125[[rule.threat]]
126framework = "MITRE ATT&CK"
127[[rule.threat.technique]]
128id = "T1530"
129name = "Data from Cloud Storage"
130reference = "https://attack.mitre.org/techniques/T1530/"
131
132
133[rule.threat.tactic]
134id = "TA0009"
135name = "Collection"
136reference = "https://attack.mitre.org/tactics/TA0009/"
137[[rule.threat]]
138framework = "MITRE ATT&CK"
139[[rule.threat.technique]]
140id = "T1619"
141name = "Cloud Storage Object Discovery"
142reference = "https://attack.mitre.org/techniques/T1619/"
143
144
145[rule.threat.tactic]
146id = "TA0007"
147name = "Discovery"
148reference = "https://attack.mitre.org/tactics/TA0007/"
149[[rule.threat]]
150framework = "MITRE ATT&CK"
151[[rule.threat.technique]]
152id = "T1485"
153name = "Data Destruction"
154reference = "https://attack.mitre.org/techniques/T1485/"
155
156
157[rule.threat.tactic]
158id = "TA0040"
159name = "Impact"
160reference = "https://attack.mitre.org/tactics/TA0040/"
161
162
163[rule.investigation_fields]
164field_names = [
165    "@timestamp",
166    "user_agent.original",
167    "source.ip",
168    "tls.client.server_name",
169    "aws.cloudtrail.resources.arn",    
170    "aws.cloudtrail.resources.type", 
171    "aws.cloudtrail.resources.account_id", 
172    "event.action",
173    "event.outcome",
174    "cloud.account.id",
175    "cloud.region",
176    "aws.cloudtrail.request_parameters",
177]
178
179[rule.new_terms]
180field = "new_terms_fields"
181value = ["source.address", "tls.client.server_name"]
182[[rule.new_terms.history_window_start]]
183field = "history_window_start"
184value = "now-7d"