AWS S3 Unauthenticated Bucket Access by Rare Source
Identifies AWS CloudTrail events where an unauthenticated source is attempting to access an S3 bucket. This activity may indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing sensitive data to unauthorized users. Adversaries can specify --no-sign-request in the AWS CLI to retrieve objects from an S3 bucket without authentication. This is a New Terms rule, which means it will only trigger once for each unique value of the source.address field that has not been seen making this API request within the last 7 days. This field contains the IP address of the source making the request.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/12/17"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
description = """
Identifies AWS CloudTrail events where an unauthenticated source is attempting to access an S3 bucket. This activity may
indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing sensitive data
to unauthorized users. Adversaries can specify `--no-sign-request` in the AWS CLI to retrieve objects from an S3 bucket
without authentication. This is a [New
Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it
will only trigger once for each unique value of the `source.address` field that has not been seen making this API
request within the last 7 days. This field contains the IP address of the source making the request.
"""
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Unauthenticated Bucket Access by Rare Source"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS S3 Unauthenticated Bucket Access by Rare Source

Amazon S3 is a scalable storage service used for data storage and retrieval. Misconfigured bucket policies can inadvertently allow public access, posing a risk of unauthorized data exposure. Adversaries exploit this by using unauthenticated requests to access data. The detection rule identifies unusual access attempts from new IP addresses, signaling potential misuse and prompting further investigation.

### Possible investigation steps

- Review the CloudTrail logs to identify the specific S3 bucket involved in the unauthenticated access attempt and determine the nature of the accessed data.
- Examine the source IP address from the `source.address` field to assess its origin and determine if it is associated with known malicious activity or if it is a legitimate but misconfigured source.
- Check the S3 bucket policy and permissions to identify any misconfigurations that might allow public access, focusing on policies that include "Principal": "*".
- Investigate the `aws.cloudtrail.user_identity.type` field to confirm if the access was made by an "AWSAccount" or "Unknown" identity, and determine if this aligns with expected behavior.
- Assess the `event.action` field to understand the type of operation performed (e.g., "GetObject", "PutObject") and evaluate the potential impact of the access.
- Review recent changes to the S3 bucket configuration or IAM policies that might have inadvertently allowed public access, and correlate these with the timing of the alert.
- If unauthorized access is confirmed, take immediate steps to secure the bucket by updating the bucket policy to restrict access and consider enabling logging and monitoring for future access attempts.

### False positive analysis

- Frequent access from known internal IP addresses may trigger the rule. To manage this, create exceptions for IP addresses that are part of your organization's network and regularly access S3 buckets without authentication.
- Automated scripts or tools used for legitimate business processes might use unauthenticated requests. Identify these scripts and exclude their IP addresses from triggering the rule by adding them to an allowlist.
- Third-party services that require access to your S3 buckets might appear as unauthenticated sources. Verify these services and, if deemed safe, exclude their IP addresses from the rule to prevent false positives.
- Temporary testing environments or development setups might use unauthenticated access for convenience. Ensure these environments are documented and their IP addresses are excluded from the rule to avoid unnecessary alerts.

### Response and remediation

- Immediately revoke public access to the affected S3 bucket by updating the bucket policy to restrict access to only authorized users and roles.
- Identify and terminate any unauthorized sessions or connections from the IP addresses flagged in the alert to prevent further unauthorized access.
- Conduct a thorough review of the S3 bucket's access logs to determine the extent of data exposure and identify any sensitive data that may have been accessed.
- Notify the security team and relevant stakeholders about the potential data exposure incident and provide them with details of the affected resources and actions taken.
- Implement additional monitoring and alerting for unusual access patterns to S3 buckets, focusing on unauthenticated access attempts and access from rare IP addresses.
- Escalate the incident to the organization's incident response team for further investigation and to determine if additional containment or remediation actions are necessary.
- Review and update the organization's cloud security policies and access controls to prevent similar misconfigurations in the future, ensuring that all S3 buckets have appropriate access restrictions.

## Investigating AWS S3 Unauthenticated Bucket Access by Rare Source

This rule detects requests to an AWS S3 bucket by an unauthenticated source, which could indicate a misconfigured bucket policy allowing public access. Adversaries can exploit this misconfiguration by using tools or AWS CLI options like `--no-sign-request` to access bucket contents.

The rule triggers when an unauthenticated IP address retrieves an object, and that IP has not been seen in the last 7 days.

### Possible Investigation Steps

1. **Identify the Source of the Request**:
   - Review the `source.address` field to determine the IP address of the request source.
   - Check `source.geo` fields for geographic details of the originating IP address.
   - Analyze the `user_agent.original` field to identify the client or tool used (e.g., `Python Requests`, `aws-cli`, browser).

2. **Review the Accessed Bucket and Object**:
   - Analyze the `aws.cloudtrail.resources.arn` field to identify the S3 bucket and object being accessed.
   - Inspect `aws.cloudtrail.request_parameters` for bucket name and object key to determine which file was retrieved.
   - Review the `event.action` field to identify which API call was made (e.g., `GetObject`, `ListObjects`, `PutObject`, `ListBucket`).

3. **Validate the Source IP and Context**:
   - Determine if the IP address (`source.address`) has any prior activity in your environment.
   - Correlate the IP with threat intelligence or blocklist databases to check for malicious indicators.
   - Review CloudTrail logs for other activities originating from the same IP.

4. **Analyze the S3 Bucket Configuration**:
   - Review the S3 bucket's Access Control List (ACL) and bucket policy to check for misconfigurations allowing public or unauthenticated access.
   - Look for overly permissive settings, such as `Principal: *` or `Effect: Allow` rules that expose the bucket.

5. **Investigate Additional Activity**:
   - Check if there are subsequent actions, such as:
     - **Additional `GetObject` API calls**: Indicating further data exfiltration.
     - **ListObjects requests**: Attempting to enumerate the bucket's contents.
   - Correlate events within the same timeframe to identify related suspicious activity.

6. **Assess the Data Exposed**:
   - Identify the retrieved object(s) and analyze their content to assess potential data exposure.
   - Determine if the file contains sensitive information, such as credentials, intellectual property, or PII.

### False Positive Analysis

- **Public Buckets by Design**: Some S3 buckets may intentionally allow public access. Verify with the bucket owner if the access was expected.
- **Automated Tools**: Security scanners or legitimate services may generate `GetObject` events to validate bucket configurations.

### Response and Remediation

1. **Immediate Action**:
   - Restrict or remove public access to the affected S3 bucket.
   - Update the bucket policy to ensure access is restricted to trusted principals.
   - Enable **S3 Block Public Access** settings to prevent unintended public access.

2. **Monitoring and Detection**:
   - Enable detailed logging and monitoring for all S3 bucket activities.
   - Configure real-time alerts for unauthenticated `GetObject` or `ListObjects` events on sensitive S3 buckets.

3. **Security Audits**:
   - Regularly audit S3 bucket policies and ACLs to ensure they adhere to AWS security best practices.
   - Use AWS tools like **Trusted Advisor** or **Access Analyzer** to identify and address misconfigurations.

4. **Investigate for Data Exfiltration**:
   - Analyze historical CloudTrail logs to determine if other sensitive files were accessed or exfiltrated.
   - Assess the scope of the exposure and initiate further response if sensitive data was compromised.

### Additional Resources

- [AWS Documentation: S3 Bucket Policy Best Practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html)
- [AWS S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)
"""
references = [
    "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
]
risk_score = 47
rule_id = "59bf26c2-bcbe-11ef-a215-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon S3",
    "Use Case: Asset Visibility",
    "Resources: Investigation Guide",
    "Tactic: Collection",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "s3.amazonaws.com"
    and event.action: (
        "GetObject" or
        "PutObject" or
        "ListObjects" or
        "DeleteObject" or
        "ListBucket")
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: ("AWSAccount" or "Unknown")
    and cloud.account.id: "anonymous"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1619"
name = "Cloud Storage Object Discovery"
reference = "https://attack.mitre.org/techniques/T1619/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "cloud.account.id",
    "aws.cloudtrail.user_identity.type",
    "source.address",
    "user_agent.original",
    "aws.cloudtrail.resources.arn",
    "event.action",
    "event.outcome",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["source.address"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
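As an added example (not part of the Elastic rule or its repository), the following Python re-implements the rule's KQL filter and its 7-day New Terms window over CloudTrail events in ECS field layout, so the trigger conditions can be exercised offline. The event dictionaries, IP addresses and account ID are constructed sample values, and the New Terms logic is a simplified model of how the rule type behaves, not Elastic's implementation.

```python
# Added example: the rule's KQL filter and New Terms window in plain Python.
from datetime import datetime, timedelta, timezone

# Mirrors the rule's query and [rule.new_terms] settings.
WATCHED_ACTIONS = {"GetObject", "PutObject", "ListObjects", "DeleteObject", "ListBucket"}
UNAUTH_IDENTITY_TYPES = {"AWSAccount", "Unknown"}
HISTORY_WINDOW = timedelta(days=7)  # history_window_start = "now-7d"

def matches_query(event: dict) -> bool:
    """Equivalent of the rule's KQL query over one flattened ECS event."""
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "s3.amazonaws.com"
        and event.get("event.action") in WATCHED_ACTIONS
        and event.get("event.outcome") == "success"
        and event.get("aws.cloudtrail.user_identity.type") in UNAUTH_IDENTITY_TYPES
        and event.get("cloud.account.id") == "anonymous"
    )

def new_terms_alerts(events: list[dict]) -> list[dict]:
    """Matching events whose source.address was not seen in a matching event during
    the preceding HISTORY_WINDOW (simplified New Terms; events sorted by @timestamp)."""
    last_seen: dict[str, datetime] = {}
    alerts = []
    for ev in events:
        if not matches_query(ev):
            continue
        ip, ts = ev["source.address"], ev["@timestamp"]
        prev = last_seen.get(ip)
        if prev is None or ts - prev > HISTORY_WINDOW:
            alerts.append(ev)
        last_seen[ip] = ts
    return alerts

def _ev(ts, ip, action, identity="Unknown", account="anonymous", outcome="success"):
    """Constructed, minimal ECS-flattened CloudTrail S3 event (sample data only)."""
    return {
        "@timestamp": ts,
        "event.dataset": "aws.cloudtrail",
        "event.provider": "s3.amazonaws.com",
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.type": identity,
        "cloud.account.id": account,
        "source.address": ip,
    }

T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed; IPs from the RFC 5737 documentation ranges
    _ev(T0, "203.0.113.10", "GetObject"),                         # new IP -> alert
    _ev(T0 + timedelta(hours=1), "203.0.113.10", "ListBucket"),   # seen 1h ago -> no alert
    _ev(T0 + timedelta(hours=2), "198.51.100.7", "GetObject",
        identity="IAMUser", account="111122223333"),              # authenticated -> filtered out
    _ev(T0 + timedelta(hours=3), "198.51.100.7", "GetObject", outcome="failure"),  # denied -> filtered out
    _ev(T0 + timedelta(days=3), "203.0.113.10", "GetObject"),     # inside the 7d window -> no alert
    _ev(T0 + timedelta(days=11), "203.0.113.10", "GetObject"),    # last seen 8d ago -> alert again
    _ev(T0 + timedelta(days=11, hours=1), "198.51.100.7", "ListObjects",
        identity="AWSAccount"),                                   # first unauthenticated use -> alert
]

def alert_sources(events=SAMPLE_EVENTS) -> list[tuple[str, str]]:
    """(source.address, event.action) for each alert the rule would raise, in order."""
    return [(e["source.address"], e["event.action"]) for e in new_terms_alerts(events)]
```

Note that the authenticated and denied requests never enter `last_seen`, so the first successful unauthenticated request from that address still counts as a new term.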