AWS S3 Credential File Retrieved from Bucket

Detects successful S3 GetObject calls targeting high-value credential and secret files commonly stored in S3 buckets: AWS credentials files (".aws/credentials", ".aws/config"), SSH private keys ("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"), environment files (".env"), PEM and PuTTY key files, and other private key patterns. These file types are high-yield targets for credential harvesting from S3. The rule excludes the AWSService identity type to suppress S3 replication, Glacier restore, and other AWS-internal data movement that legitimately reads these files.

Elastic rule

[metadata]
creation_date = "2026/05/27"
integration = ["aws"]
maturity = "production"
updated_date = "2026/05/27"

[rule]
author = ["Elastic"]
description = """
Detects successful S3 GetObject calls targeting high-value credential and secret files commonly
stored in S3 buckets: AWS credentials files (".aws/credentials", ".aws/config"), SSH private keys
("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"), environment files (".env"), PEM and PuTTY key files,
and other private key patterns. These file types are high-yield targets for credential harvesting
from S3. The rule excludes AWSService identity type to suppress S3 replication, Glacier restore,
and other AWS-internal data movement that legitimately reads these files.
"""
false_positives = [
    """
    Legitimate CI/CD pipelines, infrastructure tooling, or configuration management systems may retrieve
    secret files from S3 as part of their normal operation. Validate the calling identity, user agent,
    and source IP against known automation accounts and expected access patterns.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Credential File Retrieved from Bucket"
note = """## Triage and analysis

### Investigating AWS S3 Credential File Retrieved from Bucket

S3 is frequently used to store configuration files, scripts, and secrets. When files with credential-like
names are accessed, it warrants investigation to ensure that the retrieval was authorized.

### Possible investigation steps

- **Identify the accessed file**: Review `aws.cloudtrail.request_parameters` for the bucket name and key.
  Determine whether the bucket is intended to store secrets.
- **Verify the caller**: Inspect `aws.cloudtrail.user_identity.arn` and `source.ip`. If the caller is not
  an approved automation role, escalate immediately.
- **Check bucket permissions**: Determine if the bucket is publicly accessible or if the key naming
  pattern was intentionally exposed.
- **Look for downstream actions**: Search for subsequent IAM, STS, or console actions from the same
  identity shortly after the object retrieval, which may indicate successful credential use.

### False positive analysis

- Legitimate backup or restore processes may access credential files stored in S3 as part of their
  workflow. Validate the calling identity and user agent against known automation accounts.
- CI/CD pipelines that retrieve secrets from S3 during deployment may trigger this rule. Verify the
  source IP and ARN match expected automation infrastructure.

### Response and remediation

- Immediately disable the access key identified in `aws.cloudtrail.user_identity.access_key_id` if
  the retrieval is determined to be unauthorized.
- Audit the S3 bucket for overly permissive policies or public access configurations.
- Rotate any credentials stored in the accessed object — treat them as compromised.
- Review all CloudTrail events from the same identity in the preceding 30 minutes for signs of
  lateral movement, IAM changes, or resource creation.
- Implement S3 bucket policies or IAM conditions restricting access to credential files to only
  authorized identities and source IPs.
"""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html",
]
risk_score = 47
rule_id = "2f0ee9fe-4529-4b9e-9f78-6c81ef33c6ba"
severity = "medium"
setup = """S3 data event logging is required for this rule. This rule detects S3 GetObject events,
which are data plane events not logged by default. To enable: CloudTrail console → Trails →
[trail name] → Data events → Add S3 → select the buckets to monitor (or all buckets with a wildcard).
Without this configuration, the rule produces no alerts.

Refer to the AWS documentation on
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html[logging data events]
for detailed steps.
"""
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS S3",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail" and
    event.provider: "s3.amazonaws.com" and
    event.action: "GetObject" and
    event.outcome: "success" and
    aws.cloudtrail.flattened.request_parameters.key: (
        */.aws/credentials or
        */.aws/config or
        */id_rsa or
        */id_ed25519 or
        */id_ecdsa or
        */id_dsa or
        */.env or
        */.env.* or
        *.ppk or
        *.pem or
        *.key or
        *private_key* or
        */.ssh/authorized_keys
    ) and
    not aws.cloudtrail.user_identity.type: "AWSService"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[rule.alert_suppression]
group_by = ["source.ip", "cloud.account.id"]
duration = {value = 5, unit = "m"}
missing_fields_strategy = "suppress"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.as.number",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.provider",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]

Triage and analysis

Investigating AWS S3 Credential File Retrieved from Bucket

S3 is frequently used to store configuration files, scripts, and secrets. When files with credential-like names are accessed, it warrants investigation to ensure that the retrieval was authorized.

Possible investigation steps

  • Identify the accessed file: Review aws.cloudtrail.request_parameters for the bucket name and key. Determine whether the bucket is intended to store secrets.
  • Verify the caller: Inspect aws.cloudtrail.user_identity.arn and source.ip. If the caller is not an approved automation role, escalate immediately.
  • Check bucket permissions: Determine if the bucket is publicly accessible or if the key naming pattern was intentionally exposed.
  • Look for downstream actions: Search for subsequent IAM, STS, or console actions from the same identity shortly after the object retrieval, which may indicate successful credential use.

False positive analysis

  • Legitimate backup or restore processes may access credential files stored in S3 as part of their workflow. Validate the calling identity and user agent against known automation accounts.
  • CI/CD pipelines that retrieve secrets from S3 during deployment may trigger this rule. Verify the source IP and ARN match expected automation infrastructure.

Response and remediation

  • Immediately disable the access key identified in aws.cloudtrail.user_identity.access_key_id if the retrieval is determined to be unauthorized.
  • Audit the S3 bucket for overly permissive policies or public access configurations.
  • Rotate any credentials stored in the accessed object — treat them as compromised.
  • Review all CloudTrail events from the same identity in the preceding 30 minutes for signs of lateral movement, IAM changes, or resource creation.
  • Implement S3 bucket policies or IAM conditions restricting access to credential files to only authorized identities and source IPs.
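The following is an added example, not Elastic's code or part of the rule above: it replays the rule's query logic, its 5-minute alert suppression keyed on source.ip and cloud.account.id, and the "look for downstream actions" triage step over a handful of constructed CloudTrail records. It assumes that a KQL wildcard value on a keyword field behaves like an anchored regex in which "*" matches any run of characters (including "/"), and that the raw CloudTrail fields eventSource, eventName, errorCode, userIdentity.type and requestParameters.key are what the integration maps to event.provider, event.action, event.outcome, aws.cloudtrail.user_identity.type and aws.cloudtrail.flattened.request_parameters.key. The suppression window is a simplified reading (the window opens at the first alert for a group and later matches inside it are dropped). The bucket name, ARNs and IP addresses are invented. One check worth knowing from the patterns themselves: every "*/..." pattern requires a "/" before the file name, so an object stored at the bucket root as ".env" or "id_rsa" does not match, while "*.pem" and "*.key" match at any depth.

```python
import re
from datetime import datetime, timedelta

# Key patterns copied from the rule's KQL query (aws.cloudtrail.flattened.request_parameters.key).
KEY_PATTERNS = [
    "*/.aws/credentials", "*/.aws/config",
    "*/id_rsa", "*/id_ed25519", "*/id_ecdsa", "*/id_dsa",
    "*/.env", "*/.env.*",
    "*.ppk", "*.pem", "*.key", "*private_key*",
    "*/.ssh/authorized_keys",
]

def kql_wildcard(pattern: str) -> re.Pattern:
    """One KQL wildcard value as an anchored regex: '*' matches any run of characters
    (including '/'), everything else is literal, and the whole key must match.
    Assumed approximation of KQL wildcard matching on a keyword field."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

KEY_REGEXES = [kql_wildcard(p) for p in KEY_PATTERNS]

def key_matches(key: str) -> bool:
    return any(rx.match(key) for rx in KEY_REGEXES)

def is_match(rec: dict) -> bool:
    """The rule's conditions applied to a raw CloudTrail record (assumed field mapping)."""
    return (
        rec.get("eventSource") == "s3.amazonaws.com"                 # event.provider
        and rec.get("eventName") == "GetObject"                        # event.action
        and "errorCode" not in rec                                     # event.outcome: success
        and rec.get("userIdentity", {}).get("type") != "AWSService"    # replication, restores
        and key_matches(rec.get("requestParameters", {}).get("key", ""))
    )

def event_time(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def alerts_with_suppression(records, duration=timedelta(minutes=5)):
    """One alert per (source.ip, cloud.account.id) group per suppression window,
    mirroring [rule.alert_suppression] in simplified form."""
    window_ends, alerts = {}, []
    for rec in sorted(records, key=event_time):
        if not is_match(rec):
            continue
        group = (rec.get("sourceIPAddress"), rec.get("recipientAccountId"))
        t = event_time(rec)
        if group in window_ends and t < window_ends[group]:
            continue                                                   # suppressed
        window_ends[group] = t + duration
        alerts.append(rec)
    return alerts

def downstream_actions(records, arn, since, window=timedelta(minutes=30)):
    """Triage step: IAM/STS calls by the same identity after the retrieval."""
    return [r["eventName"] for r in sorted(records, key=event_time)
            if r.get("userIdentity", {}).get("arn") == arn
            and r.get("eventSource") in ("iam.amazonaws.com", "sts.amazonaws.com")
            and since < event_time(r) <= since + window]

# Constructed sample records, not real CloudTrail output; account, bucket and ARNs are invented.
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
CI_ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci/runner"}
REPLICATION = {"type": "AWSService", "invokedBy": "replication.s3.amazonaws.com"}

def ct(minute, source, name, identity, ip, key=None, error=None):
    rec = {"eventTime": f"2026-05-27T10:{minute:02d}:00Z", "eventSource": source,
           "eventName": name, "userIdentity": identity, "sourceIPAddress": ip,
           "recipientAccountId": "123456789012"}
    if key is not None:
        rec["requestParameters"] = {"bucketName": "acme-deploy", "key": key}
    if error:
        rec["errorCode"] = error
    return rec

S3, STS, IAM = "s3.amazonaws.com", "sts.amazonaws.com", "iam.amazonaws.com"
SAMPLE_RECORDS = [
    ct(0, S3, "GetObject", ALICE, "203.0.113.10", "deploy/.aws/credentials"),      # alert
    ct(1, S3, "GetObject", ALICE, "203.0.113.10", "keys/id_rsa"),                  # suppressed: same group, inside 5m
    ct(2, S3, "GetObject", REPLICATION, S3, "backup/id_rsa"),                       # AWSService: excluded
    ct(2, STS, "AssumeRole", ALICE, "203.0.113.10"),
    ct(3, S3, "GetObject", ALICE, "203.0.113.10", "app/.env", error="AccessDenied"),  # not a success
    ct(4, S3, "GetObject", CI_ROLE, "198.51.100.7", "app/.env.production"),         # alert: new source.ip group
    ct(5, S3, "GetObject", ALICE, "203.0.113.10", ".env"),                         # root-level key: */.env needs a '/'
    ct(6, IAM, "CreateAccessKey", ALICE, "203.0.113.10"),
    ct(10, S3, "GetObject", ALICE, "203.0.113.10", "certs/server.pem"),            # alert: window expired
]

if __name__ == "__main__":
    for a in alerts_with_suppression(SAMPLE_RECORDS):
        ident = a["userIdentity"].get("arn")
        print(f"ALERT {a['eventTime']} {ident} {a['sourceIPAddress']} key={a['requestParameters']['key']}")
        print("  downstream IAM/STS:", downstream_actions(SAMPLE_RECORDS, ident, event_time(a)))
```

Run as-is it produces three alerts from nine records: the first credentials read by alice, the CI role's .env.production read from a different source IP, and alice's server.pem read once her 5-minute window has expired; the second alice read is suppressed, the replication read is excluded as AWSService, the AccessDenied read is not a success, and the root-level ".env" never matches. The first alert's downstream list shows the AssumeRole and CreateAccessKey calls that the triage guide tells you to look for.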
