AWS IAM S3Browser Templated S3 Bucket Policy Creation

Detects the S3 Browser utility creating an inline IAM policy that still contains the default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".

Sigma rule

title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
id: db014773-7375-4f4e-b83b-133337c0ffee
status: test
description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
references:
    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
    - attack.execution
    - attack.t1059.009
    - attack.persistence
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: iam.amazonaws.com
        eventName: PutUserPolicy
        userAgent|contains: 'S3 Browser'
        requestParameters|contains|all:
            - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
            - '"s3:GetObject"'
            - '"Allow"'
    condition: selection
falsepositives:
    - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
level: high
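The selection above is easiest to reason about when run over concrete CloudTrail records. The following Python is an added example, not part of the Sigma project or the rule's author's code: it applies the same four conditions (eventSource, eventName, a case-insensitive `contains` on userAgent, and `contains|all` over requestParameters) to a handful of constructed events. The events, user-agent strings and bucket names are invented; the requestParameters field names (userName, policyName, policyDocument) follow what CloudTrail records for PutUserPolicy. One detail worth noticing is that CloudTrail stores the policy document as a JSON string inside requestParameters, so a naive `json.dumps` of the whole object would escape the inner quotes and the `"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"` fragment would never match; the helper therefore searches the raw string values.

```python
import json
from typing import Any, Iterator, List

# The three fragments the rule requires under requestParameters|contains|all.
REQUIRED_FRAGMENTS = (
    '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"',
    '"s3:GetObject"',
    '"Allow"',
)

# Constructed policy document mirroring the templated default the rule describes.
TEMPLATED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::<YOUR-BUCKET-NAME>/*"],
    }],
})

# Constructed CloudTrail-style records (not real telemetry); user agents are made up.
SAMPLE_EVENTS = [
    {   # templated policy pushed by S3 Browser: the rule should fire
        "eventID": "evt-1",
        "eventSource": "iam.amazonaws.com",
        "eventName": "PutUserPolicy",
        "userAgent": "S3 Browser/11.0.0",
        "requestParameters": {
            "userName": "backup-svc",
            "policyName": "s3browser-policy",
            "policyDocument": TEMPLATED_POLICY,
        },
    },
    {   # same tool, but the operator replaced the placeholder: no alert
        "eventID": "evt-2",
        "eventSource": "iam.amazonaws.com",
        "eventName": "PutUserPolicy",
        "userAgent": "S3 Browser/11.0.0",
        "requestParameters": {
            "userName": "backup-svc",
            "policyName": "s3browser-policy",
            "policyDocument": TEMPLATED_POLICY.replace("<YOUR-BUCKET-NAME>", "corp-backups"),
        },
    },
    {   # templated policy, but sent by a different client: outside this rule's scope
        "eventID": "evt-3",
        "eventSource": "iam.amazonaws.com",
        "eventName": "PutUserPolicy",
        "userAgent": "aws-cli/2.0.0",
        "requestParameters": {
            "userName": "backup-svc",
            "policyName": "templated",
            "policyDocument": TEMPLATED_POLICY,
        },
    },
    {   # unrelated IAM call from S3 Browser: wrong eventName
        "eventID": "evt-4",
        "eventSource": "iam.amazonaws.com",
        "eventName": "ListAccessKeys",
        "userAgent": "S3 Browser/11.0.0",
        "requestParameters": {"userName": "backup-svc"},
    },
]


def _string_values(value: Any) -> Iterator[str]:
    """Yield every string inside a nested requestParameters value, so JSON
    embedded as a string (policyDocument) is searched raw, not re-escaped."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _string_values(item)
    elif isinstance(value, list):
        for item in value:
            yield from _string_values(item)


def matches_rule(event: dict) -> bool:
    """Apply the Sigma selection to one CloudTrail record."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "PutUserPolicy":
        return False
    # Sigma 'contains' is case-insensitive by default.
    if "s3 browser" not in event.get("userAgent", "").lower():
        return False
    haystack = "\n".join(_string_values(event.get("requestParameters", {}))).lower()
    return all(fragment.lower() in haystack for fragment in REQUIRED_FRAGMENTS)


def find_alerts(events: List[dict]) -> List[str]:
    """Return the eventIDs of records that satisfy the rule."""
    return [e["eventID"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # expected: ['evt-1']
```

The second sample record is the false positive the rule itself calls out in reverse: once the operator has replaced the placeholder, the ARN fragment no longer matches and the policy is treated as intentional, so triage of a hit should start by confirming the literal `<YOUR-BUCKET-NAME>` string is present in the stored policy.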
