AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "
Sigma rule (View on GitHub)
1title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
2id: db014773-7375-4f4e-b83b-133337c0ffee
3status: test
4description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
5references:
6 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
7author: daniel.bohannon@permiso.io (@danielhbohannon)
8date: 2023-05-17
9tags:
10 - attack.execution
11 - attack.t1059.009
12 - attack.persistence
13 - attack.t1078.004
14logsource:
15 product: aws
16 service: cloudtrail
17detection:
18 selection:
19 eventSource: iam.amazonaws.com
20 eventName: PutUserPolicy
21 userAgent|contains: 'S3 Browser'
22 requestParameters|contains|all:
23 - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
24 - '"s3:GetObject"'
25 - '"Allow"'
26 condition: selection
27falsepositives:
28 - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
29level: high
References
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser User or AccessKey Creation
- Github SSH Certificate Configuration Changed
- Kubernetes CronJob/Job Modification
- ESXi Account Creation Via ESXCLI