
AWS S3 Credential File Retrieved from Bucket

Status: production
Severity: medium
Time window: 6m
Author: Elastic
Source: github.com/elastic/detection-rules

Detects successful S3 GetObject calls targeting high-value credential and secret files commonly stored in S3 buckets: AWS credentials files (".aws/credentials", ".aws/config"), SSH private keys ("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"), environment files (".env"), PEM and PuTTY key files, and other private key patterns. These file types are high-yield targets for credential harvesting from S3. The rule excludes AWSService identity type to suppress S3 replication, Glacier restore, and other AWS-internal data movement that legitimately reads these files.

MITRE ATT&CK coverage

Tactic                            Technique                          Sub-technique
TA0006 Credential Access          T1552 Unsecured Credentials        T1552.001 Credentials In Files
TA0009 Collection                 T1530 Data from Cloud Storage

Event coverage

Provider  Event
AWS-s3    GetObject

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Rule body

[metadata]
creation_date = "2026/05/27"
integration = ["aws"]
maturity = "production"
updated_date = "2026/05/27"

[rule]
author = ["Elastic"]
description = """
Detects successful S3 GetObject calls targeting high-value credential and secret files commonly
stored in S3 buckets: AWS credentials files (".aws/credentials", ".aws/config"), SSH private keys
("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"), environment files (".env"), PEM and PuTTY key files,
and other private key patterns. These file types are high-yield targets for credential harvesting
from S3. The rule excludes AWSService identity type to suppress S3 replication, Glacier restore,
and other AWS-internal data movement that legitimately reads these files.
"""
false_positives = [
    """
    Legitimate CI/CD pipelines, infrastructure tooling, or configuration management systems may retrieve
    secret files from S3 as part of their normal operation. Validate the calling identity, user agent,
    and source IP against known automation accounts and expected access patterns.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Credential File Retrieved from Bucket"
note = """## Triage and analysis

### Investigating AWS S3 Credential File Retrieved from Bucket

S3 is frequently used to store configuration files, scripts, and secrets. When files with credential-like
names are accessed, it warrants investigation to ensure that the retrieval was authorized.

### Possible investigation steps

- **Identify the accessed file**: Review `aws.cloudtrail.request_parameters` for the bucket name and key.
  Determine whether the bucket is intended to store secrets.
- **Verify the caller**: Inspect `aws.cloudtrail.user_identity.arn` and `source.ip`. If the caller is not
  an approved automation role, escalate immediately.
- **Check bucket permissions**: Determine if the bucket is publicly accessible or if the key naming
  pattern was intentionally exposed.
- **Look for downstream actions**: Search for subsequent IAM, STS, or console actions from the same
  identity shortly after the object retrieval, which may indicate successful credential use.

### False positive analysis

- Legitimate backup or restore processes may access credential files stored in S3 as part of their
  workflow. Validate the calling identity and user agent against known automation accounts.
- CI/CD pipelines that retrieve secrets from S3 during deployment may trigger this rule. Verify the
  source IP and ARN match expected automation infrastructure.

### Response and remediation

- Immediately disable the access key identified in `aws.cloudtrail.user_identity.access_key_id` if
  the retrieval is determined to be unauthorized.
- Audit the S3 bucket for overly permissive policies or public access configurations.
- Rotate any credentials stored in the accessed object — treat them as compromised.
- Review all CloudTrail events from the same identity in the preceding 30 minutes for signs of
  lateral movement, IAM changes, or resource creation.
- Implement S3 bucket policies or IAM conditions restricting access to credential files to only
  authorized identities and source IPs.
"""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html",
]
risk_score = 47
rule_id = "2f0ee9fe-4529-4b9e-9f78-6c81ef33c6ba"
severity = "medium"
setup = """S3 data event logging is required for this rule. This rule detects S3 GetObject events,
which are data plane events not logged by default. To enable: CloudTrail console → Trails →
[trail name] → Data events → Add S3 → select the buckets to monitor (or all buckets with a wildcard).
Without this configuration, the rule produces no alerts.

Refer to the AWS documentation on
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html[logging data events]
for detailed steps.
"""
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS S3",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail" and
    event.provider: "s3.amazonaws.com" and
    event.action: "GetObject" and
    event.outcome: "success" and
    aws.cloudtrail.flattened.request_parameters.key: (
        */.aws/credentials or
        */.aws/config or
        */id_rsa or
        */id_ed25519 or
        */id_ecdsa or
        */id_dsa or
        */.env or
        */.env.* or
        *.ppk or
        *.pem or
        *.key or
        *private_key* or
        */.ssh/authorized_keys
    ) and
    not aws.cloudtrail.user_identity.type: "AWSService"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[rule.alert_suppression]
group_by = ["source.ip", "cloud.account.id"]
duration = {value = 5, unit = "m"}
missing_fields_strategy = "suppress"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.as.number",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.provider",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
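As an added example (not code from the Elastic rule or its repository), the following Python re-implements the rule's conjuncts and its alert suppression over constructed raw CloudTrail records, so the effect of each predicate can be checked offline. It assumes the integration's raw-to-ECS mapping (eventSource maps to event.provider, eventName to event.action, and a record with no errorCode is what becomes event.outcome: success) and uses fnmatch as a stand-in for KQL wildcard matching.

```python
import fnmatch
from datetime import datetime, timedelta

# Wildcard list copied from the rule's query. KQL '*' matches any characters,
# '/' included, which is also how fnmatch treats '*' (unlike shell globbing).
KEY_PATTERNS = ["*/.aws/credentials", "*/.aws/config", "*/id_rsa", "*/id_ed25519",
                "*/id_ecdsa", "*/id_dsa", "*/.env", "*/.env.*", "*.ppk", "*.pem",
                "*.key", "*private_key*", "*/.ssh/authorized_keys"]

def key_matches(key):
    # Note the '*/' prefix on most patterns: a root-level key such as
    # '.aws/credentials' (no directory component) does not match as written.
    return any(fnmatch.fnmatchcase(key, p) for p in KEY_PATTERNS)

def matches_rule(rec):
    # The rule's conjuncts over one raw CloudTrail record (assumed mapping:
    # eventSource/eventName/no errorCode for provider/action/success outcome).
    return (rec.get("eventSource") == "s3.amazonaws.com"
            and rec.get("eventName") == "GetObject"
            and "errorCode" not in rec
            and rec.get("userIdentity", {}).get("type") != "AWSService"
            and key_matches(rec.get("requestParameters", {}).get("key", "")))

def suppress(hits, window=timedelta(minutes=5)):
    # Mirror [rule.alert_suppression]: one alert per (source IP, account) per
    # 5-minute window; hits missing a field are still grouped (strategy "suppress").
    last_seen, alerts = {}, []
    for rec in sorted(hits, key=lambda r: r["eventTime"]):
        group = (rec.get("sourceIPAddress"), rec.get("recipientAccountId"))
        t = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        if group in last_seen and t - last_seen[group] < window:
            continue  # duplicate inside the window: suppressed, not alerted
        last_seen[group] = t
        alerts.append(rec)
    return alerts

# Constructed sample records (not real CloudTrail data). Expected alerts: 10:00 and
# 10:07; 10:02 is suppressed, 10:08 is AWSService, 10:09 failed, 10:10 is no secret.
def make_record(t, key, identity="IAMUser", error=None):
    r = {"eventTime": t, "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
         "recipientAccountId": "123456789012", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": identity}, "requestParameters": {"key": key}}
    return {**r, "errorCode": error} if error else r

SAMPLE = [make_record("2026-05-27T10:00:00Z", "prod/.aws/credentials"),
          make_record("2026-05-27T10:02:00Z", "prod/.env"),
          make_record("2026-05-27T10:07:00Z", "prod/certs/server.pem"),
          make_record("2026-05-27T10:08:00Z", "prod/id_rsa", identity="AWSService"),
          make_record("2026-05-27T10:09:00Z", "prod/.env", error="AccessDenied"),
          make_record("2026-05-27T10:10:00Z", "prod/readme.txt")]
```

Running `suppress([r for r in SAMPLE if matches_rule(r)])` yields the 10:00 and 10:07 records; the root-level caveat in `key_matches` is worth checking against your own bucket layouts before relying on the rule.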

Stages and Predicates

Stage 1: query

data_stream.dataset: "aws.cloudtrail" and
    event.provider: "s3.amazonaws.com" and
    event.action: "GetObject" and
    event.outcome: "success" and
    aws.cloudtrail.flattened.request_parameters.key: (
        */.aws/credentials or
        */.aws/config or
        */id_rsa or
        */id_ed25519 or
        */id_ecdsa or
        */id_dsa or
        */.env or
        */.env.* or
        *.ppk or
        *.pem or
        *.key or
        *private_key* or
        */.ssh/authorized_keys
    ) and
    not aws.cloudtrail.user_identity.type: "AWSService"

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field                              Kind  Excluded values
aws.cloudtrail.user_identity.type  eq    AWSService

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                                            Kind      Values
aws.cloudtrail.flattened.request_parameters.key  wildcard
  • *.key
  • *.pem
  • *.ppk
  • */.aws/config
  • */.aws/credentials
  • */.env
  • */.env.*
  • */.ssh/authorized_keys
  • */id_dsa
  • */id_ecdsa
  • */id_ed25519
  • */id_rsa
  • *private_key*
data_stream.dataset                              eq
  • aws.cloudtrail
event.action                                     eq
  • GetObject
event.outcome                                    eq
  • success
event.provider                                   eq
  • s3.amazonaws.com