AWS S3 Rapid Bucket Posture API Calls from a Single Principal

Status: production
Severity: low
Time window: 6m
Group by: Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn, source.ip
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies when the same AWS principal, from the same source IP, successfully invokes read-only S3 control-plane APIs that reveal bucket posture across many buckets in a short period. This pattern can indicate automated reconnaissance or security scanning, similar to CSPM tools and post-compromise enumeration. The rule excludes AWS service principals, requires programmatic-style sessions (not Management Console credentials), and requires populated resource and identity fields so nulls do not skew cardinality.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1526` Cloud Service Discovery, `T1580` Cloud Infrastructure Discovery, `T1619` Cloud Storage Object Discovery
Collection	`T1530` Data from Cloud Storage

Event coverage

Provider	Event
AWS-s3	GetBucketPolicy
AWS-s3	GetBucketPublicAccessBlock
AWS-s3	GetBucketAcl
AWS-s3	GetBucketPolicyStatus
AWS-s3	GetBucketVersioning

Rule body elastic

[metadata]
creation_date = "2026/04/02"
integration = ["aws"]
maturity = "production"
min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
min_stack_version = "9.2.0"
updated_date = "2026/04/29"

[rule]
author = ["Elastic"]
description = """
Identifies when the same AWS principal, from the same source IP, successfully invokes read-only S3 control-plane APIs
that reveal bucket posture across many buckets in a short period. This pattern can indicate automated reconnaissance or
security scanning, similar to CSPM tools and post-compromise enumeration. The rule excludes AWS service principals,
requires programmatic-style sessions (not Management Console credentials), and requires populated resource and identity
fields so nulls do not skew cardinality.
"""
false_positives = [
    """
    Legitimate security scanners, CSPM products, compliance jobs, and inventory automation may call the same read-only
    bucket APIs across many buckets quickly. Verify the principal ARN, source IP, user agent, and schedule against known
    approved tooling before treating the activity as malicious.
    """,
]
from = "now-6m"
language = "esql"
license = "Elastic License v2"
name = "AWS S3 Rapid Bucket Posture API Calls from a Single Principal"
note = """## Triage and analysis

### Investigating AWS S3 Rapid Bucket Posture API Calls from a Single Principal

This rule detects when the same AWS principal (`aws.cloudtrail.user_identity.arn`), from the same `source.ip`, successfully invokes read-only S3 control-plane APIs that reveal bucket posture across more than 15 distinct `aws.cloudtrail.resources.arn` values within a 10-second window.

Security scanners, compliance tools, and post-compromise reconnaissance often walk many buckets quickly to map public access, policies, and versioning. Bursts of distinct buckets in seconds are less typical of one-off console administration or single-bucket troubleshooting. This could be indicative of reconnaissance as seen by threat actors like Team PCP. 

### Possible investigation steps

**Identify the actor and session context**
- **Actor ARN (`aws.cloudtrail.user_identity.arn`)**: Determine which IAM user, role, or federated principal performed the reads. Confirm whether this identity is approved for broad S3 read or security auditing. Unusual types or unfamiliar roles may warrant deeper review.
- **Access key (`Esql.aws_cloudtrail_user_identity_access_key_id_values`)**: Identify which access key or temporary credential was used. Correlate with IAM last-used metadata for the key or role session.

**Characterize the bucket sweep**
- **Distinct bucket count (`Esql.aws_cloudtrail_resources_arn_count_distinct`)**: Compare to normal baselines for this identity; values at or just above the threshold may still warrant review for new automation.
- **Bucket ARNs (`Esql.aws_cloudtrail_resources_arn_values`)**: Identify which buckets were touched. Prioritize buckets that store logs, backups, credentials, or regulated data. Search the same time range for write or policy-change APIs (`PutBucket*`, `DeleteBucket*`) on the same buckets.

**Analyze source and client**
- **Source IP (`Esql.source_ip_values`)**: Map to corporate egress, a known runner or bastion, an EC2 instance, or an unfamiliar ASN. Compare with VPC Flow Logs or proxy logs when available.
- **User agent (`Esql.user_agent_original_values`, `Esql.user_agent_name_values`)**: Identify the AWS CLI, Boto3, a specific scanner, or custom scripts. Unusual or minimal user agents may align with tooling and require investigation.

**Correlate in time**
- Query CloudTrail for the same `aws.cloudtrail.user_identity.arn` and `source.ip` within approximately ±30 minutes for follow-on patterns: `ListBuckets`, `GetObject`, `PutBucketPolicy`, `AssumeRole`, or IAM changes.
- Check for overlapping alerts related to credential access, unusual geolocation, or new external bucket policy grants.

### False positive analysis

Legitimate causes can include:
- **Security and compliance scanners** (for example CSPM or assessment tools) using API credentials with `s3:Get*` permissions across many buckets.
- **Inventory or backup catalog tools** that enumerate bucket metadata for reporting.
- **CI/CD or infrastructure-as-code validation** jobs that verify bucket settings across environments.

Validate whether the principal is a documented service account, the IP belongs to known infrastructure, and the timing matches scheduled jobs. If behavior is expected, consider raising the distinct-bucket threshold, adding `user_agent` filters, or documenting exception identities.

### Response and remediation

**Contain**
- If activity is unexpected, rotate or disable keys for the affected identity, revoke active role sessions where possible, and restrict the source IP at the network layer if it is not authorized.

**Investigate**
- Export CloudTrail for the window around `Esql.time_window_date_trunc` and review all S3 and IAM events for the same actor.
- Review IAM policies attached to the principal for excessive `s3:Get*` or `s3:List*` scope.

**Harden**
- Enforce least privilege on S3 read APIs; use permission boundaries or service control policies where appropriate.
- Ensure sensitive buckets are not unnecessarily reachable from the observed network context.
- Document approved scanning accounts and tune the rule to reduce noise from those identities.

### Additional information

- [AWS Security Incident Response Guide](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/aws-security-incident-response-guide.pdf)
- [AWS Incident Response Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/)
- [AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework)

"""
references = [
    "https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise",
]
risk_score = 21
rule_id = "a7577205-88a1-4a08-85d4-7b72a9a2e969"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS S3",
    "Data Source: AWS CloudTrail",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Tactic: Collection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws.cloudtrail-* metadata _id, _version, _index
| eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)

| where
    data_stream.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.outcome == "success"
    and event.action in (
      "GetBucketAcl",
      "GetBucketPublicAccessBlock",
      "GetBucketPolicy",
      "GetBucketPolicyStatus",
      "GetBucketVersioning"
    )
    and aws.cloudtrail.user_identity.type != "AWSService"
    and source.ip IS NOT NULL
    and aws.cloudtrail.resources.arn IS NOT NULL
    and aws.cloudtrail.user_identity.arn IS NOT NULL
    and aws.cloudtrail.session_credential_from_console IS NULL

| keep
    @timestamp,
    Esql.time_window_date_trunc,
    event.action,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.type,
    aws.cloudtrail.user_identity.access_key_id,
    source.ip,
    aws.cloudtrail.resources.arn,
    cloud.account.id,
    cloud.region,
    user_agent.original,
    source.as.organization.name,
    data_stream.namespace

| stats
    Esql.aws_cloudtrail_resources_arn_count_distinct = count_distinct(aws.cloudtrail.resources.arn),
    Esql.aws_cloudtrail_resources_arn_values = VALUES(aws.cloudtrail.resources.arn),
    Esql.event_action_values = VALUES(event.action),
    Esql.timestamp_values = VALUES(@timestamp),
    Esql.aws_cloudtrail_user_identity_type_values = VALUES(aws.cloudtrail.user_identity.type),
    Esql.aws_cloudtrail_user_identity_access_key_id_values = VALUES(aws.cloudtrail.user_identity.access_key_id),
    Esql.cloud_account_id_values = VALUES(cloud.account.id),
    Esql.cloud_region_values = VALUES(cloud.region),
    Esql.user_agent_original_values = VALUES(user_agent.original),
    Esql.source_as_organization_name_values = VALUES(source.as.organization.name),
    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
  by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn, source.ip

| where Esql.aws_cloudtrail_resources_arn_count_distinct > 15

| keep
    aws.cloudtrail.user_identity.arn,
    source.ip,
    Esql.time_window_date_trunc,
    Esql.aws_cloudtrail_resources_arn_count_distinct,
    Esql.aws_cloudtrail_resources_arn_values,
    Esql.event_action_values,
    Esql.timestamp_values,
    Esql.aws_cloudtrail_user_identity_type_values,
    Esql.aws_cloudtrail_user_identity_access_key_id_values,
    Esql.cloud_account_id_values,
    Esql.cloud_region_values,
    Esql.user_agent_original_values,
    Esql.source_as_organization_name_values,
    Esql.data_stream_namespace_values
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1526"
name = "Cloud Service Discovery"
reference = "https://attack.mitre.org/techniques/T1526/"

[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"

[[rule.threat.technique]]
id = "T1619"
name = "Cloud Storage Object Discovery"
reference = "https://attack.mitre.org/techniques/T1619/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[rule.investigation_fields]
field_names = [
    "Esql.aws_cloudtrail_resources_arn_count_distinct",
    "Esql.time_window_date_trunc",
    "aws.cloudtrail.user_identity.arn",
    "source.ip",
    "Esql.aws_cloudtrail_resources_arn_values",
    "Esql.event_action_values",
    "Esql.timestamp_values",
    "Esql.aws_cloudtrail_user_identity_type_values",
    "Esql.aws_cloudtrail_user_identity_access_key_id_values",
    "Esql.cloud_account_id_values",
    "Esql.cloud_region_values",
    "Esql.user_agent_original_values",
    "Esql.source_as_organization_name_values",
    "Esql.data_stream_namespace_values",
]

Stages and Predicates

Stage 1: `from`

from logs-aws.cloudtrail-* metadata _id, _version, _index

Stage 2: `eval`

| eval Esql.time_window_date_trunc = date_trunc(10 seconds, @timestamp)

Stage 3: `where`

| where
    data_stream.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.outcome == "success"
    and event.action in (
      "GetBucketAcl",
      "GetBucketPublicAccessBlock",
      "GetBucketPolicy",
      "GetBucketPolicyStatus",
      "GetBucketVersioning"
    )
    and aws.cloudtrail.user_identity.type != "AWSService"
    and source.ip IS NOT NULL
    and aws.cloudtrail.resources.arn IS NOT NULL
    and aws.cloudtrail.user_identity.arn IS NOT NULL
    and aws.cloudtrail.session_credential_from_console IS NULL

Stage 4: `keep`

| keep
    @timestamp,
    Esql.time_window_date_trunc,
    event.action,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.type,
    aws.cloudtrail.user_identity.access_key_id,
    source.ip,
    aws.cloudtrail.resources.arn,
    cloud.account.id,
    cloud.region,
    user_agent.original,
    source.as.organization.name,
    data_stream.namespace

Stage 5: `stats`

| stats
    Esql.aws_cloudtrail_resources_arn_count_distinct = count_distinct(aws.cloudtrail.resources.arn),
    Esql.aws_cloudtrail_resources_arn_values = VALUES(aws.cloudtrail.resources.arn),
    Esql.event_action_values = VALUES(event.action),
    Esql.timestamp_values = VALUES(@timestamp),
    Esql.aws_cloudtrail_user_identity_type_values = VALUES(aws.cloudtrail.user_identity.type),
    Esql.aws_cloudtrail_user_identity_access_key_id_values = VALUES(aws.cloudtrail.user_identity.access_key_id),
    Esql.cloud_account_id_values = VALUES(cloud.account.id),
    Esql.cloud_region_values = VALUES(cloud.region),
    Esql.user_agent_original_values = VALUES(user_agent.original),
    Esql.source_as_organization_name_values = VALUES(source.as.organization.name),
    Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
  by Esql.time_window_date_trunc, aws.cloudtrail.user_identity.arn, source.ip

Stage 6: `where`

| where Esql.aws_cloudtrail_resources_arn_count_distinct > 15

Stage 7: `keep`

| keep
    aws.cloudtrail.user_identity.arn,
    source.ip,
    Esql.time_window_date_trunc,
    Esql.aws_cloudtrail_resources_arn_count_distinct,
    Esql.aws_cloudtrail_resources_arn_values,
    Esql.event_action_values,
    Esql.timestamp_values,
    Esql.aws_cloudtrail_user_identity_type_values,
    Esql.aws_cloudtrail_user_identity_access_key_id_values,
    Esql.cloud_account_id_values,
    Esql.cloud_region_values,
    Esql.user_agent_original_values,
    Esql.source_as_organization_name_values,
    Esql.data_stream_namespace_values

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Esql.aws_cloudtrail_resources_arn_count_distinct`	gt	`15`
`aws.cloudtrail.resources.arn`	is_not_null	(no value, null check)
`aws.cloudtrail.session_credential_from_console`	is_null	(no value, null check)
`aws.cloudtrail.user_identity.arn`	is_not_null	(no value, null check)
`aws.cloudtrail.user_identity.type`	ne	`AWSService`
`data_stream.dataset`	eq	`aws.cloudtrail`
`event.action`	in	`GetBucketAcl` `GetBucketPolicy` `GetBucketPolicyStatus` `GetBucketPublicAccessBlock` `GetBucketVersioning`
`event.outcome`	eq	`success`
`event.provider`	eq	`s3.amazonaws.com`
`source.ip`	is_not_null	(no value, null check)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`aws.cloudtrail.user_identity.arn`	`KEEP aws.cloudtrail.user_identity.arn`
`source.ip`	`KEEP source.ip`
`Esql.time_window_date_trunc`	`KEEP Esql.time_window_date_trunc`
`Esql.aws_cloudtrail_resources_arn_count_distinct`	`KEEP Esql.aws_cloudtrail_resources_arn_count_distinct`
`Esql.aws_cloudtrail_resources_arn_values`	`KEEP Esql.aws_cloudtrail_resources_arn_values`
`Esql.event_action_values`	`KEEP Esql.event_action_values`
`Esql.timestamp_values`	`KEEP Esql.timestamp_values`
`Esql.aws_cloudtrail_user_identity_type_values`	`KEEP Esql.aws_cloudtrail_user_identity_type_values`
`Esql.aws_cloudtrail_user_identity_access_key_id_values`	`KEEP Esql.aws_cloudtrail_user_identity_access_key_id_values`
`Esql.cloud_account_id_values`	`KEEP Esql.cloud_account_id_values`
`Esql.cloud_region_values`	`KEEP Esql.cloud_region_values`
`Esql.user_agent_original_values`	`KEEP Esql.user_agent_original_values`
`Esql.source_as_organization_name_values`	`KEEP Esql.source_as_organization_name_values`
`Esql.data_stream_namespace_values`	`KEEP Esql.data_stream_namespace_values`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

AWS S3 Rapid Bucket Posture API Calls from a Single Principal

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: `from`

Stage 2: `eval`

Stage 3: `where`

Stage 4: `keep`

Stage 5: `stats`

Stage 6: `where`

Stage 7: `keep`

Indicators

Output fields

Keyboard shortcuts

Search operators

AWS S3 Rapid Bucket Posture API Calls from a Single Principal

MITRE ATT&CK coverage

Event coverage

Rule body elastic

Stages and Predicates

Stage 1: from

Stage 2: eval

Stage 3: where

Stage 4: keep

Stage 5: stats

Stage 6: where

Stage 7: keep

Indicators

Output fields

Stage 1: `from`

Stage 2: `eval`

Stage 3: `where`

Stage 4: `keep`

Stage 5: `stats`

Stage 6: `where`

Stage 7: `keep`