detection.wiki

Detection rules › Splunk

Detect New Open S3 Buckets over AWS CLI

Status
production
Severity
medium
Group by
"requestParameters.accessControlList.x-amz-grant-full-control", "requestParameters.accessControlList.x-amz-grant-read", "requestParameters.accessControlList.x-amz-grant-read-acp", "requestParameters.accessControlList.x-amz-grant-write", "requestParameters.accessControlList.x-amz-grant-write-acp", "userIdentity.principalId", "userIdentity.userName", bucketName, userAgent
Author
Patrick Bareiss, Splunk
Source
github.com/splunk/security_content

The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to "AuthenticatedUsers" or "AllUsers." This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.

MITRE ATT&CK coverage

TacticTechniques
CollectionT1530 Data from Cloud Storage

Rule body splunk

name: Detect New Open S3 Buckets over AWS CLI
id: 39c61d09-8b30-4154-922b-2d0a694ecc22
version: 10
creation_date: '2021-01-12'
modification_date: '2026-05-13'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: The following analytic detects the creation of open/public S3 buckets via the AWS CLI. It leverages AWS CloudTrail logs to identify events where a user has set bucket permissions to allow access to "AuthenticatedUsers" or "AllUsers." This activity is significant because open S3 buckets can expose sensitive data to unauthorized users, leading to data breaches. If confirmed malicious, an attacker could gain unauthorized access to potentially sensitive information stored in the S3 bucket, posing a significant security risk.
data_source:
    - AWS CloudTrail
search: |-
    `cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")
      | rename requestParameters.bucketName AS bucketName
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY userIdentity.userName userIdentity.principalId userAgent
           bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp
           requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
      | rename userIdentity.userName as user
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `detect_new_open_s3_buckets_over_aws_cli_filter`
how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS Cloudtrail logs.
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group.
references: []
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: User $user$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$
    entity:
        field: user
        type: user
        score: 50
analytic_story:
    - Suspicious AWS S3 Activities
asset_type: S3 Bucket
mitre_attack_id:
    - T1530
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail
      test_type: unit

Stages and Predicates

Stage 1: search

`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers")

Stage 2: rename

| rename requestParameters.bucketName AS bucketName

Stage 3: fillnull

| fillnull

Stage 4: stats

| stats count min(_time) as firstTime max(_time) as lastTime
    BY userIdentity.userName userIdentity.principalId userAgent
       bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp
       requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control

Stage 5: rename

| rename userIdentity.userName as user

Stage 6: search

| `security_content_ctime(firstTime)`

Stage 7: search

| `security_content_ctime(lastTime)`

Stage 8: search

| `detect_new_open_s3_buckets_over_aws_cli_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
eventNameeq
  • PutBucketAcl
eventSourceeq
  • "s3.amazonaws.com"
requestParameters.accessControlList.x-amz-grant-full-controlin
  • "*AllUsers"
  • "*AuthenticatedUsers"
requestParameters.accessControlList.x-amz-grant-read-acpin
  • "*AllUsers"
  • "*AuthenticatedUsers"
requestParameters.accessControlList.x-amz-grant-writein
  • "*AllUsers"
  • "*AuthenticatedUsers"
requestParameters.accessControlList.x-amz-grant-write-acpin
  • "*AllUsers"
  • "*AuthenticatedUsers"
sourcetypeeq
  • aws:cloudtrail
userAgenteq
  • "[aws-cli*"
  • aws-cli*