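// Detection: AWS S3 Static Site JavaScript File Uploaded.
// Flags S3 object reads/writes against a "static/js/*.js" path (the bundle layout
// produced by webpack-style builds) that come from IAM principals rather than the
// IaC/automation tooling normally expected to deploy a static site. Tampering with
// a served JavaScript bundle is a classic web-supply-chain foothold, so these
// events deserve review when they do not come from a known pipeline.
from logs-aws.cloudtrail* metadata _id, _version, _index
| where
// CloudTrail S3 data events. The rule's intent is the PutObject (upload) case;
// GetObject is kept as well, presumably so the read side of the same path is
// visible during triage — confirm before narrowing.
event.dataset == "aws.cloudtrail"
and event.provider == "s3.amazonaws.com"
and event.action in ("GetObject","PutObject")
// Limit to IAM users and assumed roles; other userIdentity.type values
// (e.g. Root, FederatedUser, AWSService) are intentionally out of scope.
and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")
// Coarse path pre-filter on the raw request parameters. The trailing "*" means this
// also matches ".json" / ".js.map"; the ENDS_WITH check further down narrows to ".js".
and aws.cloudtrail.request_parameters LIKE "*static/js/*.js*"
// Exclude common IaC tools and automation scripts by user agent.
// NOTE: user_agent.original is client-supplied and trivially spoofable, so this
// is a noise-reduction filter only, never a trust boundary — keep the list short
// and review any additions. LIKE is case-sensitive here; patterns must match the
// casing the tools actually send.
and not (
user_agent.original LIKE "*Terraform*"
or user_agent.original LIKE "*Ansible*"
// fixed typo: the tool is "Pulumi" (previously "*Pulumni*", which matched nothing)
or user_agent.original LIKE "*Pulumi*"
)
// Parse bucket name, host and object key out of the request parameters string.
// The named "?..." captures are the key labels of the serialized map and are discarded.
| dissect aws.cloudtrail.request_parameters "%{{?bucket.name.key}=%{bucket.name}, %{?host.key}=%{bucket.host}, %{?bucket.object.location.key}=%{bucket.object.location}}"
// Keep only the part of the object key after "static/js/"; rows whose key does
// not contain that segment fail the dissect and get a null bucket.object.
| dissect bucket.object.location "%{}static/js/%{bucket.object}"
// Exact ".js" suffix check (drops the ".json" / ".js.map" matches let through above).
| where ENDS_WITH(bucket.object, ".js")
// Fields surfaced to the analyst: who (ARN, access key, identity type), what
// (bucket/object, raw request), from where (user agent, source IP), and when.
| keep
aws.cloudtrail.user_identity.arn,
aws.cloudtrail.user_identity.access_key_id,
aws.cloudtrail.user_identity.type,
aws.cloudtrail.request_parameters,
bucket.name,
bucket.object,
user_agent.original,
source.ip,
event.action,
@timestamp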