AWS S3 Bucket Enumeration or Brute Force

Last updated 23 days ago on 2025-10-01
Created a year ago on 2024-05-01

About

Identifies a high number of failed S3 operations against a single bucket from a single source address within a short timeframe. This activity can indicate attempts to collect bucket objects or cause an increase in billing to an account via internal "AccessDenied" errors.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS S3
Use Case: Log Auditing
Tactic: Impact
Tactic: Discovery
Tactic: Collection
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Impact (TA0040)

Discovery (TA0007)

Collection (TA0009)

False Positive Examples
External account IDs or broken automation may trigger this rule. For AccessDenied (HTTP 403 Forbidden), S3 doesn't charge the bucket owner when the request is initiated outside of the bucket owner's individual AWS account or the bucket owner's AWS organization.
License
Elastic License v2

Definition

Rule Type
Threshold Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws

Query
  event.dataset: "aws.cloudtrail" and 
  event.provider : "s3.amazonaws.com" and 
  aws.cloudtrail.error_code : "AccessDenied" and 
  tls.client.server_name : * 
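The KQL above only selects the candidate events; the threshold part of the rule (many matches per bucket per source address in a short window) lives in the rule settings, which this page does not reproduce. The following added example, not part of the Elastic rule, re-implements that logic in Python over constructed CloudTrail-style records so the two halves can be seen together. It assumes grouping on source.ip and tls.client.server_name, a 5-minute window and a threshold of 20, none of which are stated on the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed threshold settings; the page does not state the rule's real values.
WINDOW = timedelta(minutes=5)
THRESHOLD = 20


def matches_query(event: dict) -> bool:
    """Mirror the rule's KQL: S3 AccessDenied events that carry a TLS server name."""
    return (event.get("event.dataset") == "aws.cloudtrail"
            and event.get("event.provider") == "s3.amazonaws.com"
            and event.get("aws.cloudtrail.error_code") == "AccessDenied"
            and bool(event.get("tls.client.server_name")))


def find_threshold_hits(events: list) -> list:
    """Group matching events by (source address, bucket endpoint) and return
    every group whose count reaches THRESHOLD inside a sliding WINDOW."""
    groups = defaultdict(list)
    for ev in events:
        if matches_query(ev):
            key = (ev["source.ip"], ev["tls.client.server_name"])
            groups[key].append(datetime.fromisoformat(ev["@timestamp"]))
    hits = []
    for (src, bucket), stamps in groups.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW:
                start += 1  # drop events that fell out of the window
            best = max(best, end - start + 1)
        if best >= THRESHOLD:
            hits.append((src, bucket, best))
    return hits


def sample_events() -> list:
    """Constructed CloudTrail-style records (not real logs): 25 denied S3
    calls from one address against one bucket in two minutes, plus noise."""
    base = datetime(2025, 10, 1, 12, 0, 0)
    common = {"event.dataset": "aws.cloudtrail", "event.provider": "s3.amazonaws.com",
              "tls.client.server_name": "example-bucket.s3.amazonaws.com"}
    events = [{**common, "@timestamp": (base + timedelta(seconds=5 * i)).isoformat(),
               "aws.cloudtrail.error_code": "AccessDenied", "source.ip": "198.51.100.7"}
              for i in range(25)]
    # Noise: one denial from another address, one successful call (no error code).
    events.append({**common, "@timestamp": base.isoformat(),
                   "aws.cloudtrail.error_code": "AccessDenied", "source.ip": "203.0.113.9"})
    events.append({**common, "@timestamp": base.isoformat(), "source.ip": "198.51.100.7"})
    return events
```

Running `find_threshold_hits(sample_events())` reports only the 198.51.100.7 / example-bucket pair with 25 denials; the single denial from the other address and the successful call never reach the threshold, which is the behaviour the false-positive note above relies on.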

Install detection rules in Elastic Security

Detect AWS S3 Bucket Enumeration or Brute Force in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.