Elastic Security Detection Rules

AWS S3 Bucket Enumeration or Brute Force

Last updated a month ago on 2025-07-16
Created a year ago on 2024-05-01

About

Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS S3Use Case: Log AuditingTactic: ImpactLanguage: esql
Severity
low
Risk Score
21
MITRE ATT&CK™

Impact (TA0040)(opens in a new tab or window)

Financial Theft (T1657)(opens in a new tab or window)

Discovery (TA0007)(opens in a new tab or window)

Cloud Infrastructure Discovery (T1580)(opens in a new tab or window)

Collection (TA0009)(opens in a new tab or window)

Data from Cloud Storage (T1530)(opens in a new tab or window)

False Positive Examples
Known or internal account IDs or automation
License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

(opens in a new tab or window)

Query
from logs-aws.cloudtrail*

| where
  event.provider == "s3.amazonaws.com"
  and aws.cloudtrail.error_code == "AccessDenied"
  and tls.client.server_name is not null
  and cloud.account.id is not null

// keep only relevant ECS fields
| keep
  tls.client.server_name,
  source.address,
  cloud.account.id

// count access denied requests per server_name, source, and account
| stats
    Esql.event_count = count(*)
  by
    tls.client.server_name,
    source.address,
    cloud.account.id

// Threshold: more than 40 denied requests
| where Esql.event_count > 40

Install detection rules in Elastic Security

Detect AWS S3 Bucket Enumeration or Brute Force in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).