AWS S3 Bucket Enumeration or Brute Force

Last updated 17 days ago on 2024-11-07
Created 7 months ago on 2024-05-01

About

Identifies a high number of failed S3 operations from a single source and account (or the anonymous account) within a short timeframe. This activity can indicate an attempt to inflate an account's bill with excessive random operations, to cause resource exhaustion, or to enumerate bucket names for discovery.
Tags
Domain: Cloud, Data Source: AWS, Data Source: Amazon Web Services, Data Source: AWS S3, Use Case: Log Auditing, Tactic: Impact
Severity
low
Risk Score
21
MITRE ATT&CK™

Impact (TA0040)

Discovery (TA0007)

Collection (TA0009)

False Positive Examples
Known or internal account IDs or automation
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

Query
from logs-aws.cloudtrail*
| where event.provider == "s3.amazonaws.com" and aws.cloudtrail.error_code == "AccessDenied"
// keep only relevant fields
| keep tls.client.server_name, source.address, cloud.account.id
| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id
  // can modify the failed request count or tweak time window to fit environment
  // can add `not cloud.account.id in (KNOWN)` or specify in exceptions
| where failed_requests > 40
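To show what the query computes, the following is an added Python example (not Elastic's code) that re-implements the pipeline, filter on S3 AccessDenied, group by the three fields, count and threshold, over constructed ECS-shaped CloudTrail documents. The lookback window, the known-account exclusion and every sample value are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

THRESHOLD = 40  # the rule's `where failed_requests > 40`
GROUP_BY = ("tls.client.server_name", "source.address", "cloud.account.id")

def make_event(ts, server_name, source, account, error="AccessDenied",
               provider="s3.amazonaws.com"):
    """ECS-shaped CloudTrail document (constructed sample, not real data)."""
    return {"@timestamp": ts, "event.provider": provider, "aws.cloudtrail.error_code": error,
            "tls.client.server_name": server_name, "source.address": source,
            "cloud.account.id": account}

def build_sample_events(base=datetime(2024, 11, 7, 12, 0, tzinfo=timezone.utc)):
    ev = []
    # 45 denied path-style S3 calls from one anonymous source inside two minutes.
    # (Path-style calls share one SNI; per-bucket hostnames would split the count.)
    for i in range(45):
        ev.append(make_event(base + timedelta(seconds=2 * i),
                             "s3.us-east-1.amazonaws.com", "203.0.113.10", "anonymous"))
    # Successful calls (no error code) from the same source: not counted.
    for i in range(10):
        ev.append(make_event(base + timedelta(seconds=i), "s3.us-east-1.amazonaws.com",
                             "203.0.113.10", "anonymous", error=None))
    # Noisy known internal account: suppressed via known_accounts, not by volume.
    for i in range(50):
        ev.append(make_event(base + timedelta(seconds=i), "s3.us-east-1.amazonaws.com",
                             "10.0.0.5", "111111111111"))
    # AccessDenied from a non-S3 provider: dropped by the event.provider filter.
    ev.append(make_event(base, None, "198.51.100.7", "222222222222",
                         provider="iam.amazonaws.com"))
    return ev

def failed_s3_requests(events, threshold=THRESHOLD, known_accounts=frozenset(),
                       window=timedelta(minutes=10), now=None):
    """Mirror the ES|QL pipeline: filter, group, count, apply threshold.
    window/now stand in for the rule's scheduled lookback (assumed; the query has
    no time filter); known_accounts plays the role of the KNOWN list."""
    now = now or max(e["@timestamp"] for e in events)
    counts = Counter()
    for e in events:
        if (e["event.provider"] != "s3.amazonaws.com"
                or e["aws.cloudtrail.error_code"] != "AccessDenied"
                or e["cloud.account.id"] in known_accounts
                or now - e["@timestamp"] > window):
            continue
        counts[tuple(e[f] for f in GROUP_BY)] += 1
    return {key: n for key, n in counts.items() if n > threshold}
```

Without the known-account exclusion the internal account also fires, which is the false-positive case the rule's tuning comment is about.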

Install detection rules in Elastic Security

Detect AWS S3 Bucket Enumeration or Brute Force in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.