AWS S3 Bucket Enumeration or Brute Force

About

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS S3Use Case: Log AuditingTactic: ImpactTactic: DiscoveryTactic: CollectionLanguage: kuery

Severity

low

Risk Score

21

MITRE ATT&CK™

Impact (TA0040)(external, opens in a new tab or window)

↳ Financial Theft (T1657)(external, opens in a new tab or window)

Discovery (TA0007)(external, opens in a new tab or window)

↳ Cloud Storage Object Discovery (T1619)(external, opens in a new tab or window)

Collection (TA0009)(external, opens in a new tab or window)

↳ Data from Cloud Storage (T1530)(external, opens in a new tab or window)

False Positive Examples

External account IDs or broken automation may trigger this rule. For AccessDenied (HTTP 403 Forbidden), S3 doesn't charge the bucket owner when the request is initiated outside of the bucket owner's individual AWS account or the bucket owner's AWS organization.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Threshold Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-aws.cloudtrail-*

Related Integrations

aws(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗  event.dataset: "aws.cloudtrail" and 
  event.provider : "s3.amazonaws.com" and 
  aws.cloudtrail.error_code : "AccessDenied" and 
  tls.client.server_name : *