AWS S3 Bucket Policy Added to Allow Public Access

Last updated: 2025-10-30
Created: 2025-10-30

About

Detects when an Amazon S3 bucket policy is modified to grant public access through a wildcard principal (Principal: "*"). The rule inspects successful PutBucketPolicy events whose request parameters contain both Effect=Allow and a wildcard Principal, which indicates that a permission was extended to all identities and that the bucket or its contents may have become publicly accessible. Publicly exposed S3 buckets are one of the most common causes of sensitive data leaks in AWS environments. Adversaries, or plain misconfiguration, can use such exposure to exfiltrate data, host malicious content, or harvest credentials and logs left in open storage.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS S3
Use Case: Threat Detection
Tactic: Exfiltration
Tactic: Collection
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Exfiltration (TA0010)

Collection (TA0009)

False Positive Examples
The rule does not by itself distinguish whether the same policy also includes Deny statements that restrict public access. If a policy contains both an Allow and a Deny statement with Principal "*", the rule may still trigger, and such cases should be analyzed manually to verify whether the Deny statement effectively negates the exposure. For the same reason, the rule matches Allow statements whose wildcard principal is narrowed by a Condition (for example aws:SourceVpce or aws:SourceIp), which AWS does not evaluate as public. S3 Block Public Access also changes what a hit means: with BlockPublicPolicy enabled the PutBucketPolicy call is rejected and the rule does not fire, while with RestrictPublicBuckets enabled the call succeeds but S3 ignores the public statements, so the rule fires without actual exposure. Checking the bucket's public access block configuration and policy status (for example with aws s3api get-bucket-policy-status) belongs in the triage of every alert.
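To make the detection logic and the false-positive cases above concrete, here is an added triage helper (example code written for this page, not part of Elastic's rule or the aws integration) that evaluates the bucketPolicy from a PutBucketPolicy record structurally instead of by substring. It separates an unconditional Allow to "*" from one narrowed by a Condition and from a policy that also carries a Deny to "*", and it treats a CloudTrail record with an errorCode as a failed call. The sample policies, bucket name, account ID, VPC endpoint ID and IP range are constructed, and the CloudTrail records are abridged to the fields the logic needs.

```python
from typing import Any, Optional

# Constructed sample bucket policies (illustrative, not captured CloudTrail data).
PUBLIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
VPCE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointOnly", "Effect": "Allow",
        "Principal": {"AWS": "*"},  # same anonymous principal as "*"
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}
ALLOW_AND_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        PUBLIC_READ["Statement"][0],
        {
            "Sid": "DenyOutsideCorpRange", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
    ],
}
ACCOUNT_SCOPED = {
    "Version": "2012-10-17",
    "Statement": {  # a single statement may be a bare object rather than a list
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
    },
}


def make_event(policy: dict, error_code: Optional[str] = None) -> dict:
    """Wrap a policy in an abridged, constructed CloudTrail PutBucketPolicy record."""
    record = {
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "requestParameters": {"bucketName": "example-bucket", "bucketPolicy": policy},
    }
    if error_code:  # CloudTrail sets errorCode when the API call failed
        record["errorCode"] = error_code
    return record


def _statements(policy: dict) -> list:
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _is_wildcard_principal(principal: Any) -> bool:
    """True for the anonymous forms "*" and {"AWS": "*"} (or "*" inside the AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def naive_rule_match(event: dict) -> bool:
    """Approximates the rule's two independent substring tests: an Allow effect and a
    wildcard principal anywhere in the policy, not necessarily in the same statement."""
    stmts = _statements(event["requestParameters"]["bucketPolicy"])
    return (any(s.get("Effect") == "Allow" for s in stmts)
            and any(_is_wildcard_principal(s.get("Principal")) for s in stmts))


def classify(event: dict) -> dict:
    """Structured triage verdict: PUBLIC, REVIEW, NOT_PUBLIC or IGNORED, with reasons."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "PutBucketPolicy" or "errorCode" in event):
        return {"verdict": "IGNORED", "reasons": ["not a successful PutBucketPolicy"]}
    reasons = []
    unconditional_allow = conditioned_allow = wildcard_deny = False
    for s in _statements(event["requestParameters"]["bucketPolicy"]):
        if not _is_wildcard_principal(s.get("Principal")):
            continue  # scoped principal: not public by itself
        sid = s.get("Sid", "<no Sid>")
        if s.get("Effect") == "Allow" and s.get("Condition"):
            conditioned_allow = True
            reasons.append(f"{sid}: Allow to * narrowed by Condition {sorted(s['Condition'])}")
        elif s.get("Effect") == "Allow":
            unconditional_allow = True
            reasons.append(f"{sid}: unconditional Allow to *")
        elif s.get("Effect") == "Deny":
            wildcard_deny = True
            reasons.append(f"{sid}: Deny to * present; verify whether it negates the Allow")
    if unconditional_allow and not wildcard_deny:
        verdict = "PUBLIC"
    elif unconditional_allow or conditioned_allow:
        verdict = "REVIEW"
    else:
        verdict = "NOT_PUBLIC"
    return {"verdict": verdict, "reasons": reasons}
```

naive_rule_match fires on the first three sample policies and stays silent on the account-scoped one, which is the rule's behaviour; classify keeps only the unconditional public-read policy as PUBLIC and routes the VPC-endpoint and Allow-plus-Deny cases to REVIEW, where the Block Public Access state of the bucket decides whether anything is actually exposed.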
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
info where event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "PutBucketPolicy" 
    and event.outcome == "success"
    and stringContains(aws.cloudtrail.request_parameters, "Effect=Allow")
    and stringContains(aws.cloudtrail.request_parameters, "Principal=\\*")

Install detection rules in Elastic Security

Detect AWS S3 Bucket Policy Added to Allow Public Access in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.