Multiple denied AWS S3 API calls requiring investigation
Description
AlphaSOC detected multiple denied AWS S3 API calls, suggesting potential unauthorized attempts to access AWS S3 buckets. This activity may signal an adversary's effort to discover and map AWS infrastructure.
Impact
Multiple denied AWS S3 API calls may signify ongoing reconnaissance, in which threat actors attempt to identify vulnerabilities and plan attacks targeting data stored in AWS S3 buckets. If such an attack succeeds, threat actors could exfiltrate, modify, or delete critical information.
Severity
| Severity | Condition |
|---|---|
| Low | Multiple denied AWS S3 API calls requiring investigation |
Investigation and Remediation
Review AWS CloudTrail logs to identify the AWS IAM user or role responsible for the API calls and verify whether they were authorized. If unauthorized, identify and rotate all potentially compromised credentials.
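One way to run the CloudTrail review described above, as an added example that is not AlphaSOC's detection logic: it groups `AccessDenied` S3 events by caller ARN and collects the buckets, actions, source IPs and access keys involved. The `min_denied` threshold, the helper names and all sample records (account ID, users, buckets, IPs, the AWS documentation placeholder key) are constructed assumptions.

```python
import json
from collections import defaultdict

ACCOUNT = "111122223333"  # placeholder account ID, constructed for this example

def _rec(user, name, bucket, ip, error="AccessDenied", source="s3.amazonaws.com"):
    """Build one constructed CloudTrail record using real CloudTrail field names."""
    rec = {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser",
                            "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}",
                            "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},  # placeholder key
           "requestParameters": {"bucketName": bucket} if bucket else None}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample input, shaped like a CloudTrail log file ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("ci-deploy", "GetBucketAcl", "example-finance", "198.51.100.7"),
    _rec("ci-deploy", "GetBucketPolicy", "example-finance", "198.51.100.7"),
    _rec("ci-deploy", "ListObjects", "example-backups", "198.51.100.7"),
    _rec("ci-deploy", "GetObject", "example-backups", "198.51.100.9"),
    _rec("ci-deploy", "DescribeInstances", None, "198.51.100.7",
         error="Client.UnauthorizedOperation", source="ec2.amazonaws.com"),
    _rec("analyst", "GetObject", "example-reports", "203.0.113.20"),
    _rec("analyst", "GetObject", "example-reports", "203.0.113.20", error=None),
]})

def summarize_denied_s3(cloudtrail_json, min_denied=3):
    """Group denied S3 calls by caller ARN; keep callers with >= min_denied (assumed threshold)."""
    out = defaultdict(lambda: {"denied": 0, "actions": set(), "buckets": set(),
                               "source_ips": set(), "access_keys": set()})
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue  # other services are out of scope here
        if rec.get("errorCode") != "AccessDenied":
            continue  # successful calls and other errors are skipped
        ident = rec.get("userIdentity") or {}
        entry = out[ident.get("arn") or ident.get("principalId") or "unknown"]
        entry["denied"] += 1
        entry["actions"].add(rec.get("eventName"))
        entry["source_ips"].add(rec.get("sourceIPAddress"))
        if ident.get("accessKeyId"):
            entry["access_keys"].add(ident["accessKeyId"])  # candidates for rotation
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        if bucket:
            entry["buckets"].add(bucket)
    return {arn: e for arn, e in out.items() if e["denied"] >= min_denied}
```

The returned `access_keys` set per caller is the list to check for rotation if the calls turn out to be unauthorized.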
Known False Positives
- Legitimate scripts or third-party tools configured with incorrect permissions attempting to access S3 buckets