Anomalous use of AWS APIs indicating S3 ACL modifications
Description
AlphaSOC detected the use of AWS APIs that modified access permissions for S3 buckets, objects, or their associated policies and ACLs. These actions could potentially expose sensitive data to unauthorized parties.
Impact
Improper modifications to S3 ACLs can lead to data leaks. Threat actors can exploit these changes to gain access to sensitive data, expose private information, or use S3 buckets for malicious purposes such as data exfiltration or hosting harmful content.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property: action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Investigate the detected operation by reviewing AWS CloudTrail logs to identify the user, client IP, and specific actions performed. Verify if the operations were authorized and part of normal business processes. If unauthorized activity is confirmed, immediately revert the changes to S3 ACLs or policies.
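As an added illustration of the severity table and the triage step above (example code, not AlphaSOC's detection logic), the script below scores CloudTrail records for S3 permission-changing APIs against a baseline of expected properties and pulls out the user, client IP and action an analyst would need. The baseline values, the IP-to-ASN table and the sample records are constructed; the S3 event names are real CloudTrail `eventName` values.

```python
import json

# S3 APIs that change access permissions on buckets, objects or their policies.
ACL_EVENTS = {"PutBucketAcl", "PutObjectAcl", "PutBucketPolicy", "DeleteBucketPolicy"}
# Constructed baseline of this account's expected properties (hypothetical values).
BASELINE = {"action": {"PutBucketPolicy"}, "asn": {"AS64496"},
            "user_agent": {"aws-cli/2.15.0"}, "region": {"eu-west-1"}}
# Constructed IP-to-ASN table standing in for a real enrichment lookup.
IP_TO_ASN = {"203.0.113.10": "AS64496", "198.51.100.7": "AS64511"}
# One, two, and three-or-more unexpected properties, as in the severity table.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}

# Constructed CloudTrail records: a baseline-conforming policy update, an ACL change
# from the usual client, an object ACL change from an unknown client, and a read.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"bucketName": "finance-reports"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"bucketName": "finance-reports"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObjectAcl", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "python-requests/2.31.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q3.xlsx"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
]})

def score_event(rec: dict) -> "dict | None":
    """Finding for one record; None if not an S3 permission change or all properties expected."""
    if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in ACL_EVENTS:
        return None
    observed = {"action": rec["eventName"],
                "asn": IP_TO_ASN.get(rec.get("sourceIPAddress", ""), "unknown"),
                "user_agent": rec.get("userAgent", ""),
                "region": rec.get("awsRegion", "")}
    unexpected = sorted(k for k, v in observed.items() if v not in BASELINE[k])
    if not unexpected:
        return None
    return {"user": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"), "action": rec["eventName"],
            "bucket": rec.get("requestParameters", {}).get("bucketName"),
            "unexpected": unexpected, "severity": SEVERITY[min(len(unexpected), 3)]}

def triage(cloudtrail_json: str) -> list:
    """Score every record in a CloudTrail log file body ({"Records": [...]})."""
    return [f for f in map(score_event, json.loads(cloudtrail_json).get("Records", [])) if f]
```

Running `triage(SAMPLE_LOG)` yields two findings: the `PutBucketAcl` from the usual client rates Informational (one unexpected property), while the `PutObjectAcl` from an unknown ASN, user agent and region rates Medium.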
Known False Positives
- Legitimate administrative actions to update S3 ACLs or bucket policies, such as configuration updates or security policy adjustments for compliance purposes