
Suspicious use of AWS APIs indicating S3 ACL modifications

ID: aws_s3_modify_acl_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0004:T1484

Description

AlphaSOC detected the use of AWS APIs that modified access permissions for S3 buckets, objects, or their associated policies and ACLs. These actions can expose sensitive data to unauthorized parties.

Impact

Improper modifications to S3 ACLs can lead to data leaks. Threat actors can exploit these changes to gain access to sensitive data, expose private information, or use S3 buckets for malicious purposes such as data exfiltration or hosting harmful content.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Investigate the detected operation by reviewing the AWS CloudTrail records to identify the user, client IP, and specific actions performed. Verify whether the operations were authorized and part of normal business processes. If unauthorized activity is confirmed, immediately revert the changes to the S3 ACLs or policies.
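As an added example (not AlphaSOC's own detection code), the following Python applies the severity table above to constructed CloudTrail records and surfaces the user identity an analyst would review first. The list of permission-changing event names, the "asn" enrichment field and the baseline values are assumptions made for the example.

```python
import json

# S3 calls that change bucket/object permissions. Assumed list, not AlphaSOC's rule logic.
ACL_MODIFY_EVENTS = {"PutBucketAcl", "PutObjectAcl", "PutBucketPolicy",
                     "DeleteBucketPolicy", "PutBucketPublicAccessBlock"}

# Hypothetical per-account baseline; "asn" is not a native CloudTrail field, so assume
# the pipeline enriched sourceIPAddress with it before the record reached the rule.
BASELINE = {
    "action": {"PutBucketPolicy"},
    "asn": {"AS16509"},
    "user_agent": {"aws-cli/2.15.0"},
    "region": {"us-east-1"},
}
# Severity table from the rule: 1 unexpected property -> Informational, 2 -> Low, 3 -> Medium.
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}


def unexpected_properties(event, baseline=BASELINE):
    """Names of properties outside the baseline, or None if the event is not an S3 ACL/policy change."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in ACL_MODIFY_EVENTS:
        return None
    observed = {"action": event.get("eventName"), "asn": event.get("asn"),
                "user_agent": event.get("userAgent"), "region": event.get("awsRegion")}
    return [name for name, value in observed.items() if value not in baseline[name]]


def triage(log_lines, baseline=BASELINE):
    """Parse JSON CloudTrail records and return one finding per event that trips the rule."""
    findings = []
    for line in log_lines:
        event = json.loads(line)
        props = unexpected_properties(event, baseline)
        if not props:  # None (rule does not apply) or [] (every property is expected)
            continue
        findings.append({
            "event": event["eventName"],
            "severity": SEVERITY_BY_COUNT[min(len(props), 3)],  # Medium is the rule's ceiling
            "unexpected": props,
            "user": event.get("userIdentity", {}).get("arn"),  # first thing the analyst checks
        })
    return findings


# Constructed sample records (not real CloudTrail output); the third is a read and is ignored.
SAMPLE_LOGS = [
    '{"eventSource":"s3.amazonaws.com","eventName":"PutBucketPolicy","awsRegion":"us-east-1",'
    '"userAgent":"aws-cli/2.15.0","asn":"AS16509","sourceIPAddress":"203.0.113.10",'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"}}',
    '{"eventSource":"s3.amazonaws.com","eventName":"PutBucketAcl","awsRegion":"eu-west-3",'
    '"userAgent":"python-requests/2.31","asn":"AS64496","sourceIPAddress":"198.51.100.7",'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-bot"}}',
    '{"eventSource":"s3.amazonaws.com","eventName":"GetBucketAcl","awsRegion":"us-west-2","asn":"AS64496"}',
]
```

Running `triage(SAMPLE_LOGS)` yields a single Medium finding for the `PutBucketAcl` call, because its action, ASN, user agent and region all fall outside the baseline; the expected `PutBucketPolicy` call and the read-only `GetBucketAcl` call produce nothing.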

Known False Positives

  • Legitimate administrative actions to update S3 ACLs or bucket policies, such as configuration updates or security policy adjustments for compliance purposes