Anomalous use of AWS APIs indicating S3 reconnaissance
Description
AlphaSOC detected the use of AWS APIs suggesting S3 reconnaissance activities. This indicates that an attacker may be gathering information about S3 buckets and objects. Reconnaissance is a critical phase in which adversaries research, identify, and select targets by probing for vulnerabilities or mapping the network.
Impact
Sensitive information about the cloud infrastructure may be used by threat actors to identify vulnerabilities, misconfigurations, or valuable targets within the environment. This knowledge can be used to plan more sophisticated attacks, potentially resulting in data breaches, resource hijacking, or service disruptions.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent, or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify the specific APIs called, the calling identity (user, role, or access key), and the resources accessed. If the reconnaissance was not authorized, revoke the credentials involved, review and tighten the relevant IAM policies, and monitor for further anomalous activity.
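The triage below is an added example, not AlphaSOC's detection logic. It walks a set of CloudTrail records, keeps the S3 calls that look like bucket or object enumeration, compares each call's action, ASN, user agent, and region against a per-principal baseline, and assigns the severity from the table above (one unexpected property is Informational, two is Low, three or more is Medium). It then summarizes, per calling identity, the APIs used, the source networks, and the buckets touched, which is the information the investigation step asks for. The reconnaissance action set, the IP-to-ASN table, the baseline, and the sample events are all assumed or constructed for this example; a real deployment would take the ASN from a GeoIP/ASN feed and the baseline from historical CloudTrail data.

```python
"""Triage CloudTrail records for S3 reconnaissance against a per-principal baseline.

Added example (not AlphaSOC's implementation). Assumptions:
- RECON_ACTIONS is an assumed set of S3 enumeration calls;
- IP_TO_ASN is a constructed lookup standing in for an ASN database;
- BASELINE and SAMPLE_EVENTS are constructed for the example.
"""
import json

# Assumed: S3 read/enumeration calls typical of bucket and object discovery.
RECON_ACTIONS = {
    "ListBuckets", "GetBucketAcl", "GetBucketPolicy", "GetBucketLocation",
    "GetBucketVersioning", "ListObjects", "ListObjectsV2",
}

# Constructed IP -> ASN table (placeholder ASNs, not real attributions).
IP_TO_ASN = {
    "10.0.0.5": "AS64500",        # placeholder corporate egress
    "198.51.100.77": "AS64501",   # placeholder unfamiliar network
}

# Severity per the alert's table; 3 also covers "three or more".
SEVERITY_BY_COUNT = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}
SEVERITY_RANK = {None: 0, "Informational": 1, "Low": 2, "Medium": 3}

# Constructed baseline: what each principal is normally seen doing.
BASELINE = {
    "arn:aws:iam::111122223333:role/backup-automation": {
        "action": {"ListBuckets", "GetBucketLocation"},
        "asn": {"AS64500"},
        "user_agent": {"aws-cli/2.15.0"},
        "region": {"us-east-1"},
    },
}

ROLE = "arn:aws:iam::111122223333:role/backup-automation"
# Constructed CloudTrail-shaped records (only the fields the triage reads).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",  # fully expected
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.5",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": ROLE},
     "requestParameters": {}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy",  # new action + region
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "10.0.0.5",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": ROLE},
     "requestParameters": {"bucketName": "example-finance-archive"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",  # new action, ASN, UA, region
     "awsRegion": "eu-west-3", "sourceIPAddress": "198.51.100.77",
     "userAgent": "python-requests/2.31.0", "userIdentity": {"arn": ROLE},
     "requestParameters": {"bucketName": "example-hr-exports"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",  # not reconnaissance
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.5",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": ROLE},
     "requestParameters": {"bucketName": "example-backups", "key": "db.tar"}},
]


def asn_for(ip):
    return IP_TO_ASN.get(ip, "AS-UNKNOWN")


def principal_of(event):
    ident = event["userIdentity"]
    return ident.get("arn") or ident.get("principalId")


def score_event(event, baseline):
    """Return (principal, unexpected_properties, severity), or None for non-recon calls."""
    if event["eventSource"] != "s3.amazonaws.com" or event["eventName"] not in RECON_ACTIONS:
        return None
    principal = principal_of(event)
    expected = baseline.get(principal, {})  # unknown principal: everything is unexpected
    props = {
        "action": event["eventName"],
        "asn": asn_for(event["sourceIPAddress"]),
        "user_agent": event["userAgent"],
        "region": event["awsRegion"],
    }
    unexpected = sorted(k for k, v in props.items() if v not in expected.get(k, set()))
    return principal, unexpected, SEVERITY_BY_COUNT[min(len(unexpected), 3)]


def triage(events, baseline):
    """One finding per reconnaissance-type call, with the properties an analyst reviews."""
    findings = []
    for event in events:
        scored = score_event(event, baseline)
        if scored is None:
            continue
        principal, unexpected, severity = scored
        params = event.get("requestParameters") or {}
        findings.append({
            "principal": principal, "action": event["eventName"],
            "bucket": params.get("bucketName"), "source_ip": event["sourceIPAddress"],
            "asn": asn_for(event["sourceIPAddress"]),
            "unexpected": unexpected, "severity": severity,
        })
    return findings


def summarize(findings):
    """Per-principal view: APIs used, source networks, buckets touched, worst severity."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["principal"], {
            "actions": set(), "asns": set(), "buckets": set(), "max_severity": None})
        s["actions"].add(f["action"])
        s["asns"].add(f["asn"])
        if f["bucket"]:
            s["buckets"].add(f["bucket"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[s["max_severity"]]:
            s["max_severity"] = f["severity"]
    return summary


if __name__ == "__main__":
    findings = triage(SAMPLE_EVENTS, BASELINE)
    for f in findings:
        print(json.dumps(f))
    for principal, s in summarize(findings).items():
        print(principal, sorted(s["actions"]), sorted(s["asns"]),
              sorted(s["buckets"]), s["max_severity"])
```

To run this over real data, load the `Records` array from a CloudTrail log file and pass it to `triage` in place of `SAMPLE_EVENTS`; note that `ListObjects` calls only appear in CloudTrail when S3 data events are enabled for the bucket, so a baseline built without them will not see object-level enumeration.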
Known False Positives
- Automated scripts or tools used by the IT team for S3 bucket management and monitoring
- Third-party cloud management or optimization tools legitimately querying S3 resources
- Security teams conducting authorized vulnerability assessments or penetration testing
- AWS's own internal processes performing unexpected checks or optimizations on the account