Suspicious use of AWS APIs indicating S3 reconnaissance

ID: aws_s3_reconnaissance_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0007:T1580

Description

AlphaSOC detected the use of AWS APIs suggesting S3 reconnaissance activities. This indicates that an attacker may be gathering information about S3 buckets and objects. Reconnaissance is a critical phase in which adversaries research, identify, and select targets by probing for vulnerabilities or mapping the network.

Impact

Sensitive information about the cloud infrastructure may be used by threat actors to identify vulnerabilities, misconfigurations, or valuable targets within the environment. This knowledge can be used to plan more sophisticated attacks, potentially resulting in data breaches, resource hijacking, or service disruptions.

Severity

Severity       Condition
Informational  One unexpected property (action, ASN, user agent or region)
Low            Two unexpected properties at the same time
Medium         Three unexpected properties at the same time

Investigation and Remediation

Review AWS CloudTrail logs to identify the specific APIs used, the calling entity, and the accessed resources. If the reconnaissance was unauthorized, revoke any credentials, review and tighten IAM policies, and monitor for further anomalous activity.
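The severity table above scores each S3 call by how many of its properties (action, ASN, user agent, region) deviate from what is normal for the calling identity, and the investigation step asks for exactly those fields from CloudTrail. The script below is an added example, not AlphaSOC's detection code: it parses a handful of constructed CloudTrail records, enriches the source IP with an ASN from a constructed lookup table (CloudTrail does not carry the ASN itself), compares the four properties against a hypothetical per-identity baseline, and assigns the severity the table prescribes. The ARN, IP addresses, ASNs and the list of enumeration-style S3 API names are all assumptions made for the example.

```python
"""Score S3 enumeration-style CloudTrail events against a per-identity baseline.

Added example, not the rule's own implementation. All baseline values, IPs,
ASNs and the RECON_ACTIONS list are constructed for illustration.
"""
import json
from typing import Dict, List, Optional, Set

# Constructed baseline: what is normal for one IAM identity (hypothetical ARN).
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "arn:aws:iam::123456789012:user/backup-bot": {
        "actions": {"ListObjects", "GetObject", "PutObject"},
        "asns": {"AS64496"},            # ASN of the host that normally runs the job
        "user_agents": {"aws-cli/2."},  # matched as a prefix of the userAgent field
        "regions": {"us-east-1"},
    }
}

# Constructed IP-to-ASN table standing in for a real ASN/GeoIP enrichment source.
ASN_BY_IP: Dict[str, str] = {"203.0.113.10": "AS64496", "198.51.100.7": "AS64511"}

# S3 API names treated as enumeration-style calls. Assumed list; the rule page
# does not enumerate the APIs it watches.
RECON_ACTIONS: Set[str] = {
    "ListBuckets", "ListObjects", "GetBucketAcl", "GetBucketPolicy",
    "GetBucketLocation", "GetBucketPolicyStatus", "GetBucketPublicAccessBlock",
}


def severity_for(unexpected_count: int) -> Optional[str]:
    """Map the number of unexpected properties to the rule's severity table."""
    if unexpected_count == 0:
        return None
    if unexpected_count == 1:
        return "Informational"
    if unexpected_count == 2:
        return "Low"
    return "Medium"  # three or more unexpected properties


def unexpected_properties(record: dict) -> List[str]:
    """Return which of action / ASN / user agent / region deviate from the baseline."""
    arn = record.get("userIdentity", {}).get("arn", "")
    profile = BASELINE.get(arn)
    if profile is None:
        # Unknown identity: nothing is expected, so every property is unexpected.
        return ["action", "asn", "user_agent", "region"]
    deviations: List[str] = []
    if record["eventName"] not in profile["actions"]:
        deviations.append("action")
    if ASN_BY_IP.get(record["sourceIPAddress"], "unknown") not in profile["asns"]:
        deviations.append("asn")
    user_agent = record.get("userAgent", "")
    if not any(user_agent.startswith(p) for p in profile["user_agents"]):
        deviations.append("user_agent")
    if record["awsRegion"] not in profile["regions"]:
        deviations.append("region")
    return deviations


def score_events(records: List[dict]) -> List[dict]:
    """Score S3 enumeration calls; non-S3 and non-enumeration calls are skipped."""
    findings: List[dict] = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec["eventName"] not in RECON_ACTIONS:
            continue
        deviations = unexpected_properties(rec)
        severity = severity_for(len(deviations))
        if severity is not None:
            findings.append({"eventID": rec["eventID"], "unexpected": deviations,
                             "severity": severity})
    return findings


# Constructed CloudTrail records, trimmed to the fields the scoring uses.
_ARN = "arn:aws:iam::123456789012:user/backup-bot"
SAMPLE_EVENTS: List[dict] = json.loads(json.dumps([
    # e1: fully expected call -> no finding
    {"eventID": "e1", "eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11", "userIdentity": {"arn": _ARN}},
    # e2: unexpected action only -> Informational
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11", "userIdentity": {"arn": _ARN}},
    # e3: action, ASN, user agent and region all unexpected -> Medium
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "python-requests/2.31", "userIdentity": {"arn": _ARN}},
    # e4: expected action from an unexpected region -> Informational
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11", "userIdentity": {"arn": _ARN}},
    # e5: GetObject is not an enumeration call -> skipped by this rule
    {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "python-requests/2.31", "userIdentity": {"arn": _ARN}},
]))

if __name__ == "__main__":
    print(json.dumps(score_events(SAMPLE_EVENTS), indent=2))
```

In practice the baseline would be learned per identity from a trailing window of CloudTrail history rather than hard-coded, and the ASN lookup replaced by a real enrichment source; the scoring logic itself is what the severity table specifies.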

Known False Positives

  • Automated scripts or tools used by the IT team for S3 bucket management and monitoring
  • Third-party cloud management or optimization tools legitimately querying S3 resources
  • Security teams conducting authorized vulnerability assessments or penetration testing
  • AWS's own internal processes performing unexpected checks or optimizations on the account