AWS IAM unexpected modification by S3 Browser
Description
AlphaSOC detected AWS S3 API calls using a user agent associated with third-party S3 browser applications. While these tools have legitimate uses, their presence can indicate that credentials have been exfiltrated and are being used interactively by an attacker to enumerate and access S3 buckets outside of approved applications or automated workflows.
Impact
Unauthorized use of S3 browser tools can lead to sensitive data discovery and exfiltration. Threat actors who obtain AWS credentials may use these GUI tools to interactively navigate bucket contents, download files, or modify objects.
Severity
| Severity | Condition |
|---|---|
| Low | S3 browser tool user agent observed for this identity |
| Medium | Unexpected S3 browser tool usage |
Investigation and Remediation
Review AWS CloudTrail logs for the specific S3 actions performed, including any GetObject, ListBucket, or PutObject calls. Identify the IAM user or role associated with the activity and assess whether the tool use was authorized. If unauthorized, immediately rotate or revoke the credentials, and review the S3 buckets accessed for any downloaded or modified objects. Audit IAM policies to enforce least privilege and restrict S3 access to known application user agents where appropriate.
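The CloudTrail review described above, as an added example that is not part of the AlphaSOC alert description: the Python helper below walks CloudTrail event records, keeps the S3 calls whose user agent matches an S3 browser tool, and summarises per IAM identity which buckets were touched, from which source IPs, which actions were called, and whether any write action means objects may have been modified. The user-agent markers and the sample records are constructed for this example and are not taken from the page; the user agent is chosen by the client, so a match is a lead for the review, not proof of compromise, and a non-match does not rule interactive use out.

```python
import json
from collections import defaultdict

# Illustrative user-agent fragments for GUI S3 browser tools. These are assumed
# for this example, not taken from the alert page; tune them against the
# user-agent strings you actually see in your CloudTrail data.
S3_BROWSER_UA_MARKERS = ("s3 browser", "cyberduck")

# S3 API calls that change bucket contents. Seeing one escalates triage from
# "data may have been read" to "objects may have been modified or removed".
WRITE_ACTIONS = {"PutObject", "DeleteObject", "DeleteObjects", "CopyObject"}


def is_s3_browser_ua(user_agent):
    """True if a CloudTrail userAgent value matches a known S3 browser tool."""
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in S3_BROWSER_UA_MARKERS)


def triage_cloudtrail(records):
    """Summarise S3 events made through an S3 browser tool, per IAM identity.

    records: iterable of CloudTrail event dicts (the objects inside "Records").
    Returns {identity_arn: {"user_agents", "source_ips", "buckets",
    "actions", "modified_objects"}} so an analyst can see who did what, from
    where, and whether anything was written, as the remediation steps require.
    """
    findings = defaultdict(lambda: {
        "user_agents": set(), "source_ips": set(), "buckets": set(),
        "actions": {}, "modified_objects": False,
    })
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if not is_s3_browser_ua(rec.get("userAgent")):
            continue
        arn = rec.get("userIdentity", {}).get("arn", "<unknown identity>")
        f = findings[arn]
        f["user_agents"].add(rec.get("userAgent"))
        if rec.get("sourceIPAddress"):
            f["source_ips"].add(rec["sourceIPAddress"])
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        if bucket:
            f["buckets"].add(bucket)
        action = rec.get("eventName", "<unknown>")
        f["actions"][action] = f["actions"].get(action, 0) + 1
        if action in WRITE_ACTIONS:
            f["modified_objects"] = True
    return dict(findings)


def _event(name, ua, arn, bucket, ip, key=None):
    """Build a minimal CloudTrail-shaped S3 record (constructed sample data)."""
    params = {"bucketName": bucket}
    if key:
        params["key"] = key
    return {
        "eventSource": "s3.amazonaws.com", "eventName": name,
        "userAgent": ua, "sourceIPAddress": ip,
        "userIdentity": {"arn": arn}, "requestParameters": params,
    }


# Constructed sample records: an IAM user browsing and writing via S3 Browser,
# an automated role using the CLI (should not be flagged), and an assumed
# role reading one object via Cyberduck.
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:sts::123456789012:assumed-role/Developer/bob"
SAMPLE_RECORDS = [
    _event("ListBucket", "S3 Browser/11.0", ALICE, "finance-reports", "203.0.113.10"),
    _event("GetObject", "S3 Browser/11.0", ALICE, "finance-reports", "203.0.113.10", "q3/payroll.xlsx"),
    _event("PutObject", "S3 Browser/11.0", ALICE, "finance-reports", "203.0.113.10", "q3/notes.txt"),
    _event("ListBucket", "aws-cli/2.15.0 Python/3.11", "arn:aws:sts::123456789012:assumed-role/etl-job/i-0abc",
           "etl-landing", "10.0.4.7"),
    _event("GetObject", "Cyberduck/8.7", BOB, "dev-artifacts", "198.51.100.5", "build/app.zip"),
]


if __name__ == "__main__":
    for arn, f in triage_cloudtrail(SAMPLE_RECORDS).items():
        printable = {k: sorted(v) if isinstance(v, set) else v for k, v in f.items()}
        print(arn, json.dumps(printable, indent=2))
```

Run against a real trail by loading each log file's `Records` array and passing it to `triage_cloudtrail`; identities with `modified_objects` set deserve the bucket review first. The same substring match is what an IAM policy condition on the `aws:UserAgent` key would enforce when restricting S3 access to known application user agents, with the same caveat that a client can present any user agent it likes, so such a condition is a guardrail against accidents rather than a boundary against an attacker holding the credentials.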
Known False Positives
- Developers or administrators using approved S3 browser tools for legitimate bucket management tasks