AWS API calls indicating S3 buckets discovery in a suspicious way
Description
AlphaSOC detected API calls for listing AWS S3 objects and retrieving information about S3 buckets, potentially indicating discovery attempts by adversaries. These actions gather information about S3 buckets, such as access controls, encryption settings, logging configurations, policies, and stored contents.
Impact
This activity may indicate reconnaissance preceding an attack. Adversaries can use the acquired information to identify potential targets and vulnerabilities within the AWS environment, leading to unauthorized access, data exfiltration, or exploitation of misconfigured AWS S3 buckets.
Severity
Severity | Condition |
---|---|
Low | AWS API calls indicating S3 buckets discovery |
Medium | AWS API calls indicating S3 buckets discovery in a suspicious way |
Investigation and Remediation
Review AWS CloudTrail logs to identify the IAM users or roles responsible for the actions and verify whether they were authorized. If unauthorized, rotate any potentially compromised credentials and conduct a thorough security assessment of your AWS environment to identify and address other potential threats. Consider implementing additional security measures, such as bucket encryption and versioning, to protect sensitive data.
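The first investigation step above, attributing the discovery calls to IAM principals, can be scripted over exported CloudTrail records. The following is an added example, not AlphaSOC's detection logic: the set of event names, the triage ordering, and all sample records (account ID, ARNs, bucket names, IPs) are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumed set of read-only S3 calls covering the categories in the
# description: listing, access controls, encryption, logging, policies.
DISCOVERY_EVENTS = {
    "ListBuckets", "ListObjects", "ListObjectsV2", "GetBucketAcl",
    "GetBucketPolicy", "GetBucketEncryption", "GetBucketLogging",
}

def _rec(arn, event, ip, bucket=None, error=None):
    """Build one constructed CloudTrail record (only the fields used below)."""
    return {"eventSource": "s3.amazonaws.com", "eventName": event,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "errorCode": error,
            "requestParameters": {"bucketName": bucket} if bucket else None}

# Constructed sample data: placeholder account ID, ARNs, buckets, and IPs.
CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"
DEV = "arn:aws:iam::111122223333:user/dev-laptop"
SAMPLE_LOG = json.dumps({"Records": [
    _rec(CI, "ListObjects", "198.51.100.7", "app-artifacts"),
    _rec(DEV, "ListBuckets", "203.0.113.10"),
    _rec(DEV, "GetBucketAcl", "203.0.113.10", "app-artifacts"),
    _rec(DEV, "GetBucketPolicy", "203.0.113.10", "finance-exports", "AccessDenied"),
    _rec(DEV, "GetBucketEncryption", "203.0.113.10", "hr-backups", "AccessDenied"),
    _rec(DEV, "PutObject", "203.0.113.10", "app-artifacts"),  # not discovery
]})

def summarize_discovery(cloudtrail_json):
    """Group S3 discovery calls by calling principal, broadest first."""
    stats = defaultdict(lambda: {"calls": 0, "events": set(),
                                 "buckets": set(), "ips": set(), "denied": 0})
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if (rec.get("eventSource") != "s3.amazonaws.com"
                or rec.get("eventName") not in DISCOVERY_EVENTS):
            continue
        ident = rec.get("userIdentity") or {}
        s = stats[ident.get("arn") or ident.get("principalId") or "unknown"]
        s["calls"] += 1
        s["events"].add(rec["eventName"])
        s["ips"].add(rec.get("sourceIPAddress"))
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        s["buckets"].update([bucket] if bucket else [])
        s["denied"] += rec.get("errorCode") == "AccessDenied"
    # Assumed triage order: most denied calls, then most distinct buckets.
    rank = lambda kv: (kv[1]["denied"], len(kv[1]["buckets"]))
    return sorted(stats.items(), key=rank, reverse=True)

print(*summarize_discovery(SAMPLE_LOG), sep="\n")
```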