Triggers
- A credential was observed suspiciously invoking a set of S3 APIs that permits public access to a given bucket.
Possible Root Causes
- An attacker may be scanning and maliciously modifying configurations around an S3 bucket to enable data exfiltration.
- An IT misconfiguration may have been made by an authorized user which could weaken the posture around an S3 bucket and promote the risk of data loss. • An internal tool is scanning the buckets for security reasons.
Business Impact
- Malicious or unintentional weakening of security posture controls around S3 buckets are commonly associated with data loss.
Steps to Verify
- Investigate the account context that made the change for other signs of malicious activity.
- Investigate for data loss.
- Verify if the S3 bucket in question is authorized for public access.
- If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.