AWS S3 Public Access Block removed

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Framework:

pci

Control:

7.2.1

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when the S3 Public Access Block configuration has been removed

Strategy

This rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:

Triage and response

  1. Determine who the user was who made this API call.
  2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.
  3. Re-enable Public Access Block on the S3 bucket.

More details on S3 Public Block Public Access can be found here.

Changelog

  • 18 March 2022 - Updated severity and query.
  • 31 October 2022 - Updated severity.
PREVIEWING: aliciascott/DOCS-9725-Cloudcraft