Anomalous S3 bucket activity from user ARN

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an AWS user performs S3 bucket write activities they do not usually perform.

Strategy

Monitor cloudtrail logs for S3 Data Plane events (@eventCategory:Data) to detect when an AWS User (@userIdentity.arn) is detected performing anomalous S3 Write (@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)) API calls.

Triage and response

  1. Determine if user: {{@userIdentity.arn}} should be performing the: {{@evt.name}} API calls.
    • Use the Cloud SIEM - User Investigation dashboard to assess user activity.
  2. If not, investigate the user: {{@userIdentity.arn}} for indicators of account compromise and rotate credentials as necessary.

Changelog

27 October 2022 - Updated tags.

PREVIEWING: may/unit-testing