AWS S3 Bucket ACL made public
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when an S3 bucket policy is made public.
Strategy
This rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:
This rule inspects the @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI array to determine if either of the strings are contained:
http://acs.amazonaws.com/groups/global/AuthenticatedUsershttp://acs.amazonaws.com/groups/global/AllUsers
A match of either of these string indicates the S3 bucket policy is made public.
Triage and response
- Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.
- Contact the principal owner and see if this was an API call that was made by the user.
- If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.
- Rotate the credentials.
- Investigate if the same credentials made other unauthorized API calls.
Changelog
7 April 2022 - Updated rule and signal message.
