Anomalous S3 bucket activity from user ARN
Goal
Detect when an AWS user performs S3 bucket write activities they do not usually perform.
Strategy
Monitor CloudTrail logs for S3 data plane events (@eventCategory:Data) to detect when an AWS user (@userIdentity.arn) performs anomalous S3 write API calls (@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)), that is, write calls that user does not normally make.
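The following is an added example, not Datadog's rule implementation, showing the strategy above as offline detection logic: filter CloudTrail records to S3 data-plane write events using the same name prefixes as the rule, build a per-user baseline of the write APIs each ARN has used, then flag writes in a later window that fall outside that baseline. The field names follow CloudTrail's JSON (eventCategory, eventSource, eventName, userIdentity.arn, requestParameters.bucketName); the ARNs, bucket names and the two record windows are constructed for the example.

```python
# Added example, not Datadog's rule code: a minimal version of the strategy
# above, run offline over constructed CloudTrail-style records. Field names
# follow CloudTrail's JSON; the ARNs, buckets and windows are made up.
import fnmatch
from collections import defaultdict

# S3 write API name prefixes from the rule's @evt.name filter.
WRITE_PATTERNS = ("Abort*", "Create*", "Delete*", "Initiate*",
                  "Put*", "Replicate*", "Update*")


def is_s3_write_data_event(record):
    """True for S3 data-plane events whose name matches a write prefix.
    Management-plane events such as CreateBucket are excluded by
    eventCategory, matching the rule's @eventCategory:Data filter."""
    if record.get("eventCategory") != "Data":
        return False
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    name = record.get("eventName", "")
    return any(fnmatch.fnmatchcase(name, p) for p in WRITE_PATTERNS)


def build_baseline(records):
    """Map each user ARN to the set of S3 write API names it has used."""
    baseline = defaultdict(set)
    for r in records:
        if is_s3_write_data_event(r):
            baseline[r["userIdentity"]["arn"]].add(r["eventName"])
    return dict(baseline)


def find_anomalies(baseline, records):
    """Return (arn, eventName, bucket) for S3 writes a user has not made
    before. A user absent from the baseline is flagged on every write, so a
    short baseline window over-alerts on newly created principals."""
    hits = []
    for r in records:
        if not is_s3_write_data_event(r):
            continue
        arn = r["userIdentity"]["arn"]
        name = r["eventName"]
        if name not in baseline.get(arn, set()):
            bucket = r.get("requestParameters", {}).get("bucketName")
            hits.append((arn, name, bucket))
    return hits


def _rec(category, name, arn, bucket):
    """Build a constructed CloudTrail-style record for the sample windows."""
    return {"eventCategory": category, "eventSource": "s3.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket}}


CI = "arn:aws:iam::123456789012:user/ci-deployer"    # constructed ARN
ANALYST = "arn:aws:iam::123456789012:user/analyst"   # constructed ARN

# Constructed baseline window: ci-deployer only uploads; analyst only reads.
BASELINE_RECORDS = [
    _rec("Data", "PutObject", CI, "app-artifacts"),
    _rec("Data", "PutObject", CI, "app-artifacts"),
    _rec("Data", "GetObject", ANALYST, "prod-backups"),
]

# Constructed detection window.
DETECTION_RECORDS = [
    _rec("Data", "PutObject", CI, "app-artifacts"),       # usual for ci-deployer
    _rec("Data", "DeleteObject", CI, "prod-backups"),     # new write API for ci-deployer
    _rec("Data", "PutObject", ANALYST, "prod-backups"),   # analyst never wrote before
    _rec("Data", "GetObject", ANALYST, "prod-backups"),   # read, out of scope
    _rec("Management", "CreateBucket", ANALYST, "new-bkt"),  # management plane, out of scope
]


def run_detection():
    """Baseline on the first window, then flag anomalies in the second."""
    return find_anomalies(build_baseline(BASELINE_RECORDS), DETECTION_RECORDS)


if __name__ == "__main__":
    for arn, name, bucket in run_detection():
        print(f"anomalous S3 write: {arn} {name} on {bucket}")
```

Two points carry over to the real rule: the @eventCategory:Data filter means S3 data events must actually be enabled in the trail (they are not logged by default, so the rule sees nothing otherwise), and a baseline built over too short a window will flag every write by a principal that did not exist yet, which is the main source of noise when tuning this kind of signal.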
Triage and response
- Determine whether the user {{@userIdentity.arn}} should be performing the {{@evt.name}} API calls.
- Use the Cloud SIEM - User Investigation dashboard to assess the user's activity.
- If the activity is not expected, investigate the user {{@userIdentity.arn}} for indicators of account compromise and rotate the user's credentials as necessary.
Changelog
27 October 2022 - Updated tags.