S3 Bucket Permissions Modified
Overview
This detector monitors CloudTrail for events that indicate that the permissions for an S3 bucket have been modified.
There are multiple bucket-level permissions that may apply to an S3 bucket:
- The S3 Block Public Access feature can be configured to block public access in multiple ways:
  - Directly restrict access to a bucket to only AWS services and authorized users within the bucket owner's account
  - Reject calls to set bucket policies that allow public access
  - Reject calls to set ACLs that allow public access
  - Ignore ACLs that allow public access
- The Bucket Policy can permit or deny access to read, modify, and delete the configuration of an S3 bucket as well as objects within the bucket.
- The Bucket Access Control List (ACL) can permit or deny access to read, modify, and delete objects within the bucket. Bucket ACLs can also permit or deny modifications of bucket and object ACLs.
The following CloudTrail events can trigger this detector:
- The setting for blocking public access on this bucket was modified (CloudTrail event: 'PutBucketPublicAccessBlock')
- The bucket's policy was created, modified, or replaced (CloudTrail event: 'PutBucketPolicy')
- The bucket's policy was deleted (CloudTrail event: 'DeleteBucketPolicy')
- The bucket's access control list (ACL) was created, updated, or replaced (CloudTrail event: 'PutBucketAcl')
A change to the permissions for an S3 bucket could indicate an attacker is attempting data exfiltration, possibly to another AWS account.
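The matching logic described above, as an added example that is not the vendor's detector code: it filters CloudTrail records for the four event names listed and, for the two events whose parameters carry the new setting, marks whether the change loosens protection toward public access. The layout of `requestParameters`, `BLOCK_KEYS` and the sample records are assumptions modelled on typical CloudTrail S3 records, not taken from this page.

```python
import json

# The four CloudTrail eventNames the detector fires on (from the page).
BUCKET_PERMISSION_EVENTS = {"PutBucketPublicAccessBlock", "PutBucketPolicy",
                            "DeleteBucketPolicy", "PutBucketAcl"}
# Block Public Access settings (assumed names); False on any of them weakens the guard.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")

def _allows_everyone(policy):
    """True if any Allow statement names a wildcard principal (assumed policy shape)."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    stmts = policy.get("Statement", [])
    for s in stmts if isinstance(stmts, list) else [stmts]:
        p = s.get("Principal")
        p = p.get("AWS") if isinstance(p, dict) else p
        if s.get("Effect") == "Allow" and "*" in (p if isinstance(p, list) else [p]):
            return True
    return False

def classify_record(record):
    """Return a finding dict for a bucket permission change, else None.
    The requestParameters layout is assumed from typical CloudTrail S3 records."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return None
    name = record.get("eventName")
    if name not in BUCKET_PERMISSION_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    finding = {"event": name, "bucket": params.get("bucketName"),
               "public_exposure": None}  # None: not decidable from this event alone
    if name == "PutBucketPublicAccessBlock":
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        finding["public_exposure"] = any(cfg.get(k) is False for k in BLOCK_KEYS)
    elif name == "PutBucketPolicy" and "bucketPolicy" in params:
        finding["public_exposure"] = _allows_everyone(params["bucketPolicy"])
    return finding

# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock",
     "requestParameters": {"bucketName": "finance-data",
                           "PublicAccessBlockConfiguration": {
                               "BlockPublicAcls": False, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "finance-data", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-data/*"}]}}},
]
```

A `public_exposure` of `None` (the `DeleteBucketPolicy` and `PutBucketAcl` cases here) means the event alone does not say whether the bucket became public, so the analyst should pull the bucket's current settings before closing the alert.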
Vendor
AWS
Severity
3