From 72bed89fdf48f3134d9e2d5974c4898fce240f83 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Mon, 8 Sep 2025 17:06:14 -0400
Subject: [PATCH 1/5] [Rule Tuning] AWS S3 Unauthenticated Bucket Access by Rare Source
No query changes as this rule is alerting as expected, however I did change the new terms field to be a combination of an IP address and a particular bucket name. Rather than just alerting for the IP address itself. Perhaps an IP is seen retrieving a doc from a public bucket in the environment (expected behavior) but then it also accesses a file in a bucket meant to be private (unexpected behavior). With new terms only on the IP address we would miss the private bucket access.
- added `tls.client.server_name` to new terms field (bucket name)
- reduced execution window
- removed duplicate IG
- added setup note for turning on data events
- small edits to description and highlighted fields
---
 ...nticated_bucket_access_by_rare_source.toml | 56 +++++-------------
 1 file changed, 13 insertions(+), 43 deletions(-)
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
index ba92d830c75..d4098f3e35a 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
@@ -10,12 +10,9 @@ description = """
 Identifies AWS CloudTrail events where an unauthenticated source is attempting to access an S3 bucket. This activity may indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing sensitive data
 to unauthorized users. Adversaries can specify `--no-sign-request` in the AWS CLI to retrieve objects from an S3 bucket
-without authentication. This is a [New
-Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it
-will only trigger once for each unique value of the `source.address` field that has not been seen making this API
-request within the last 7 days. This field contains the IP address of the source making the request.
+without authentication. This is a New Terms rule, which means it will trigger for each unique combination of the source.address and targeted bucket name that has not been seen making this API request.
 """
-from = "now-9m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail*"]
 language = "kuery"
 license = "Elastic License v2"
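Review bot: The rewritten description no longer mentions the look-back window, yet the rule still sets `history_window_start` to `now-7d` (hunk at -192), and the investigation note kept as context at -27 still says the rule "triggers when an unauthenticated IP address ... has not been seen in the last 7 days", so the description and the note now describe two different terms. Keep the window in the sentence, e.g. `without authentication. This is a New Terms rule, which means it will trigger for each unique combination of the source.address and targeted bucket name that has not been seen making this API request within the last 7 days.`, and reword the note's sentence to the IP-and-bucket wording in the same commit. The new line is also left unwrapped while the surrounding description lines are wrapped; reflow it to match. `from` drops from `now-9m` to `now-6m`; the rule's `interval` is outside this hunk, so please confirm the remaining overlap still covers CloudTrail's delivery delay, otherwise the narrower window can quietly miss late-arriving events rather than just run faster.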
@@ -27,37 +24,6 @@ note = """## Triage and analysis
 
 ### Investigating AWS S3 Unauthenticated Bucket Access by Rare Source
 
-Amazon S3 is a scalable storage service used for data storage and retrieval. Misconfigured bucket policies can inadvertently allow public access, posing a risk of unauthorized data exposure. Adversaries exploit this by using unauthenticated requests to access data. The detection rule identifies unusual access attempts from new IP addresses, signaling potential misuse and prompting further investigation.
-
-### Possible investigation steps
-
-- Review the CloudTrail logs to identify the specific S3 bucket involved in the unauthenticated access attempt and determine the nature of the accessed data.
-- Examine the source IP address from the `source.address` field to assess its origin and determine if it is associated with known malicious activity or if it is a legitimate but misconfigured source.
-- Check the S3 bucket policy and permissions to identify any misconfigurations that might allow public access, focusing on policies that include "Principal": "*".
-- Investigate the `aws.cloudtrail.user_identity.type` field to confirm if the access was made by an "AWSAccount" or "Unknown" identity, and determine if this aligns with expected behavior.
-- Assess the `event.action` field to understand the type of operation performed (e.g., "GetObject", "PutObject") and evaluate the potential impact of the access.
-- Review recent changes to the S3 bucket configuration or IAM policies that might have inadvertently allowed public access, and correlate these with the timing of the alert.
-- If unauthorized access is confirmed, take immediate steps to secure the bucket by updating the bucket policy to restrict access and consider enabling logging and monitoring for future access attempts.
-
-### False positive analysis
-
-- Frequent access from known internal IP addresses may trigger the rule. To manage this, create exceptions for IP addresses that are part of your organization's network and regularly access S3 buckets without authentication.
-- Automated scripts or tools used for legitimate business processes might use unauthenticated requests. Identify these scripts and exclude their IP addresses from triggering the rule by adding them to an allowlist.
-- Third-party services that require access to your S3 buckets might appear as unauthenticated sources. Verify these services and, if deemed safe, exclude their IP addresses from the rule to prevent false positives.
-- Temporary testing environments or development setups might use unauthenticated access for convenience. Ensure these environments are documented and their IP addresses are excluded from the rule to avoid unnecessary alerts.
-
-### Response and remediation
-
-- Immediately revoke public access to the affected S3 bucket by updating the bucket policy to restrict access to only authorized users and roles.
-- Identify and terminate any unauthorized sessions or connections from the IP addresses flagged in the alert to prevent further unauthorized access.
-- Conduct a thorough review of the S3 bucket's access logs to determine the extent of data exposure and identify any sensitive data that may have been accessed.
-- Notify the security team and relevant stakeholders about the potential data exposure incident and provide them with details of the affected resources and actions taken.
-- Implement additional monitoring and alerting for unusual access patterns to S3 buckets, focusing on unauthenticated access attempts and access from rare IP addresses.
-- Escalate the incident to the organization's incident response team for further investigation and to determine if additional containment or remediation actions are necessary.
-- Review and update the organization's cloud security policies and access controls to prevent similar misconfigurations in the future, ensuring that all S3 buckets have appropriate access restrictions.
-
-## Investigating AWS S3 Unauthenticated Bucket Access by Rare Source
-
 This rule detects requests to an AWS S3 bucket by an unauthenticated source, which could indicate a misconfigured bucket policy allowing public access. Adversaries can exploit this misconfiguration by using tools or AWS CLI options like `--no-sign-request` to access bucket contents. The rule triggers when an unauthenticated IP address retrieves an object, and that IP has not been seen in the last 7 days.
@@ -127,6 +93,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "59bf26c2-bcbe-11ef-a215-f661ea17fbce"
+setup = "S3 data events must be enabled in CloudTrail to capture the GetObject, PutObject, ListObjects, and DeleteObject actions. Ensure that the AWS CloudTrail service is configured to log data events for the S3 bucket you'd like to monitor."
 severity = "medium"
 tags = [
 "Domain: Cloud",
@@ -192,23 +159,26 @@ id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
- "cloud.account.id",
- "aws.cloudtrail.user_identity.type",
- "source.address",
 "user_agent.original",
- "aws.cloudtrail.resources.arn",
+ "source.ip",
+ "tls.client.server_name"
+ "aws.cloudtrail.resources.arn",
+ "aws.cloudtrail.resources.type",
+ "aws.cloudtrail.resources.account_id"
 "event.action",
 "event.outcome",
+ "cloud.account.id",
 "cloud.region",
- "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.request_parameters"
 ]
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["source.address"]
+value = ["source.address", "tls.client.server_name"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
From c7467c8b0097539ceec17650a923e3e5174d0311 Mon Sep 17 00:00:00 2001
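Review bot: The new `setup` text tells operators to log data events "for the S3 bucket you'd like to monitor", but the rule's own description (hunk at -10) targets buckets whose policy was misconfigured to allow public access, which are usually not the buckets anyone chose to monitor, and a bucket without data events produces no alerts rather than an error, so the gap is silent. I would recommend enabling S3 data events for all buckets in the trail and say so, e.g. append `Enable data-event logging for all S3 buckets, not only selected ones: the rule cannot alert on buckets whose events are not logged.` to the setup string. Whether the query actually filters on the four listed actions is not visible in this diff; if it does not, drop the action list so the setup note does not drift from the query.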
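Review bot: The `field_names` array in this hunk is not valid TOML: the added `"tls.client.server_name"` and `"aws.cloudtrail.resources.account_id"` lines lack a trailing comma and the comma after `"aws.cloudtrail.request_parameters"` was removed, so the rule file does not parse at this commit; commits c7467c8, aababa7 and fe4b9b6 add the three commas one at a time and are better squashed into this one so every commit in the series loads. On the `new_terms` change, `tls.client.server_name` is, as far as I can tell, populated from the client-provided Host header, so a path-style request to the regional endpoint or an event where the integration leaves the field unset carries no bucket name; please confirm how a New Terms rule treats documents missing one of its fields, because if those documents are skipped this tuning replaces the IP-only term with a blind spot on exactly those requests. The highlighted fields also swap `source.address` for `source.ip` while the rule keys on `source.address`; keeping `"source.address",` in `field_names` shows analysts the value that actually produced the term.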
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Mon, 8 Sep 2025 17:06:37 -0400
Subject: [PATCH 2/5] Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
---
 ...lection_s3_unauthenticated_bucket_access_by_rare_source.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
index d4098f3e35a..3c5097d7048 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
@@ -165,7 +165,7 @@ field_names = [
 "@timestamp",
 "user_agent.original",
 "source.ip",
- "tls.client.server_name"
+ "tls.client.server_name",
 "aws.cloudtrail.resources.arn",
 "aws.cloudtrail.resources.type",
 "aws.cloudtrail.resources.account_id"
From aababa7566dcada4f56516a3fb91c090c66f1071 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Mon, 8 Sep 2025 17:25:02 -0400
Subject: [PATCH 3/5] Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
---
 ...lection_s3_unauthenticated_bucket_access_by_rare_source.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
index 3c5097d7048..c567a28bdb2 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
@@ -173,7 +173,7 @@ field_names = [
 "event.outcome",
 "cloud.account.id",
 "cloud.region",
- "aws.cloudtrail.request_parameters"
+ "aws.cloudtrail.request_parameters",
 ]
 
 [rule.new_terms]
From d24c9960537ffb026cc84cdfc72f9036dd801861 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Mon, 8 Sep 2025 17:33:14 -0400
Subject: [PATCH 4/5] Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
---
 ...lection_s3_unauthenticated_bucket_access_by_rare_source.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
index c567a28bdb2..7a0c27e3bcf 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
@@ -9,7 +9,7 @@ author = ["Elastic"]
 description = """
 Identifies AWS CloudTrail events where an unauthenticated source is attempting to access an S3 bucket. This activity may indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing sensitive data
-to unauthorized users. Adversaries can specify `--no-sign-request` in the AWS CLI to retrieve objects from an S3 bucket
+to unauthorized users. Adversaries can specify --no-sign-request in the AWS CLI to retrieve objects from an S3 bucket
 without authentication. This is a New Terms rule, which means it will trigger for each unique combination of the source.address and targeted bucket name that has not been seen making this API request.
 """
 from = "now-6m"
From fe4b9b6335c331a11d4a370b3e028b13c70343a6 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Mon, 8 Sep 2025 17:49:13 -0400
Subject: [PATCH 5/5] Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
---
 ...lection_s3_unauthenticated_bucket_access_by_rare_source.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
index 7a0c27e3bcf..a7733c8b473 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
@@ -168,7 +168,7 @@ field_names = [
 "tls.client.server_name",
 "aws.cloudtrail.resources.arn",
 "aws.cloudtrail.resources.type",
- "aws.cloudtrail.resources.account_id"
+ "aws.cloudtrail.resources.account_id",
 "event.action",
 "event.outcome",
 "cloud.account.id",