
Quick Start Security for Amazon S3 Server Access


Coralogix Extension For Amazon S3 Server Access Includes:

Alerts - 8

Stay on top of Amazon S3 Server Access key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Bucket versioning configuration Changed

This alert triggers when the S3 bucket versioning configuration is changed. Bucket versioning keeps multiple variants of an object in the same bucket: you can use S3 Versioning to preserve, retrieve, and restore every version of every object stored in your buckets, and so recover easily from both unintended user actions and application failures. Server access logging provides detailed records for the requests that are made to an Amazon S3 bucket; see the Amazon S3 server access logging documentation for details: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html

Impact: A threat actor can disable versioning on an S3 bucket to prevent the bucket owner from restoring deleted data.

Mitigation: Check whether the user is aware of this action and whether it is legitimate. If bucket versioning was disabled, revert the change and investigate further for any suspicious activity in the network.

MITRE Tactic: TA0005. MITRE Technique: T1562.

Excessive Objects Deleted by a Source

This alert detects when a specific source makes multiple successful object deletion requests against an Amazon S3 bucket. Server access logging provides detailed records for the requests that are made to an Amazon S3 bucket; see the Amazon S3 server access logging documentation for details: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html

Impact: A threat actor may delete data from an S3 bucket to disrupt the business operations of an organization.

Mitigation: Check whether the activity is legitimate and whether the user is aware of it. If not, investigate further. Administrators should also make sure that their data is backed up regularly.

MITRE Tactic: TA0040. MITRE Technique: T1485.

No logs from Amazon S3 Server Access

This rule detects when no Amazon S3 Server Access logs have arrived in the customer account in the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic adversaries employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005. MITRE Technique: T1562.

Excessive HTTP Error Codes Generated

This alert triggers when a specific source makes multiple requests that result in an excessive number of HTTP error codes. The requests can be anything: uploading objects to the S3 bucket, downloading objects from the bucket, deleting objects from the bucket, scanning activity if the bucket is open to the public, and so on. Server access logging provides detailed records for the requests that are made to an Amazon S3 bucket; see the Amazon S3 server access logging documentation for details: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html

Impact: A threat actor without adequate privileges who makes multiple requests to an S3 bucket for different operations may generate multiple 'AccessDenied' error codes within a short interval of time.

Mitigation: Check whether the user is aware of the activity. If not, investigate further for any suspicious activity in the network. If the error code persists, administrators should make sure that the user making the requests has adequate privileges to carry out the operations. Additionally, if the remote IP is scanning the bucket, investigate the IPs and the activity and, if necessary, block the IPs. Check the value of the 'error_code' field in the logs for more insight.

MITRE Tactic: TA0006. MITRE Technique: T1110.

Insecure Access to S3 Bucket Objects

This alert triggers if a client's request to an S3 bucket is made over HTTP rather than HTTPS.

Impact: When Amazon S3 buckets are not configured to strictly require SSL/TLS connections, the communication between the buckets and their clients (users and applications) is vulnerable to eavesdropping and Man-in-the-Middle (MITM) attacks.

Mitigation: If the request is not over HTTPS/TLS, investigate whether the request is legitimate and whether the IP making the request is malicious. Also, configure S3 buckets to accept connection requests only over HTTPS/TLS.

MITRE Tactic: TA0011. MITRE Technique: T1071. MITRE Sub-Technique: 001.

Unauthenticated/Anonymous Requests Observed

This alert triggers when requests made to the Amazon S3 bucket are unauthenticated or anonymous. For such requests, the value of the 'requester' field is '-' or 'anonymous'. If the requester is an IAM user, the field instead contains the IAM user name of the requester and the AWS root account that the IAM user belongs to. Server access logging provides detailed records for the requests that are made to an Amazon S3 bucket; see the Amazon S3 server access logging documentation for details: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html

Impact: An internal or external threat actor may make unauthenticated requests to S3 buckets in order to remain anonymous.

Mitigation: Check whether the request is legitimate and whether the user is aware of it. If not, investigate further for any suspicious activity. Following security best practices, administrators should make sure that anonymous/unauthenticated requests to S3 are not allowed; see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html

MITRE Tactic: TA0008. MITRE Technique: T1210.

Request required an ACL for authorization

This alert triggers whenever a request requires an access control list (ACL) for authorization. If the request required an ACL for authorization, the field value is 'Yes'; if no ACL was required, the value is '-'.

Impact: With ACLs enabled, control over an object rests with the object owner, who can grant access to other principals, including malicious actors, giving them permission to upload, delete, and modify objects in your bucket.

Mitigation: AWS recommends disabling ACLs, except in unusual circumstances where you must control access for each object individually. To disable ACLs and take ownership of every object in your bucket, apply the bucket owner enforced setting for S3 Object Ownership. See the following for more details: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html and https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html

MITRE Tactic: TA0005. MITRE Technique: T1562. MITRE Sub-Technique: 010.

Requests authenticated using signature version 2

This alert triggers when Signature Version 2 (SigV2) is used to authenticate a request.

Impact: Amazon S3 lets you identify which API signature version was used to sign a request. It is important to identify any workflows still using Signature Version 2 signing and upgrade them to Signature Version 4 to prevent impact on your business.

Mitigation: As per AWS documentation, Amazon S3 support for Signature Version 2 is being turned off (deprecated). After that, Amazon S3 will no longer accept requests that use Signature Version 2, and all requests must use Signature Version 4 signing. It is therefore recommended not to accept requests authenticated with Signature Version 2 and to migrate any remaining workflows to Signature Version 4. See the following for more details: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-s3-access-logs-to-identify-requests.html#using-s3-access-logs-to-identify-sigv2-requests

MITRE Tactic: TA0001. MITRE Technique: T1190.
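To make the log-field conditions behind these alerts concrete, the following added example (not Coralogix's or AWS's code) parses S3 server access log records in the standard AWS field order and evaluates the anonymous-requester, plain-HTTP, ACL-required and SigV2 conditions above, plus the per-source error-code and deletion volume checks. It assumes a plain-HTTP request is identified by the cipher suite and TLS version fields both being '-', and the alert thresholds and sample records are constructed for illustration.

```python
import re
from collections import Counter

# Field order of an S3 server access log record; time is bracketed, URI/referer/UA are quoted.
FIELDS = ("bucket_owner bucket time remote_ip requester request_id operation key "
          "request_uri http_status error_code bytes_sent object_size total_time "
          "turn_around_time referer user_agent version_id host_id signature_version "
          "cipher_suite auth_type host_header tls_version access_point_arn "
          "acl_required").split()
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def parse(line):
    """Tokenise one record into a dict; absent trailing fields become '-'."""
    toks = [t.strip('[]"') for t in TOKEN.findall(line)]
    return dict(zip(FIELDS, toks + ["-"] * (len(FIELDS) - len(toks))))

def flags(rec):
    """Single-record conditions behind the alerts described on this page."""
    out = []
    if rec["requester"] in ("-", "anonymous"):
        out.append("anonymous_request")
    if rec["cipher_suite"] == "-" and rec["tls_version"] == "-":
        out.append("insecure_http")   # assumption: no cipher/TLS negotiated => plain HTTP
    if rec["acl_required"] == "Yes":
        out.append("acl_required")
    if rec["signature_version"] == "SigV2":
        out.append("sigv2_auth")
    return out

def analyze(lines, error_threshold=3, delete_threshold=3):
    """Per-record flags plus the two volume alerts, keyed by remote IP (thresholds assumed)."""
    recs = [parse(l) for l in lines if l.strip()]
    errors = Counter(r["remote_ip"] for r in recs if r["error_code"] != "-")
    deletes = Counter(r["remote_ip"] for r in recs
                      if r["operation"].startswith("REST.DELETE") and r["http_status"] == "204")
    return {"flags": {r["request_id"]: flags(r) for r in recs},
            "excessive_errors": sorted(ip for ip, n in errors.items() if n >= error_threshold),
            "excessive_deletes": sorted(ip for ip, n in deletes.items() if n >= delete_threshold)}

# Constructed sample records (not real AWS output), 26 fields each.
SAMPLE = [
    'OWNER examplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 - REQ1 REST.GET.OBJECT secret.txt "GET /secret.txt HTTP/1.1" 200 - 113 113 7 - "-" "curl/8.0" - HOSTID - - - examplebucket.s3.amazonaws.com - - Yes',
    'OWNER examplebucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice REQ2 REST.PUT.OBJECT a.txt "PUT /a.txt HTTP/1.1" 403 AccessDenied - - 5 - "-" "aws-cli/1.16" - HOSTID SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.amazonaws.com TLSV1.2 - -',
] + [
    f'OWNER examplebucket [06/Feb/2019:00:01:0{i} +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice REQ{i} REST.GET.OBJECT b.txt "GET /b.txt HTTP/1.1" 403 AccessDenied - - 4 - "-" "aws-cli/1.16" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.amazonaws.com TLSV1.2 - -'
    for i in (3, 4)
] + [
    f'OWNER examplebucket [06/Feb/2019:00:02:0{i} +0000] 203.0.113.9 arn:aws:iam::123456789012:user/bob REQ{i} REST.DELETE.OBJECT f{i}.txt "DELETE /f{i}.txt HTTP/1.1" 204 - - - 3 - "-" "aws-sdk-go/1.44" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.amazonaws.com TLSV1.2 - -'
    for i in (5, 6, 7)
]
```

Running `analyze(SAMPLE)` flags REQ1 as anonymous, plain HTTP and ACL-required, REQ2 as SigV2, and reports 198.51.100.7 for excessive errors and 203.0.113.9 for excessive deletes.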

Integration

Learn more about Coralogix's out-of-the-box integration with Amazon S3 Server Access in our documentation.
