AWS S3 Bucket Policy Added to Allow Public Access
An AWS S3 bucket policy was modified to grant public access using a wildcard (Principal:"*") statement, potentially allowing data exfiltration or malicious content hosting.
The rule detects modifications to Amazon S3 bucket policies where permissions are extended to all identities, including unauthenticated users, by using a wildcard principal (Principal:"*"). This is achieved via the PutBucketPolicy API call with Effect=Allow. Publicly exposing an S3 bucket is a common cause of sensitive data leaks in AWS environments. Adversaries or misconfigurations can leverage this exposure to exfiltrate data, host malicious content, or collect credentials and logs left in open storage. This rule focuses on policy-based exposure rather than ACL-based or block-public-access configurations and was initially created on 2025/10/30, with the last update on 2026/04/10. It's crucial to review such changes to prevent unauthorized access and potential data breaches.
Attack Chain
- An attacker gains access to an AWS account through compromised credentials or a misconfigured IAM role.
- The attacker identifies an S3 bucket containing sensitive data.
- The attacker modifies the bucket policy using the
PutBucketPolicyAPI call. - The modified bucket policy includes an
Effect=Allowstatement withPrincipal:"*", granting public access. - The attacker (or anyone) can now access the bucket's contents using the S3 API or tools like
aws s3 cp. - The attacker exfiltrates the sensitive data to an external location.
- Alternatively, the attacker uploads malicious content to the publicly accessible bucket.
Impact
Publicly exposing an S3 bucket can lead to significant data breaches. Sensitive data, such as customer information, financial records, or proprietary code, can be exfiltrated by unauthorized individuals. This can result in financial losses, reputational damage, and legal liabilities. The number of affected individuals depends on the data stored in the exposed bucket. Sectors storing sensitive data, such as finance, healthcare, and technology, are particularly vulnerable.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect unauthorized modifications to S3 bucket policies. Tune the rule to your specific environment to minimize false positives (
index,data_stream.dataset). - Review CloudTrail logs for
PutBucketPolicyevents withEffect=AllowandPrincipal:"*"to identify potentially misconfigured buckets (event.action,aws.cloudtrail.request_parameters). - Implement AWS Config rules
s3-bucket-public-read-prohibitedands3-bucket-public-write-prohibitedto automatically remediate public access issues. - Restrict
s3:PutBucketPolicypermissions to trusted administrative roles to prevent unauthorized policy modifications. - Enable AWS Security Hub or GuardDuty for continuous monitoring of public exposure events.
Detection coverage 2
AWS S3 Bucket Policy Added to Allow Public Access
mediumDetects when an Amazon S3 bucket policy is modified to grant public access using a wildcard (Principal:"*") statement.
AWS S3 DeleteBucketPolicy Followed by PutBucketPolicy with Public Access
highDetects a DeleteBucketPolicy event followed by a PutBucketPolicy event granting public access, indicating a potential attempt to bypass existing protections.
Detection queries are available on the platform. Get full rules →