{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-command-line-interface/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon S3","AWS Command Line Interface"],"_cs_severities":["medium"],"_cs_tags":["aws","s3","cloud","data-breach"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis brief focuses on detecting the creation of publicly accessible Amazon S3 buckets using the AWS Command Line Interface (CLI). While not inherently malicious, creating open S3 buckets can lead to significant data breaches if sensitive information is stored within them. Monitoring AWS CLI usage for S3 bucket creation is crucial for preventing unintentional exposure of data. This activity is often part of a larger attack chain, where adversaries attempt to identify and exploit misconfigured cloud resources for data theft or other malicious purposes. Understanding how these buckets are created and configured allows defenders to identify and remediate potential risks before they are exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eAttacker uses the AWS CLI to interact with the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the \u003ccode\u003eaws s3api create-bucket\u003c/code\u003e command to create a new S3 bucket.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses the \u003ccode\u003eaws s3api put-bucket-acl\u003c/code\u003e command to set the bucket's Access Control List (ACL) to \u003ccode\u003epublic-read\u003c/code\u003e or \u003ccode\u003epublic-read-write\u003c/code\u003e, making the bucket publicly accessible.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker may use \u003ccode\u003eaws s3api put-bucket-policy\u003c/code\u003e to configure a bucket policy that allows public access.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads data to the publicly accessible S3 bucket.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to exfiltrate data from other AWS resources into the newly created, open S3 bucket before final exfiltration.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to exfiltrate sensitive data or use the open bucket as a staging ground for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of creating open S3 buckets can be severe. Data stored in publicly accessible buckets can be easily accessed by anyone on the internet, leading to data breaches, compliance violations, and reputational damage. Depending on the data stored, this can affect thousands or millions of users. Organizations in all sectors, including healthcare, finance, and government, are potential targets. A successful attack can result in the loss of sensitive personal information, financial data, intellectual property, and other confidential information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;Detect New Open S3 Buckets Over AWS CLI\u0026quot; Sigma rule to your SIEM and tune for your environment to detect suspicious bucket creation activity.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eCreateBucket\u003c/code\u003e and \u003ccode\u003ePutBucketAcl\u003c/code\u003e events to detect S3 bucket creation and ACL modifications.\u003c/li\u003e\n\u003cli\u003eImplement and enforce least privilege IAM policies to restrict who can create and modify S3 buckets, and limit the ability to make them public.\u003c/li\u003e\n\u003cli\u003eRegularly audit S3 bucket permissions to identify and remediate any publicly accessible buckets.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-open-s3-buckets/","summary":"Detection of S3 bucket creation via AWS CLI which might lead to data exposure and unauthorized access.","title":"AWS CLI Activity Detection for Open S3 Bucket Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-open-s3-buckets/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon S3","AWS Command Line Interface","AWS Identity and Access Management"],"_cs_severities":["high"],"_cs_tags":["aws","s3","cloudtrail","misconfiguration","data-breach"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis brief focuses on the detection of publicly accessible Amazon S3 buckets created via the AWS Command Line Interface (CLI). The creation of public S3 buckets is a common security misconfiguration that can lead to sensitive data exposure. This activity is detected by analyzing AWS CloudTrail logs for \u003ccode\u003ePutBucketAcl\u003c/code\u003e events where the bucket's access control list (ACL) is configured to grant read, write, or full control to \u0026quot;AuthenticatedUsers\u0026quot; or \u0026quot;AllUsers.\u0026quot; This activity is particularly important to monitor because it represents a direct path for unauthorized access to data stored within the S3 bucket. The detection logic is based on the Splunk Security Content analytic \u0026quot;Detect New Open S3 Buckets over AWS CLI\u0026quot; (version 9, published April 15, 2026). Successfully exploited public buckets can lead to data exfiltration, data corruption, or other malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to valid AWS credentials, potentially through compromised user accounts or leaked API keys.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI to create a new S3 bucket using the \u003ccode\u003eaws s3api create-bucket\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses the \u003ccode\u003eaws s3api put-bucket-acl\u003c/code\u003e command to modify the bucket's Access Control List (ACL).\u003c/li\u003e\n\u003cli\u003eIn the \u003ccode\u003eput-bucket-acl\u003c/code\u003e command, the attacker sets permissions to grant read, write, or full control to \u0026quot;AuthenticatedUsers\u0026quot; or \u0026quot;AllUsers\u0026quot; by manipulating the \u003ccode\u003ex-amz-grant-read\u003c/code\u003e, \u003ccode\u003ex-amz-grant-write\u003c/code\u003e, and \u003ccode\u003ex-amz-grant-full-control\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003ePutBucketAcl\u003c/code\u003e event, capturing details of the user, bucket name, and ACL configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads sensitive data to the newly created, publicly accessible S3 bucket.\u003c/li\u003e\n\u003cli\u003eUnauthorized users or automated bots discover the public S3 bucket and access the exposed data.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the publicly available data, or modifies/corrupts data within the bucket.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCreation of publicly accessible S3 buckets can lead to severe data breaches. Unauthorized access to sensitive data stored in these buckets can result in financial loss, reputational damage, and legal liabilities. The number of affected individuals or organizations can vary widely, depending on the type and amount of data exposed. Public buckets can be indexed by search engines, further increasing the risk of unauthorized access. Data exfiltration or corruption can severely disrupt business operations and erode customer trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Public AWS S3 Bucket Creation via CLI\u0026quot; to your SIEM and tune for your environment to detect the described activity based on CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eReview and harden IAM policies to restrict the ability of users and roles to modify S3 bucket ACLs, preventing unintended public access.\u003c/li\u003e\n\u003cli\u003eRegularly audit existing S3 buckets to identify and remediate any publicly accessible buckets, using AWS Trusted Advisor or similar tools.\u003c/li\u003e\n\u003cli\u003eImplement automated monitoring and alerting for S3 bucket ACL changes using AWS CloudWatch Events and Lambda functions.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by granting only necessary permissions to users and roles, minimizing the risk of accidental or malicious misconfiguration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-s3-public-bucket/","summary":"An AWS user creates a publicly accessible S3 bucket by using the AWS CLI to set permissive ACLs, potentially leading to unauthorized data access and data breaches.","title":"Detection of Public AWS S3 Bucket Creation via CLI","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-s3-public-bucket/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Command Line Interface","version":"https://jsonfeed.org/version/1.1"}