Product
medium
advisory
Suspicious AWS S3 Connection via Script Interpreter
2 rules 5 TTPs
The rule detects script interpreters (osascript, Node.js, Python) making outbound connections to AWS S3 or CloudFront domains on macOS, which may indicate command and control or data exfiltration activity.
AWS S3 +1
command-and-control
exfiltration
macos
low
advisory
Rapid Enumeration of AWS S3 Buckets
2 rules 4 TTPs
An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.
AWS S3 +1
aws
s3
cloudtrail
discovery
enumeration
reconnaissance
high
advisory
S3Browser IAM Policy Creation with Default Bucket Name
2 rules 3 TTPs
An AWS IAM policy is created by the S3Browser utility with the default S3 bucket name placeholder, potentially indicating unauthorized access or misconfiguration.
AWS IAM +1
aws
iam
s3browser
s3
policy
cloudtrail