{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/public/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon S3"],"_cs_severities":["critical"],"_cs_tags":["aws","s3","bucket","acl","public","misconfiguration","data-breach"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief addresses the risk associated with misconfigured Amazon S3 buckets. Specifically, it focuses on the \u0026quot;PutBucketAcl\u0026quot; operation, which controls access permissions for S3 buckets. An adversary or insider with sufficient AWS privileges can configure an S3 bucket to be publicly accessible by granting read, write, or full control permissions to either \u0026quot;AllUsers\u0026quot; or \u0026quot;AuthenticatedUsers\u0026quot; AWS groups. This misconfiguration can lead to sensitive data exposure, unauthorized modification of bucket contents, or even complete compromise of the data stored within the S3 bucket. This activity is detected through analysis of AWS CloudTrail logs, providing a mechanism for identifying and remediating overly permissive S3 bucket configurations. This analytic became available on 2026-04-15.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an AWS account or uses a compromised IAM user with sufficient privileges (s3:PutBucketAcl).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI, API, or console to create a new S3 bucket using a command such as \u003ccode\u003eaws s3api create-bucket --bucket \u0026lt;bucket-name\u0026gt; --region \u0026lt;region\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI, API, or console to modify the bucket's access control list (ACL) with \u003ccode\u003eaws s3api put-bucket-acl --bucket \u0026lt;bucket-name\u0026gt; --acl public-read\u003c/code\u003e or similar. This grants public access.\u003c/li\u003e\n\u003cli\u003eThe PutBucketAcl event is logged by AWS CloudTrail.\u003c/li\u003e\n\u003cli\u003eIf the bucket is exposed to full control, the attacker can modify the objects within.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads malicious content (e.g., malware, phishing pages) to the S3 bucket.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes links to the malicious content, leveraging the trust associated with AWS.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, modifies existing data, or uses the bucket as a staging ground for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA publicly accessible S3 bucket can have severe consequences. Sensitive data, including personally identifiable information (PII), financial records, or proprietary data, can be exposed to unauthorized individuals. This can lead to data breaches, compliance violations, reputational damage, and financial losses. Attackers can also modify or delete data, disrupting business operations or launching further attacks. The scale of impact depends on the sensitivity and volume of data stored in the compromised S3 bucket.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u003ccode\u003ePutBucketAcl\u003c/code\u003e events granting public access to S3 buckets based on the \u003ccode\u003ecloudtrail\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of public S3 bucket creation or modification, focusing on the \u003ccode\u003euser_arn\u003c/code\u003e and \u003ccode\u003ebucketName\u003c/code\u003e to assess legitimacy.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by reviewing and tightening IAM policies to restrict the ability to modify S3 bucket ACLs using s3:PutBucketAcl to only authorized users and roles.\u003c/li\u003e\n\u003cli\u003eImplement automated checks using tools like AWS Config or AWS Trusted Advisor to continuously monitor S3 bucket permissions and identify publicly accessible buckets, remediating automatically where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-new-open-s3-buckets/","summary":"Detection of publicly accessible AWS S3 buckets created via PutBucketAcl operations, potentially leading to unauthorized data access, tampering, or exfiltration.","title":"AWS S3 Bucket Public Access Configuration","url":"https://feed.craftedsignal.io/briefs/2024-01-new-open-s3-buckets/"}],"language":"en","title":"CraftedSignal Threat Feed - Public","version":"https://jsonfeed.org/version/1.1"}