<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Public - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/public/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/public/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS S3 Bucket Public Access Configuration</title><link>https://feed.craftedsignal.io/briefs/2024-01-new-open-s3-buckets/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-new-open-s3-buckets/</guid><description>Detection of publicly accessible AWS S3 buckets created via PutBucketAcl operations, potentially leading to unauthorized data access, tampering, or exfiltration.</description><content:encoded><![CDATA[<p>This threat brief addresses the risk associated with misconfigured Amazon S3 buckets. Specifically, it focuses on the &quot;PutBucketAcl&quot; operation, which controls access permissions for S3 buckets. An adversary or insider with sufficient AWS privileges can configure an S3 bucket to be publicly accessible by granting read, write, or full control permissions to either &quot;AllUsers&quot; or &quot;AuthenticatedUsers&quot; AWS groups. This misconfiguration can lead to sensitive data exposure, unauthorized modification of bucket contents, or even complete compromise of the data stored within the S3 bucket. This activity is detected through analysis of AWS CloudTrail logs, providing a mechanism for identifying and remediating overly permissive S3 bucket configurations. This analytic became available on 2026-04-15.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises an AWS account or uses a compromised IAM user with sufficient privileges (s3:PutBucketAcl).</li>
<li>The attacker uses the AWS CLI, API, or console to create a new S3 bucket using a command such as <code>aws s3api create-bucket --bucket &lt;bucket-name&gt; --region &lt;region&gt;</code>.</li>
<li>The attacker uses the AWS CLI, API, or console to modify the bucket's access control list (ACL) with <code>aws s3api put-bucket-acl --bucket &lt;bucket-name&gt; --acl public-read</code> or similar. This grants public access.</li>
<li>The PutBucketAcl event is logged by AWS CloudTrail.</li>
<li>If the bucket is exposed to full control, the attacker can modify the objects within.</li>
<li>The attacker uploads malicious content (e.g., malware, phishing pages) to the S3 bucket.</li>
<li>The attacker distributes links to the malicious content, leveraging the trust associated with AWS.</li>
<li>The attacker exfiltrates sensitive data, modifies existing data, or uses the bucket as a staging ground for further attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A publicly accessible S3 bucket can have severe consequences. Sensitive data, including personally identifiable information (PII), financial records, or proprietary data, can be exposed to unauthorized individuals. This can lead to data breaches, compliance violations, reputational damage, and financial losses. Attackers can also modify or delete data, disrupting business operations or launching further attacks. The scale of impact depends on the sensitivity and volume of data stored in the compromised S3 bucket.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect <code>PutBucketAcl</code> events granting public access to S3 buckets based on the <code>cloudtrail</code> log source.</li>
<li>Investigate any detected instances of public S3 bucket creation or modification, focusing on the <code>user_arn</code> and <code>bucketName</code> to assess legitimacy.</li>
<li>Enforce the principle of least privilege by reviewing and tightening IAM policies to restrict the ability to modify S3 bucket ACLs using s3:PutBucketAcl to only authorized users and roles.</li>
<li>Implement automated checks using tools like AWS Config or AWS Trusted Advisor to continuously monitor S3 bucket permissions and identify publicly accessible buckets, remediating automatically where possible.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>aws</category><category>s3</category><category>bucket</category><category>acl</category><category>public</category><category>misconfiguration</category><category>data-breach</category></item></channel></rss>