{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/s3/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS S3","AWS CloudTrail"],"_cs_severities":["low"],"_cs_tags":["aws","s3","cloudtrail","discovery","enumeration","reconnaissance"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief covers suspicious activity related to the rapid enumeration of AWS S3 buckets. The activity is characterized by an AWS principal invoking read-only S3 control-plane APIs from the same source IP address within a short timeframe. This pattern is often associated with reconnaissance efforts, security scanning tools, or post-compromise enumeration activities. The behavior is similar to that observed with CSPM tools and by threat actors like Team PCP. The detection specifically excludes AWS service principals and requires programmatic-style sessions (i.e., not Management Console credentials). It focuses on scenarios where resource and identity fields are populated to avoid skewed results from null values. The detection threshold is set to greater than 15 distinct \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e values within a 10-second window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS environment using compromised credentials or through an exposed IAM role. (T1530)\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to AWS using the obtained credentials, creating a programmatic session.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a series of \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPublicAccessBlock\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e, \u003ccode\u003eGetBucketPolicyStatus\u003c/code\u003e, and \u003ccode\u003eGetBucketVersioning\u003c/code\u003e API calls to S3.\u003c/li\u003e\n\u003cli\u003eThese API calls are directed towards multiple distinct S3 buckets within a short timeframe (10 seconds).\u003c/li\u003e\n\u003cli\u003eThe attacker collects information about the bucket\u0026rsquo;s access control lists (ACLs), public access blocks, policies, versioning status, and other metadata. (T1526, T1580, T1619)\u003c/li\u003e\n\u003cli\u003eThe collected information is analyzed to identify publicly accessible buckets, misconfigurations, or sensitive data storage locations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses identified vulnerabilities to exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement within the AWS environment, leveraging the discovered information to compromise other resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of S3 buckets can lead to the discovery of sensitive data, misconfigurations, and publicly accessible resources. This can result in data breaches, unauthorized access, and further compromise of the AWS environment. The enumeration allows an attacker to map out the S3 storage landscape, identifying targets for data exfiltration or privilege escalation. The rapid nature of the enumeration suggests automated scanning or reconnaissance, potentially indicating a larger attack campaign.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect rapid S3 bucket enumeration activity based on AWS CloudTrail logs, adjusting the threshold of 15 distinct buckets to suit your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address (\u003ccode\u003esource.ip\u003c/code\u003e), AWS principal ARN (\u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e), and the list of accessed buckets (\u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview IAM policies associated with the identified principal to ensure least privilege for S3 read APIs.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for related events, such as \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eGetObject\u003c/code\u003e, \u003ccode\u003ePutBucketPolicy\u003c/code\u003e, \u003ccode\u003eAssumeRole\u003c/code\u003e, or IAM changes, occurring within ±30 minutes of the detected enumeration activity.\u003c/li\u003e\n\u003cli\u003eImplement network-level restrictions on the source IP address if it is not authorized to perform S3 enumeration.\u003c/li\u003e\n\u003cli\u003eDocument approved scanning accounts and add user agent filters to the provided Sigma rule to reduce noise from those identities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T19:43:38Z","date_published":"2026-05-01T19:43:38Z","id":"/briefs/2024-01-aws-s3-bucket-discovery/","summary":"An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.","title":"Rapid Enumeration of AWS S3 Buckets","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-s3-bucket-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cloud","aws","s3","reconnaissance"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief details detection of rapid enumeration of AWS S3 bucket configurations. The activity is characterized by an AWS principal invoking read-only S3 control-plane APIs across numerous buckets within a short timeframe. This pattern is consistent with automated reconnaissance, security scanning, or post-compromise enumeration. The activity is detected by monitoring AWS CloudTrail logs for specific API calls such as \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPublicAccessBlock\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e, \u003ccode\u003eGetBucketPolicyStatus\u003c/code\u003e, and \u003ccode\u003eGetBucketVersioning\u003c/code\u003e. The detection logic excludes AWS service principals and sessions using Management Console credentials to reduce false positives. This activity is relevant for defenders as it can signal early-stage reconnaissance by threat actors like Team PCP, or unauthorized data discovery within the AWS environment. The rule uses a threshold of 15 distinct buckets accessed within 10 seconds to identify suspicious behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to AWS credentials, possibly through compromised credentials or misconfigured IAM roles.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired credentials to authenticate to the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or tool that calls multiple S3 APIs (e.g., \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e) to gather information about S3 buckets.\u003c/li\u003e\n\u003cli\u003eThe tool iterates through a list of buckets, querying the configuration of each.\u003c/li\u003e\n\u003cli\u003eThe attacker collects the responses from the S3 API calls, mapping out bucket names, permissions, and access control lists.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the collected data to identify potentially sensitive data or misconfigured buckets.\u003c/li\u003e\n\u003cli\u003eBased on the findings, the attacker may proceed to exfiltrate data from accessible buckets (T1530).\u003c/li\u003e\n\u003cli\u003eThe attacker may also attempt to modify bucket policies or access controls to gain further access or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance of S3 bucket configurations allows attackers to identify vulnerable buckets, potentially leading to data breaches or unauthorized access to sensitive information. The source material does not provide specific victim counts or sectors. However, the impact can range from exposure of confidential data to full compromise of the AWS environment, depending on the level of access gained and the sensitivity of the data stored in the targeted buckets. Identifying the activity early can prevent further exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect rapid S3 bucket posture API calls (see: \u0026ldquo;AWS S3 Rapid Bucket Enumeration\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eReview IAM policies and enforce least privilege on S3 read APIs to limit the scope of potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for the same \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003esource.ip\u003c/code\u003e within approximately ±30 minutes for follow-on patterns such as \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eGetObject\u003c/code\u003e, \u003ccode\u003ePutBucketPolicy\u003c/code\u003e, or \u003ccode\u003eAssumeRole\u003c/code\u003e activities (see Overview).\u003c/li\u003e\n\u003cli\u003eRotate or disable keys for the affected identity, revoke active role sessions where possible, and restrict the source IP at the network layer if it is not authorized (see Overview).\u003c/li\u003e\n\u003cli\u003eWhitelist approved scanning accounts and tune the Sigma rule to reduce noise from those identities (see Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-aws-s3-reconnaissance/","summary":"An AWS principal rapidly enumerates S3 bucket configurations using read-only APIs, potentially indicating reconnaissance activity by security scanners, CSPM tools, or malicious actors performing post-compromise enumeration.","title":"AWS S3 Rapid Bucket Posture API Calls Indicate Reconnaissance","url":"https://feed.craftedsignal.io/briefs/2026-04-aws-s3-reconnaissance/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["minio","s3","metadata-injection","denial-of-service"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA flaw in MinIO\u0026rsquo;s \u003ccode\u003eextractMetadataFromMime()\u003c/code\u003e function allows any authenticated user with \u003ccode\u003es3:PutObject\u003c/code\u003e permission to inject internal server-side encryption (SSE) metadata into objects. This is achieved by sending crafted \u003ccode\u003eX-Minio-Replication-*\u003c/code\u003e headers on a normal PutObject request. The MinIO server incorrectly maps these headers to \u003ccode\u003eX-Minio-Internal-*\u003c/code\u003e encryption metadata without validating if the request is a legitimate replication request. Objects written in this manner contain bogus encryption keys and become permanently unreadable through the S3 API. This vulnerability affects all MinIO releases up to the final release of the \u003ccode\u003eminio/minio\u003c/code\u003e open-source project, specifically versions introduced after commit \u003ccode\u003e468a9fae83e965ecefa1c1fdc2fc57b84ece95b0\u003c/code\u003e (included in \u003ccode\u003eRELEASE.2024-03-30T09-41-56Z\u003c/code\u003e). It was resolved in MinIO AIStor \u003ccode\u003eRELEASE.2026-03-26T21-24-40Z\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the MinIO server with valid credentials having \u003ccode\u003es3:PutObject\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PutObject request targeting a specific bucket and object key.\u003c/li\u003e\n\u003cli\u003eThe attacker includes \u003ccode\u003eX-Minio-Replication-Server-Side-Encryption-*\u003c/code\u003e headers in the PutObject request.\u003c/li\u003e\n\u003cli\u003eThe attacker omits the \u003ccode\u003eX-Minio-Source-Replication-Request\u003c/code\u003e header, which would normally indicate a legitimate replication request.\u003c/li\u003e\n\u003cli\u003eThe MinIO server\u0026rsquo;s \u003ccode\u003eextractMetadataFromMime()\u003c/code\u003e function incorrectly maps the crafted \u003ccode\u003eX-Minio-Replication-*\u003c/code\u003e headers to \u003ccode\u003eX-Minio-Internal-Server-Side-Encryption-*\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eThe server writes the object metadata, including the bogus encryption keys, to the object storage.\u003c/li\u003e\n\u003cli\u003eSubsequent GetObject or HeadObject requests for the modified object will fail because the server treats the object as encrypted with non-existent or incorrect keys.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves a targeted denial-of-service, rendering the object permanently unreadable via the S3 API.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability enables a targeted denial-of-service attack. An attacker can selectively corrupt individual objects or entire buckets within a MinIO deployment. Successful exploitation results in permanent data loss, as affected objects become unreadable through the S3 API. This can disrupt critical services relying on the object storage and potentially impact a large number of users if entire buckets are targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to MinIO AIStor version \u003ccode\u003eRELEASE.2026-03-26T21-24-40Z\u003c/code\u003e or later to patch the vulnerability as documented in the \u003ca href=\"https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/\"\u003erelease notes\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement a reverse proxy or load balancer rule to drop or reject any request containing \u003ccode\u003eX-Minio-Replication-Server-Side-Encryption-*\u003c/code\u003e headers that does not also include \u003ccode\u003eX-Minio-Source-Replication-Request\u003c/code\u003e, mitigating the injection path as described in the \u003ca href=\"#workarounds\"\u003eWorkarounds\u003c/a\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and restrict IAM policies to limit \u003ccode\u003es3:PutObject\u003c/code\u003e grants to trusted principals only, reducing the attack surface as noted in the \u003ca href=\"#workarounds\"\u003eWorkarounds\u003c/a\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T22:26:05Z","date_published":"2026-03-27T22:26:05Z","id":"/briefs/2024-05-minio-metadata-injection/","summary":"A vulnerability in MinIO allows authenticated users with `s3:PutObject` permission to inject internal server-side encryption metadata into objects via crafted replication headers, leading to permanent data unreadability.","title":"MinIO SSE Metadata Injection via Replication Headers Leads to Data Unreadability","url":"https://feed.craftedsignal.io/briefs/2024-05-minio-metadata-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","AWS S3"],"_cs_severities":["high"],"_cs_tags":["aws","iam","s3browser","s3","policy","cloudtrail"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe S3Browser utility is being used to create Inline IAM policies within AWS. This activity is flagged as suspicious when the policy includes the default S3 bucket name placeholder value of \u003ccode\u003e\u0026lt;YOUR-BUCKET-NAME\u0026gt;\u003c/code\u003e. This could indicate that the user has not properly configured the policy or is unaware of the implications of using a generic placeholder, potentially granting unintended access to S3 resources. This behavior was observed being used by the threat actor Guivil. The use of S3Browser in this manner poses a risk of privilege escalation, persistence, and unauthorized access to sensitive data stored in S3 buckets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, possibly through compromised credentials or misconfigured IAM roles (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the S3Browser utility to interact with AWS S3 buckets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create an Inline IAM policy using S3Browser.\u003c/li\u003e\n\u003cli\u003eThe attacker fails to replace the default bucket name placeholder \u003ccode\u003e\u0026lt;YOUR-BUCKET-NAME\u0026gt;\u003c/code\u003e with a specific bucket ARN.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the IAM policy with the default bucket name placeholder, leading to a broad or unintended scope of permissions.\u003c/li\u003e\n\u003cli\u003eThe poorly configured policy is applied to a user, role, or group.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially escalates privileges or gains unauthorized access to S3 resources.\u003c/li\u003e\n\u003cli\u003eThe attacker persists in the environment with the newly created or modified IAM policy.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCreation of an IAM policy with the default bucket name placeholder leaves S3 buckets open to potential unauthorized access. A successful attack could lead to data exfiltration, data modification, or denial of service. The scope of the impact depends on the specific permissions granted within the policy and the resources accessible through the affected IAM user, role, or group.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS IAM S3Browser Templated S3 Bucket Policy Creation\u0026rdquo; to your SIEM and tune for your environment to detect this specific activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ePutUserPolicy\u003c/code\u003e events are associated with the S3Browser user agent (logsource: aws/cloudtrail).\u003c/li\u003e\n\u003cli\u003eReview existing IAM policies for the presence of the default bucket name placeholder \u003ccode\u003earn:aws:s3:::\u0026lt;YOUR-BUCKET-NAME\u0026gt;/*\u003c/code\u003e (logsource: aws/cloudtrail).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-s3browser-iam-policy/","summary":"An AWS IAM policy is created by the S3Browser utility with the default S3 bucket name placeholder, potentially indicating unauthorized access or misconfiguration.","title":"S3Browser IAM Policy Creation with Default Bucket Name","url":"https://feed.craftedsignal.io/briefs/2024-01-26-s3browser-iam-policy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["S3"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","s3","data_loss"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe deletion of S3 buckets is a critical event to monitor in AWS environments. While legitimate administrative actions may involve bucket deletion, unauthorized or accidental removal of buckets can lead to significant data loss and business disruption. This brief focuses on detecting such events through AWS CloudTrail logs, which record API calls made within the AWS infrastructure. Monitoring for \u003ccode\u003eDeleteBucket\u003c/code\u003e events helps identify potential malicious activity or unintentional misconfigurations that could compromise data availability and integrity. This detection focuses on identifying DeleteBucket API calls, successful or otherwise, within CloudTrail logs to provide early warning of potential data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account through compromised credentials or a privilege escalation exploit.\u003c/li\u003e\n\u003cli\u003eThe attacker lists existing S3 buckets to identify potential targets using the \u003ccode\u003eListBuckets\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target S3 bucket containing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete the target S3 bucket by issuing a \u003ccode\u003eDeleteBucket\u003c/code\u003e API call using the AWS CLI or SDK.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eDeleteBucket\u003c/code\u003e event, including the user identity, timestamp, and bucket name.\u003c/li\u003e\n\u003cli\u003eIf successful, the S3 bucket and its contents are permanently deleted.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to remove CloudTrail logs to cover their tracks, using the \u003ccode\u003eDeleteTrail\u003c/code\u003e API call.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of an S3 bucket results in the permanent loss of all data stored within that bucket. This can lead to service disruption, data breaches, and financial losses, especially if the bucket contained critical business data or backups. The impact can range from temporary inconvenience to complete business failure depending on the criticality of the data lost and the organization\u0026rsquo;s backup and recovery capabilities. Without proper monitoring and alerting, an S3 bucket deletion can go unnoticed for extended periods, hindering incident response efforts and potentially exacerbating the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect S3 bucket deletion events in CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003eDeleteBucket\u003c/code\u003e events to verify their legitimacy and ensure they were authorized by appropriate personnel.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to prevent unauthorized access and reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eEnforce strict IAM policies and regularly review user permissions to minimize the blast radius of compromised accounts.\u003c/li\u003e\n\u003cli\u003eEnable versioning on S3 buckets to allow for the recovery of accidentally deleted objects, mitigating the impact of data loss.\u003c/li\u003e\n\u003cli\u003eImplement data backup and disaster recovery plans to ensure business continuity in the event of a successful bucket deletion attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:27:00Z","date_published":"2024-01-02T14:27:00Z","id":"/briefs/2024-01-aws-bucket-deletion/","summary":"An AWS S3 bucket deletion event was detected via CloudTrail logs, potentially indicating data loss or unauthorized access attempts.","title":"AWS S3 Bucket Deletion Detected via CloudTrail","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-bucket-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — S3","version":"https://jsonfeed.org/version/1.1"}