AWS S3 Rapid Bucket Posture API Calls from a Single Principal

Elastic Detection Rules

Summary
Identifies bursts of read-only S3 control-plane API activity in which a single AWS principal, over a single source IP, reads bucket posture across many buckets in a short interval.

The rule triggers when, within a 10-second window (Esql.time_window_date_trunc), the same aws.cloudtrail.user_identity.arn and source.ip call one or more of a fixed set of read-only S3 control APIs (GetBucketAcl, GetBucketPublicAccessBlock, GetBucketPolicy, GetBucketPolicyStatus, GetBucketVersioning) against more than 15 distinct aws.cloudtrail.resources.arn values. It excludes principals of type AWSService, so calls that AWS services make on the account's behalf are not counted, and it requires that session_credential_from_console is NULL, so only programmatic sessions match and Management Console activity is ignored. Both aws.cloudtrail.user_identity.arn and aws.cloudtrail.resources.arn must be populated, so that events with a missing actor or resource cannot be grouped together on a null value and skew the count.

When it fires, the rule surfaces the fields an analyst needs to triage the burst: the bucket ARNs and keys touched, the user identity data, the source IP, the user agent, the account and the region. The pattern is characteristic of automated reconnaissance, CSPM-style discovery, or post-compromise enumeration, in which an actor maps the ACL, public-access, policy and versioning posture of many buckets quickly to find exposed or weakly protected data.

The rule maps to the MITRE ATT&CK techniques Cloud Service Discovery (T1526), Cloud Infrastructure Discovery (T1580) and Cloud Storage Object Discovery (T1619) under the Discovery tactic, and Data from Cloud Storage (T1530) under the Collection tactic.

False positives can arise from legitimate security scanners, CSPM or inventory tools, and CI/CD validation jobs that enumerate bucket settings across many buckets; these are usually recognisable by a stable user agent, a known source IP and a recurring schedule, and can be excepted on those fields. Recommended mitigations include least-privilege scoping of the S3 read APIs (s3:GetBucketAcl, s3:GetBucketPolicy and the related actions) to the principals and buckets that need them, rotating the credential if the activity is unexplained, restricting the source IPs from which the credential may be used (for example with an aws:SourceIp condition), and correlating the burst with follow-on events such as ListBuckets, GetObject, PutBucketPolicy and AssumeRole to distinguish discovery from actual data access or policy tampering.
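The detection logic described above, re-implemented in Python over constructed CloudTrail-style records so the grouping, thresholds and exclusions can be seen end to end. This is an added example, not Elastic's rule or its ES|QL query: it works on raw CloudTrail field names (eventName, userIdentity.arn, userIdentity.type, sourceIPAddress, sessionCredentialFromConsole, resources[].ARN, eventTime) rather than the ECS-mapped names the rule uses, and the sample events, principals, IPs and bucket names are invented. It also covers the boundary cases the summary implies: exactly 15 buckets does not fire, console and AWSService activity is dropped, and a slow scanner that stays under the per-window threshold never alerts.

```python
"""Added example: a Python model of the S3 bucket-posture burst detection.
Not Elastic's rule code; field names follow raw CloudTrail JSON, sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timezone

POSTURE_APIS = {
    "GetBucketAcl", "GetBucketPublicAccessBlock", "GetBucketPolicy",
    "GetBucketPolicyStatus", "GetBucketVersioning",
}
WINDOW_SECONDS = 10
DISTINCT_BUCKET_THRESHOLD = 15   # the rule fires on MORE than 15 distinct bucket ARNs


def window_key(event_time: str) -> int:
    """Truncate an ISO-8601 eventTime to a 10-second bucket (the DATE_TRUNC step)."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // WINDOW_SECONDS


def eligible(ev: dict) -> bool:
    """Per-event pre-filters: posture API, not an AWS service, not console, both ARNs present."""
    ident = ev.get("userIdentity") or {}
    return (
        ev.get("eventName") in POSTURE_APIS
        and ident.get("type") != "AWSService"                  # drop service-initiated calls
        and ev.get("sessionCredentialFromConsole") is None      # programmatic sessions only
        and bool(ident.get("arn"))                              # actor ARN must be populated
        and any(r.get("ARN") for r in ev.get("resources") or [])  # resource ARN must be populated
    )


def detect(events: list) -> list:
    """Group by (principal ARN, source IP, 10-s window); alert when distinct buckets > threshold."""
    groups = defaultdict(lambda: {"buckets": set(), "apis": set(), "user_agents": set()})
    for ev in events:
        if not eligible(ev):
            continue
        key = (ev["userIdentity"]["arn"], ev["sourceIPAddress"], window_key(ev["eventTime"]))
        g = groups[key]
        g["buckets"].update(r["ARN"] for r in ev["resources"] if r.get("ARN"))
        g["apis"].add(ev["eventName"])
        g["user_agents"].add(ev.get("userAgent", ""))
    alerts = []
    for (arn, ip, win), g in sorted(groups.items()):
        if len(g["buckets"]) > DISTINCT_BUCKET_THRESHOLD:
            start = datetime.fromtimestamp(win * WINDOW_SECONDS, timezone.utc)
            alerts.append({
                "principal_arn": arn, "source_ip": ip,
                "window_start": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "distinct_buckets": len(g["buckets"]),
                "apis": sorted(g["apis"]), "user_agents": sorted(g["user_agents"]),
            })
    return alerts


def make_event(name, bucket, arn, ip, t, *, ident_type="IAMUser", console=None, ua="aws-cli/2.15.0"):
    """Build a minimal CloudTrail-shaped record (constructed, not captured from a real trail)."""
    ev = {"eventTime": t, "eventSource": "s3.amazonaws.com", "eventName": name,
          "sourceIPAddress": ip, "userAgent": ua,
          "userIdentity": {"type": ident_type, "arn": arn},
          "resources": [{"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{bucket}"}]}
    if console is not None:
        ev["sessionCredentialFromConsole"] = console
    return ev


def sample_events() -> list:
    """Constructed scenarios: one true positive and four cases the rule must not count."""
    acct = "arn:aws:iam::123456789012:"
    ev = []
    # 1) 20 buckets in 4 s from one access key over one IP -> alert
    for i in range(20):
        ev.append(make_event("GetBucketPublicAccessBlock", f"corp-data-{i:02d}",
                             acct + "user/recon-key", "203.0.113.10", f"2026-04-02T10:00:{i // 5:02d}Z"))
    # 2) GetObject from the same actor in the same window is not a posture API -> ignored
    ev.append(make_event("GetObject", "corp-data-00", acct + "user/recon-key", "203.0.113.10",
                         "2026-04-02T10:00:01Z"))
    # 3) same burst shape but from the Management Console -> excluded
    for i in range(20):
        ev.append(make_event("GetBucketPolicy", f"corp-data-{i:02d}", acct + "user/admin",
                             "198.51.100.7", f"2026-04-02T10:05:{i // 5:02d}Z", console="true"))
    # 4) AWS service principal reading posture on the account's behalf -> excluded
    for i in range(20):
        ev.append(make_event("GetBucketAcl", f"corp-data-{i:02d}",
                             acct + "role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
                             "config.amazonaws.com", f"2026-04-02T10:10:{i // 5:02d}Z", ident_type="AWSService"))
    # 5) exactly 15 buckets in one window -> not MORE than 15, no alert
    for i in range(15):
        ev.append(make_event("GetBucketVersioning", f"corp-data-{i:02d}", acct + "user/ci-validator",
                             "192.0.2.44", f"2026-04-02T12:00:{i // 5:02d}Z", ua="terraform/1.7"))
    # 6) slow scanner, one bucket every 10 s -> never exceeds the per-window threshold
    for i in range(20):
        ev.append(make_event("GetBucketAcl", f"corp-data-{i:02d}", acct + "user/inventory",
                             "192.0.2.45", f"2026-04-02T11:{(i * 10) // 60:02d}:{(i * 10) % 60:02d}Z"))
    return ev


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a)
```

Scenario 6 also shows the rule's main blind spot: because the window is a fixed DATE_TRUNC bucket rather than a sliding one, an actor who paces calls so that no 10-second bucket holds more than 15 distinct bucket ARNs (or whose burst happens to straddle a window boundary) is never counted, which is why the summary recommends correlating with follow-on ListBuckets, GetObject and PutBucketPolicy events rather than relying on the threshold alone.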
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1526
  • T1580
  • T1619
  • T1530
Created: 2026-04-02