
Summary
This detection rule monitors Amazon S3 data access that arrives through a VPC endpoint but originates from an external (public) IP address. Requests that traverse a VPC endpoint are expected to carry a private source address from inside the VPC or another authorized network, so a public source address on such a request is anomalous and may indicate a data exfiltration attempt. The rule is built on AWS CloudTrail S3 data events and exposes a configurable list of S3 operations to monitor. When it fires, an accompanying runbook gives a systematic investigation procedure: verify the accessing IP address and review the access pattern (which buckets and objects, how often, over what period) to separate legitimate activity from malicious activity. Confirmed malicious access warrants terminating that access and tightening controls such as bucket policies and VPC endpoint policies.
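The detection logic described above, as an added example that is not part of the rule page or its vendor's implementation: a small Python detector run over constructed CloudTrail S3 data-event records. The record field names (eventSource, eventName, sourceIPAddress, vpcEndpointId, userIdentity.arn, requestParameters.bucketName) are the standard CloudTrail ones; the endpoint ID, bucket names, role ARNs, source addresses and the default list of monitored operations are assumptions invented for the demo.

```python
"""Detect S3 data access through a VPC endpoint from a public source IP.

Added example over constructed CloudTrail records; the IDs, ARNs, buckets and
addresses below are invented and the default operation list is an assumption.
"""
import ipaddress
import json
from collections import Counter

# Assumed default set of S3 data-plane operations to watch. The rule page says
# this is configurable, so the detector takes it as a parameter.
DEFAULT_MONITORED_OPERATIONS = {"GetObject", "PutObject", "CopyObject", "ListObjects"}

# Constructed CloudTrail data-event records, reduced to the fields the rule uses.
SAMPLE_EVENTS = [
    {   # private source inside the VPC: the expected case, not flagged
        "eventTime": "2025-03-28T10:00:01Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "10.0.1.23",
        "vpcEndpointId": "vpce-0123456789abcdef0",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
        "requestParameters": {"bucketName": "internal-reports", "key": "q1/summary.csv"},
    },
    {   # public source through the endpoint: the anomaly this rule flags
        "eventTime": "2025-03-28T10:02:17Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "8.8.8.8",
        "vpcEndpointId": "vpce-0123456789abcdef0",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
        "requestParameters": {"bucketName": "internal-reports", "key": "q1/customers.csv"},
    },
    {   # public source, but DeleteObject is not in the default monitored set
        "eventTime": "2025-03-28T10:03:40Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject", "sourceIPAddress": "8.8.8.8",
        "vpcEndpointId": "vpce-0123456789abcdef0",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
        "requestParameters": {"bucketName": "internal-reports", "key": "q1/summary.csv"},
    },
    {   # public source but no vpcEndpointId: direct access, out of scope here
        "eventTime": "2025-03-28T10:05:02Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "8.8.8.8",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"bucketName": "public-assets", "key": "logo.png"},
    },
    {   # CloudTrail writes a service name instead of an IP for AWS-initiated calls
        "eventTime": "2025-03-28T10:06:30Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject", "sourceIPAddress": "AWS Internal",
        "vpcEndpointId": "vpce-0123456789abcdef0",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/replication-role"},
        "requestParameters": {"bucketName": "internal-reports", "key": "q1/summary.csv"},
    },
]


def is_external_ip(value):
    """True only for a globally routable address.

    Private, loopback, link-local and the RFC 5737 documentation ranges are not
    global, and non-IP values such as "AWS Internal" or "s3.amazonaws.com" are
    treated as not external rather than raising.
    """
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return ip.is_global


def detect_external_vpce_access(events, monitored_operations=DEFAULT_MONITORED_OPERATIONS):
    """Return one finding per monitored S3 operation that used a VPC endpoint
    and carried a public source IP."""
    findings = []
    for event in events:
        if event.get("eventSource") != "s3.amazonaws.com":
            continue
        if event.get("eventName") not in monitored_operations:
            continue
        vpce = event.get("vpcEndpointId")
        if not vpce:
            continue  # not via a VPC endpoint; other rules cover direct access
        source_ip = event.get("sourceIPAddress", "")
        if not is_external_ip(source_ip):
            continue
        params = event.get("requestParameters") or {}
        findings.append({
            "eventTime": event.get("eventTime"),
            "eventName": event["eventName"],
            "sourceIPAddress": source_ip,
            "vpcEndpointId": vpce,
            "principal": (event.get("userIdentity") or {}).get("arn"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
        })
    return findings


def access_pattern(findings):
    """Flagged operations per (principal, source IP) pair, a first cut at the
    runbook's 'review access patterns' step."""
    return Counter((f["principal"], f["sourceIPAddress"]) for f in findings)


if __name__ == "__main__":
    hits = detect_external_vpce_access(SAMPLE_EVENTS)
    print(json.dumps(hits, indent=2))
    for (principal, ip), n in access_pattern(hits).items():
        print(f"{principal} from {ip}: {n} flagged operation(s)")
```

Two practical caveats when wiring this to real data: S3 data events are not in CloudTrail management-event trails by default, so they must be enabled on the trail or event data store for the buckets of interest, and `ip.is_global` deliberately treats the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges as non-global, which is why the constructed external sample uses a real public address.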
Categories
- Cloud
- AWS
- Network
Data Sources
- Cloud Service
- Cloud Storage
- Network Traffic
- Logon Session
Created: 2025-03-28