S3 bucket compromise detected

Provider: AWS
Service: S3
Severity: Critical

Description

The listed S3 bucket has a high chance of being compromised, based on recent activity reported by AWS GuardDuty combined with the bucket's present configuration. The threat rule fires on a combination of at least one GuardDuty S3 finding for unauthorized access or data exfiltration/manipulation with at least two native findings against the present S3 configuration relating to network access, logging, versioning, bucket policy or encryption. Native S3 findings are based on the best practices established by current compliance frameworks, so correlating them with GuardDuty findings means the given activity is likely to be malicious and needs proper investigation.
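The correlation the rule describes, written out as an added Python example (not the product's own rule engine). The finding shapes, the mapping of GuardDuty threat-purpose prefixes to "unauthorized access or exfiltration/manipulation", and counting distinct native control categories are assumptions made here.

```python
from collections import defaultdict

# GuardDuty S3 threat-purpose prefixes the rule treats as unauthorized access or
# data exfiltration/manipulation (assumed mapping: Impact:S3/* = data manipulation).
GUARDDUTY_S3_PREFIXES = ("UnauthorizedAccess:S3/", "Exfiltration:S3/", "Impact:S3/")

# Native S3 configuration control areas named by the rule.
NATIVE_S3_CATEGORIES = {"network_access", "logging", "versioning",
                        "bucket_policy", "encryption"}


def is_guardduty_s3_threat(finding_type: str) -> bool:
    """True for GuardDuty findings about unauthorized S3 access or exfiltration/manipulation."""
    return finding_type.startswith(GUARDDUTY_S3_PREFIXES)


def correlate(guardduty_findings, native_findings, min_guardduty=1, min_native=2):
    """Return {bucket: evidence} for each bucket with >= min_guardduty matching GuardDuty
    findings and >= min_native distinct native configuration findings.

    Distinct categories are counted so duplicate findings on one control do not meet
    the threshold by themselves (an assumption, not stated by the rule)."""
    gd_by_bucket = defaultdict(list)
    for f in guardduty_findings:
        if is_guardduty_s3_threat(f["type"]):
            gd_by_bucket[f["bucket"]].append(f["type"])
    native_by_bucket = defaultdict(set)
    for f in native_findings:
        if f["category"] in NATIVE_S3_CATEGORIES:
            native_by_bucket[f["bucket"]].add(f["category"])
    hits = {}
    for bucket, gd_types in gd_by_bucket.items():
        cats = native_by_bucket.get(bucket, set())
        if len(gd_types) >= min_guardduty and len(cats) >= min_native:
            hits[bucket] = {"guardduty": sorted(gd_types), "native": sorted(cats)}
    return hits


# Constructed sample input, not real findings.
SAMPLE_GUARDDUTY = [
    {"bucket": "prod-exports", "type": "Exfiltration:S3/AnomalousBehavior"},
    {"bucket": "logs-archive", "type": "UnauthorizedAccess:S3/TorIPCaller"},
    {"bucket": "static-site", "type": "Discovery:S3/MaliciousIPCaller"},  # discovery: out of scope
]
SAMPLE_NATIVE = [
    {"bucket": "prod-exports", "category": "logging"},
    {"bucket": "prod-exports", "category": "encryption"},
    {"bucket": "logs-archive", "category": "versioning"},
    {"bucket": "logs-archive", "category": "versioning"},  # duplicate control, counts once
    {"bucket": "static-site", "category": "bucket_policy"},
    {"bucket": "static-site", "category": "network_access"},
]
```

Running `correlate(SAMPLE_GUARDDUTY, SAMPLE_NATIVE)` flags only `prod-exports`: `logs-archive` has one distinct native category and `static-site` has no qualifying GuardDuty finding.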

Suggested Action

Secure and examine the resource in question to see if it is behaving in an expected manner. If the activity is expected, you can suppress the finding to prevent false positives on this resource. If the activity is unexpected, you should assume the resource is compromised and act accordingly per the remediation steps.

Remediation Steps

Follow these instructions to ensure future activity is appropriately monitored on your S3 buckets:

  1. Identify and audit all your Amazon S3 buckets.
  2. Implement monitoring using AWS monitoring tools.
  3. Enable Amazon S3 server access logging.
  4. Use AWS CloudTrail.

Follow these instructions to determine if the S3 bucket activity is malicious:

  1. Identify the affected S3 resource. A GuardDuty finding for S3 lists the S3 bucket, the bucket's Amazon Resource Name (ARN) and the bucket owner in the finding details.
  2. Identify the source of the suspicious activity and the API call used. The API call is listed in the finding details. The source should be an IAM principal (an IAM user, role, or account) with identifying details listed in the finding. Depending on the source type, the remote IP or source domain will be available and can help you evaluate whether the source was authorized. If the finding involved credentials from an EC2 instance, the details for that instance are also included.
  3. Determine whether the call source was authorized to access the identified resource. Contact the user of the credentials to determine if the activity was intentional.

If the access was authorized, you can ignore the finding. If you determine that your S3 data has been exposed to or accessed by an unauthorized party, review the S3 security recommendations referenced below to tighten permissions and restrict access. Appropriate remediation depends on the needs of your specific environment.

Compliance Controls

Framework: MITRE ATT&CK Cloud
Control #: Collection-T1530
Control description: Adversaries may access data objects from improperly secured cloud storage. Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems. Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information. Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.
Framework: MITRE ATT&CK Cloud
Control #: Exfiltration-T1537
Control description: Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection. A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces. Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.

References

Check out these links for more information about remediating security issues discovered by GuardDuty.