-
Notifications
You must be signed in to change notification settings - Fork 388
/
Copy pathbaseline_of_open_s3_bucket_decommissioning.yml
64 lines (63 loc) · 4.34 KB
/
baseline_of_open_s3_bucket_decommissioning.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
name: Baseline Of Open S3 Bucket Decommissioning
id: 984e9022-b87b-499a-a260-8d0282c46ea2
version: 1
date: '2025-02-12'
author: Jose Hernandez
type: Baseline
status: production
description: |-
The following analytic identifies S3 buckets that were previously exposed to the public and have been subsequently deleted. It leverages AWS CloudTrail logs to track the lifecycle of potentially risky S3 bucket configurations. This activity is crucial for ensuring that public access to sensitive data is properly managed and decommissioned. By monitoring these events, organizations can ensure that exposed buckets are promptly deleted, reducing the risk of unauthorized access. Immediate investigation is recommended to confirm the proper decommissioning of these buckets and to ensure no sensitive data remains exposed. This baseline detection creates a lookup table of decommissioned buckets.csv and their associated events which can be used by detection searches to trigger alerts when decommissioned buckets are detected.
The following detections searches leverage this baseline search and the lookup table.
* Detect DNS Query to Decommissioned S3 Bucket
* Detect Web Access to Decommissioned S3 Bucket
search: '`cloudtrail` eventSource="s3.amazonaws.com" (eventName=DeleteBucket OR eventName=PutBucketPolicy OR eventName=PutBucketWebsite)
| spath input=_raw path=requestParameters.bucketName output=bucketName
| spath input=_raw path=requestParameters.Host output=host
| spath input=_raw path=requestParameters.bucketPolicy.Statement{} output=statements
| spath input=statements output=principal path=Principal
| spath input=statements output=effect path=Effect
| spath input=statements output=action path=Action
| stats values(eventName) as events,
values(requestParameters.bucketPolicy) as policies,
values(principal) as principals,
values(effect) as effects,
values(action) as actions,
min(_time) as firstEvent,
max(_time) as lastEvent,
values(userIdentity.accountId) as accountIds,
values(userIdentity.arn) as userARNs,
values(awsRegion) as awsRegions,
values(host) as hosts
by bucketName
| eval isPublicPolicy = if( (mvfind(principals, "\\*")>=0) AND (mvfind(effects, "Allow")>=0) AND (mvfind(actions, "s3:GetObject")>=0), 1, 0)
| eval isWebsite = if(mvfind(events, "PutBucketWebsite")>=0, 1, 0)
| eval is_open = if(isPublicPolicy==1 OR isWebsite==1, 1, 0)
| where is_open==1 AND (mvfind(events, "DeleteBucket")>=0)
| eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
| eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
| table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
references:
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
tags:
analytic_story:
- AWS S3 Bucket Security Monitoring
- Suspicious AWS S3 Activities
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
detections:
- Detect DNS Query to Decommissioned S3 Bucket
- Detect Web Access to Decommissioned S3 Bucket
security_domain: audit
deployment:
scheduling:
cron_schedule: 0 2 * * 0
earliest_time: -30d@d
latest_time: -1d@d
schedule_window: auto