LoFP / administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.

Techniques

• t1580
• t1619

Sample rules

Potential Bucket Enumeration on AWS

• source: sigma
• technicques:
  • t1580
  • t1619

Description

Looks for potential enumeration of AWS buckets via ListBuckets.

Detection logic

condition: selection and not filter
filter:
  userIdentity.type: AssumedRole
selection:
  eventName: ListBuckets
  eventSource: s3.amazonaws.com