external account ids or broken automation may trigger this rule. for accessdenied (http 403 forbidden), s3 doesn't charge the bucket owner when the request is initiated outside of the bucket owner's individual aws account or the bucket owner's aws organization.

T1530
t1619
T1657
aws
elastic

Techniques

T1530
T1619
T1657

Sample rules

AWS S3 Bucket Enumeration or Brute Force

source: elastic
technicques:
- T1530
- T1619
- T1657

Description

Identifies a high number of failed S3 operations against a single bucket from a single source address within a short timeframe. This activity can indicate attempts to collect bucket objects or cause an increase in billing to an account via internal “AccessDenied” errors.

Detection logic

  event.dataset: "aws.cloudtrail" and 
  event.provider : "s3.amazonaws.com" and 
  aws.cloudtrail.error_code : "AccessDenied" and 
  tls.client.server_name : *