LoFP / Legitimate changes to share an S3 bucket with an external account may be identified as false positives, but cross-account bucket sharing via bucket policy is not best practice.

Techniques

Sample rules

AWS S3 Bucket Policy Added to Share with External Account

Description

Identifies an AWS S3 bucket policy change that shares permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account, which can be used to exfiltrate data or to hand access to other adversaries. This rule identifies successful changes to a bucket policy via the PutBucketPolicy API call where the logged request parameters contain an Effect=Allow statement and do not contain the AWS account ID of the bucket owner (the CloudTrail recipient account). Because the match is a substring test over the whole flattened request, two consequences follow: a policy whose only Allow principal is a wildcard (a public bucket) also matches, since no account ID is present; and a policy that grants an external account access in one statement while another statement names a principal in the owner's account does not match, because the owner's account ID appears somewhere in the parameters. Reviewing the actual policy statements rather than the flattened string closes that gap.

Detection logic

any where event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "PutBucketPolicy" and event.outcome == "success"
    and stringContains(aws.cloudtrail.request_parameters, "Effect=Allow")
    and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipient_account_id)
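The following is an added example and is not part of the LoFP page or of the Elastic rule quoted above. It re-implements the query's clauses as a Python predicate and runs them over constructed CloudTrail events (the account IDs, ARNs, bucket name and the key=value flattening of request_parameters are all assumptions), alongside a per-statement check that parses the bucket policy. Running it shows the two behaviours worth knowing before tuning the rule: a mixed policy that names both an internal role and an external account slips past the substring test, and a public (Principal "*") policy fires even though no external account ID is present.

```python
"""Added example, not part of the LoFP page or of the Elastic rule it quotes.
Re-implements the rule's string checks in Python over constructed CloudTrail
events, beside a per-statement check that parses the bucket policy.
Account IDs, ARNs, bucket name and event layout are all assumptions."""
import re

OWNER = "111111111111"          # assumed bucket-owner account (recipient_account_id)
EXTERNAL_PRINCIPAL = "arn:aws:iam::222222222222:root"
INTERNAL_PRINCIPAL = f"arn:aws:iam::{OWNER}:role/app"
ACCOUNT_ID = re.compile(r"\b\d{12}\b")


def flatten(value) -> str:
    """Approximate the key=value flattening Elastic applies when it stores
    aws.cloudtrail.request_parameters as a single string (assumed format)."""
    if isinstance(value, dict):
        return "{" + ", ".join(f"{k}={flatten(v)}" for k, v in value.items()) + "}"
    if isinstance(value, list):
        return "[" + ", ".join(flatten(v) for v in value) + "]"
    return str(value)


def statement(sid, effect, principal):
    return {"Sid": sid, "Effect": effect, "Principal": principal,
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}


# Constructed policies, one per scenario the rule has to handle.
SAMPLE_POLICIES = {
    "external_share": [statement("Ext", "Allow", {"AWS": EXTERNAL_PRINCIPAL})],
    "internal_only": [statement("Int", "Allow", {"AWS": INTERNAL_PRINCIPAL})],
    "mixed": [statement("Int", "Allow", {"AWS": INTERNAL_PRINCIPAL}),
              statement("Ext", "Allow", {"AWS": EXTERNAL_PRINCIPAL})],
    "deny_external": [statement("DenyExt", "Deny", {"AWS": EXTERNAL_PRINCIPAL})],
    "public": [statement("Public", "Allow", "*")],
}


def make_event(statements, outcome="success"):
    """Constructed ECS-style CloudTrail event for a PutBucketPolicy call."""
    policy = {"Version": "2012-10-17", "Statement": statements}
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "s3.amazonaws.com",
                  "action": "PutBucketPolicy", "outcome": outcome},
        "aws": {"cloudtrail": {
            "recipient_account_id": OWNER,
            "request_parameters": flatten({"bucketPolicy": policy,
                                           "bucketName": "example-bucket"}),
        }},
    }


def rule_matches(event) -> bool:
    """The EQL query above, clause for clause, as a Python predicate."""
    ev, ct = event["event"], event["aws"]["cloudtrail"]
    params = ct["request_parameters"]
    return (ev["dataset"] == "aws.cloudtrail"
            and ev["provider"] == "s3.amazonaws.com"
            and ev["action"] == "PutBucketPolicy"
            and ev["outcome"] == "success"
            and "Effect=Allow" in params
            and ct["recipient_account_id"] not in params)


def external_allow_sids(statements, owner=OWNER):
    """Per-statement check: Sids of Allow statements whose AWS principal is a
    wildcard or names an account other than the owner. Service principals
    (e.g. a CloudFront OAI) are deliberately not treated as external."""
    hits = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*" or any(a != owner for a in ACCOUNT_ID.findall(p)):
                hits.append(st.get("Sid"))
                break
    return hits


def evaluate(name, outcome="success"):
    """Return (rule fired, Sids the parsed check flags) for one scenario."""
    statements = SAMPLE_POLICIES[name]
    return rule_matches(make_event(statements, outcome)), external_allow_sids(statements)


if __name__ == "__main__":
    for name in SAMPLE_POLICIES:
        fired, sids = evaluate(name)
        print(f"{name:15s} rule={fired!s:5s} parsed={sids}")
```

The "mixed" scenario is the one to remember when triaging: the substring test stays silent because the owner's account ID appears in the internal statement, while the parsed check still flags the external grant. Conversely "public" fires under the rule even though no foreign account is named, which is still worth an alert but is a different finding than the rule title suggests.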