LoFP

Legitimate CI/CD pipelines, infrastructure tooling, or configuration management systems may retrieve secret files from S3 as part of their normal operation. Validate the calling identity, user agent, and source IP against known automation accounts and expected access patterns.

Techniques

Sample rules

AWS S3 Credential File Retrieved from Bucket

Description

Detects successful S3 GetObject calls targeting high-value credential and secret files commonly stored in S3 buckets: AWS credentials files (".aws/credentials", ".aws/config"), SSH private keys ("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"), environment files (".env"), PEM and PuTTY key files, and other private key patterns. These file types are high-yield targets for credential harvesting from S3. The rule excludes the AWSService identity type to suppress S3 replication, Glacier restore, and other AWS-internal data movement that legitimately reads these files.

Detection logic

data_stream.dataset: "aws.cloudtrail" and
    event.provider: "s3.amazonaws.com" and
    event.action: "GetObject" and
    event.outcome: "success" and
    aws.cloudtrail.flattened.request_parameters.key: (
        */.aws/credentials or
        */.aws/config or
        */id_rsa or
        */id_ed25519 or
        */id_ecdsa or
        */id_dsa or
        */.env or
        */.env.* or
        *.ppk or
        *.pem or
        *.key or
        *private_key* or
        */.ssh/authorized_keys
    ) and
    not aws.cloudtrail.user_identity.type: "AWSService"
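The following is an added example, not part of the rule or the page above, showing the detection logic re-implemented in Python over a handful of constructed CloudTrail-derived events, followed by the triage step the LoFP note describes: a hit is only suppressed when the caller ARN, user agent and source IP all match a known automation entry. The flattened ECS-style field names (`aws.cloudtrail.user_identity.arn`, `user_agent.original`, `source.ip`), the allowlist contents, ARNs, IPs and object keys are all assumptions constructed for the demonstration.

```python
import fnmatch
import ipaddress

# Object-key patterns from the rule, in glob form (same wildcard semantics).
SECRET_KEY_PATTERNS = (
    "*/.aws/credentials", "*/.aws/config",
    "*/id_rsa", "*/id_ed25519", "*/id_ecdsa", "*/id_dsa",
    "*/.env", "*/.env.*",
    "*.ppk", "*.pem", "*.key", "*private_key*",
    "*/.ssh/authorized_keys",
)

# Hypothetical allowlist of automation identities (constructed for this example).
# A hit is suppressed only when identity, user agent AND source IP all match.
KNOWN_AUTOMATION = {
    "arn:aws:sts::111122223333:assumed-role/ci-deploy-role/github-runner": {
        "user_agent_prefixes": ("aws-cli/", "aws-sdk-go/"),
        "source_cidrs": ("10.20.0.0/16",),
    },
}


def matches_rule(event):
    """Re-implements the rule's boolean logic over a flattened event (field names assumed)."""
    if event.get("data_stream.dataset") != "aws.cloudtrail":
        return False
    if event.get("event.provider") != "s3.amazonaws.com":
        return False
    if event.get("event.action") != "GetObject" or event.get("event.outcome") != "success":
        return False
    if event.get("aws.cloudtrail.user_identity.type") == "AWSService":
        return False  # replication, Glacier restore etc. are excluded by the rule
    key = event.get("aws.cloudtrail.flattened.request_parameters.key", "")
    # fnmatchcase keeps the match case-sensitive, like a KQL wildcard on a keyword field
    return any(fnmatch.fnmatchcase(key, p) for p in SECRET_KEY_PATTERNS)


def is_known_automation(event):
    """LoFP check: caller ARN, user agent and source IP must all match one allowlist entry."""
    entry = KNOWN_AUTOMATION.get(event.get("aws.cloudtrail.user_identity.arn", ""))
    if entry is None:
        return False
    if not event.get("user_agent.original", "").startswith(entry["user_agent_prefixes"]):
        return False
    try:
        ip = ipaddress.ip_address(event.get("source.ip", ""))
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c) for c in entry["source_cidrs"])


def triage(event):
    """Returns 'no_match', 'allowlisted' or 'alert' for one event."""
    if not matches_rule(event):
        return "no_match"
    if is_known_automation(event):
        return "allowlisted"
    return "alert"


def _s3_get(key, arn, ident_type="AssumedRole", ua="aws-cli/2.15.0", ip="10.20.5.7"):
    # Builds a constructed event carrying only the fields the rule and triage read.
    return {
        "data_stream.dataset": "aws.cloudtrail",
        "event.provider": "s3.amazonaws.com",
        "event.action": "GetObject",
        "event.outcome": "success",
        "aws.cloudtrail.flattened.request_parameters.key": key,
        "aws.cloudtrail.user_identity.type": ident_type,
        "aws.cloudtrail.user_identity.arn": arn,
        "user_agent.original": ua,
        "source.ip": ip,
    }


CI_ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy-role/github-runner"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"

# Constructed sample events: one expected automation read, three that should alert,
# and two the rule should not match at all.
SAMPLE_EVENTS = {
    "ci_env_file": _s3_get("deploy/prod/.env", CI_ROLE),
    "ci_from_unexpected_ip": _s3_get("deploy/prod/.env", CI_ROLE, ip="203.0.113.9"),
    "ci_odd_user_agent": _s3_get("deploy/prod/.env", CI_ROLE, ua="python-requests/2.31"),
    "user_reads_ssh_key": _s3_get("backups/home/.ssh/id_rsa", CONTRACTOR, ident_type="IAMUser",
                                  ua="python-requests/2.31", ip="198.51.100.23"),
    "service_replication": _s3_get("config/.aws/credentials", "", ident_type="AWSService"),
    "non_secret_object": _s3_get("images/logo.png", CONTRACTOR, ident_type="IAMUser"),
}


def triage_all(events=SAMPLE_EVENTS):
    """Runs triage over every sample event and returns {name: verdict}."""
    return {name: triage(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:24s} {verdict}")
```

Requiring all three attributes to match before suppressing is deliberate: a known CI role reading `.env` from an unexpected IP, or with a tool the pipeline never uses, still raises an alert, which is the "expected access patterns" part of the LoFP note.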