LoFP

This rule does not by itself differentiate whether the same policy also includes Deny statements that restrict public access. If a policy includes both Effect=Allow and Effect=Deny with Principal:"*", this rule may still trigger. Such cases should be manually analyzed to verify whether the Deny statement effectively negates the public exposure.

Techniques

Sample rules

AWS S3 Bucket Policy Added to Allow Public Access

Description

Detects when an Amazon S3 bucket policy is modified to grant public access using a wildcard (Principal:"*") statement. This rule analyzes PutBucketPolicy events that include both Effect=Allow and Principal:"*" in the request parameters, indicating that permissions were extended to all identities, potentially making the bucket or its contents publicly accessible. Publicly exposing an S3 bucket is one of the most common causes of sensitive data leaks in AWS environments. Whether the exposure results from an adversary's change or from a misconfiguration, it can be leveraged to exfiltrate data, host malicious content, or collect credentials and logs left in open storage.

Detection logic

info where event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "PutBucketPolicy" 
    and event.outcome == "success"
    and stringContains(aws.cloudtrail.request_parameters, "Effect=Allow")
    and stringContains(aws.cloudtrail.request_parameters, "Principal=\\*")
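The detection above fires on the presence of Effect=Allow and a wildcard Principal, so the false-positive case from the note (a public Allow fully cancelled by an unconditional public Deny) has to be separated at triage time. The following triage helper is an added example, not part of the rule or of any vendor's code: it parses the bucket policy JSON from the PutBucketPolicy request and reports which (action, resource) pairs a wildcard Allow grants that no unconditional wildcard Deny removes. The sample policies and the bucket name are constructed; conditioned Denies are conservatively treated as not negating, and NotAction/NotResource forms are not modelled (assumptions).

```python
import fnmatch
import json

def _as_list(value):
    """Action, Resource and Principal["AWS"] may be a string or a list."""
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    """True for the public forms the rule keys on: "*" or {"AWS": "*"}."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def _denies(stmt, action, resource):
    """True if stmt is an unconditional public Deny covering the pair. Conditioned
    denies are treated as not negating; NotAction/NotResource are not modelled."""
    if stmt.get("Effect") != "Deny" or stmt.get("Condition"):
        return False
    if not is_wildcard_principal(stmt.get("Principal")):
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def still_public(policy_json):
    """(action, resource) pairs granted to Principal "*" that no unconditional
    public Deny removes. Empty = the LoFP case; anything returned is real exposure."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    exposed = []
    for s in statements:
        if s.get("Effect") != "Allow" or not is_wildcard_principal(s.get("Principal")):
            continue
        for action in _as_list(s.get("Action", [])):
            for resource in _as_list(s.get("Resource", [])):
                if not any(_denies(d, action, resource) for d in statements):
                    exposed.append((action, resource))
    return exposed

# Constructed sample policies (not from any real account). FP_POLICY is the LoFP
# shape: the public Allow is fully cancelled by an unconditional public Deny.
# EXPOSED_POLICY only denies plaintext HTTP, so objects stay readable over HTTPS.
ALLOW = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}
FP_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ALLOW,
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ALLOW,
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
```

Running `still_public(FP_POLICY)` returns an empty list (triage as likely false positive), while `still_public(EXPOSED_POLICY)` returns the GetObject grant because a Deny gated on aws:SecureTransport leaves HTTPS reads open.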