LoFP / valid usage of s3 browser with accidental creation of default inline iam policy without changing default s3 bucket name placeholder value

Techniques

Sample rules

AWS IAM S3Browser Templated S3 Bucket Policy Creation

Description

Detects the S3 Browser utility creating an inline IAM policy that still contains the default S3 bucket name placeholder value “<YOUR-BUCKET-NAME>”.

Detection logic

condition: selection
selection:
  eventName: PutUserPolicy
  eventSource: iam.amazonaws.com
  requestParameters|contains|all:
  - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
  - '"s3:GetObject"'
  - '"Allow"'
  userAgent|contains: S3 Browser
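An added example, not part of the LoFP page or the Sigma rule, that applies the selection above to constructed CloudTrail-style records in Python: it flags the unchanged S3 Browser template and leaves the benign case, where the operator replaced the placeholder, unflagged. Field names follow CloudTrail's PutUserPolicy record; matching the three fragments against the policyDocument text is an assumption about how a backend evaluates requestParameters|contains|all.

```python
import json

# Constructed CloudTrail-style records (not real logs): the unchanged S3 Browser
# template (true positive), the same policy with the placeholder replaced
# (benign, should not fire), and a template pushed by a different client.
TEMPLATE_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": ["arn:aws:s3:::<YOUR-BUCKET-NAME>/*"]}]})
EDITED_DOC = TEMPLATE_DOC.replace("<YOUR-BUCKET-NAME>", "finance-reports")

SAMPLE_EVENTS = [
    {"eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com",
     "userAgent": "S3 Browser 11.0.0 https://s3browser.com",
     "requestParameters": {"userName": "alice", "policyName": "S3BrowserPolicy",
                           "policyDocument": TEMPLATE_DOC}},
    {"eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com",
     "userAgent": "S3 Browser 11.0.0 https://s3browser.com",
     "requestParameters": {"userName": "bob", "policyName": "S3BrowserPolicy",
                           "policyDocument": EDITED_DOC}},
    {"eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com",
     "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"userName": "carol", "policyName": "ReadOnly",
                           "policyDocument": TEMPLATE_DOC}},
]

# The three fragments from the rule's requestParameters|contains|all list.
REQUIRED_FRAGMENTS = (
    '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"',
    '"s3:GetObject"',
    '"Allow"',
)


def matches_rule(event):
    """True when every selection field of the rule holds for this event.

    Exact match on eventName/eventSource, substring on userAgent, and all
    fragments present in the policy text (assumption: the backend applies
    |contains to the JSON text of requestParameters.policyDocument)."""
    if event.get("eventName") != "PutUserPolicy":
        return False
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if "S3 Browser" not in event.get("userAgent", ""):
        return False
    policy_text = event.get("requestParameters", {}).get("policyDocument", "")
    return all(fragment in policy_text for fragment in REQUIRED_FRAGMENTS)


def find_placeholder_policies(events):
    """Return (userName, policyName) pairs for every event the rule flags."""
    return [(e["requestParameters"]["userName"], e["requestParameters"]["policyName"])
            for e in events if matches_rule(e)]
```

A hit names a user whose inline policy grants s3:GetObject on a bucket that cannot exist, so triage is a quick check of whether the operator simply forgot to edit the template before deciding to delete the policy.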