S3 Bucket Public Exposure via Wildcard Principal Policy
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects S3 bucket policy changes granting public access via Principal:* wildcard.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "All S3 Bucket Activity" AND (LOG_EVENT_NAME = "PutBucketPolicy" AND REQUESTPARAMETERS contains "Principal:*")
select Action1.CALLER,Action1.SOURCE,Action1.LOG_EVENT_NAME,Action1.EVENTSOURCE,Action1.IPADDRESS,Action1.BUCKETNAME,Action1.REQUESTPARAMETERS
Detection
Execution Mode
realtime
Log Sources
AWS


