S3 Bucket Public Exposure via Wildcard Principal Policy

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects S3 bucket policy changes granting public access via Principal:* wildcard.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "All S3 Bucket Activity" AND (LOG_EVENT_NAME = "PutBucketPolicy" AND REQUESTPARAMETERS contains "Principal:*") select Action1.CALLER,Action1.SOURCE,Action1.LOG_EVENT_NAME,Action1.EVENTSOURCE,Action1.IPADDRESS,Action1.BUCKETNAME,Action1.REQUESTPARAMETERS

Detection

Execution Mode

realtime

Log Sources

AWS