
How to detect S3 bucket access anomalies

Understanding the threat

Unusual access to an S3 bucket, such as unexpected reads, writes, permission changes, or disabled logging, can indicate data theft or attempts to hide activity. Attackers may use valid or compromised AWS credentials to list, download, or modify sensitive objects. If logging is turned off or access occurs at odd hours, these actions may go unnoticed by administrators. Since S3 buckets often store backups, logs, and customer data, unauthorized access can result in data loss, exposure, and even operational problems.

Log360 collects AWS CloudTrail logs for S3 buckets and monitors bucket activity and configuration changes. It includes built-in detection rules that alert you when access logging is disabled, bucket settings are modified, or stored data is tampered with. This provides visibility into suspicious activity and helps prevent potential data breaches.

Category

Cloud

MITRE ATT&CK® mapping

T1078.004 | Valid Accounts: Cloud Accounts

T1530 | Data from Cloud Storage

Scenario

An application team uses an S3 bucket to store daily data backups. An attacker obtains compromised IAM credentials belonging to a seldom-used maintenance account. At 2:45 am (outside regular business hours), the attacker disables server-access logging on the backup bucket, lists the bucket's contents, and downloads a large volume of files. Later that same night, they also delete several backup snapshots. Because logging is disabled and the download occurs off-hours, their activity goes unnoticed when normal operations resume.

Why this happens

  • The attacker seeks to exfiltrate sensitive or valuable data stored in the bucket.
  • Disabling logging hides their actions and reduces forensic visibility.
  • Using a maintenance account that rarely operates makes their activity look less suspicious.
  • Performing their actions off-hours reduces the chance of someone noticing immediately.

What can go wrong

  • Sensitive or regulated data can be exfiltrated, potentially causing a compliance or privacy breach.
  • Backups or logs may be deleted, impairing data recovery or forensic investigations.
  • Bucket configuration changes (access control, ACLs, policies) may expose data publicly or to unauthorized parties.
  • Loss of visibility due to disabled access logging may make detection and incident response harder.

Prerequisites

  • CloudTrail must be enabled for both data and management events for S3 buckets. This ensures that object-level API calls, such as GET, PUT, DELETE, and ListBucket, as well as bucket configuration changes, are logged.
  • Your AWS account must forward CloudTrail logs to Log360 for analysis.
  • Logging of S3 server-access configuration changes must be captured so that disabling logging can trigger alerts.
  • You should have a baseline of normal bucket usage, including which accounts typically access which buckets, expected access times, and typical object volumes. This baseline helps distinguish legitimate activity from anomalies.

Detecting S3 bucket access anomalies using Log360

  • Confirm that CloudTrail is configured to log both data events and management events for all S3 buckets, including object-level actions and configuration changes.
  • Forward these CloudTrail logs into Log360 and ensure AWS is properly configured as a log source.
  • In Log360, go to Security > Manage Rules > Rule Library. Enable relevant pre-built rules, including AWS S3 Bucket Server Access Logging Disabled, AWS S3 Data Management Tampering, and AWS S3 Bucket Expiration Lifecycle Configuration Added. These rules will detect disabled logging, configuration changes, and potential tampering.
  • Review each alert carefully. Check which IAM principal performed the action, which bucket was affected, what triggered the alert, as well as the timestamp and region.
  • Treat unexpected data-modifying API calls, logging changes, and configuration modifications during abnormal hours or by unusual users as suspicious. Investigate each action by reviewing object access logs, bucket policy history, and recent IAM activity.
  • If malicious activity is confirmed, restore logging; review bucket contents for unauthorized downloads or deletions; audit the credentials used; rotate or disable compromised credentials; and enforce stricter access controls, such as least privilege policies and multi-factor authentication.
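The rules above (logging disabled, configuration changes, off-hours or unexpected-principal activity, bulk reads, deletions) can be expressed as plain detection logic over CloudTrail records. The following Python script is an added example written for this page; it is not Log360 code and does not reproduce Log360's rule library. It runs offline over constructed events that mimic the scenario above, using a simplified CloudTrail record layout (eventTime, eventName, awsRegion, userIdentity.arn, requestParameters). The baseline, the business-hours window, the per-hour download threshold, the account ID and the principal ARNs are all assumptions chosen for the example.

```python
"""Toy S3 access-anomaly detector over CloudTrail-style events (added example, not Log360 code).

Events are constructed for this example and approximate the CloudTrail record
layout. The BASELINE profile, thresholds and principal names are assumptions.
"""
from collections import Counter
from datetime import datetime, timezone

# Assumed baseline for one bucket: who normally touches it, when, and how much.
# In practice this comes from the bucket inventory kept as described in the
# "Next steps" section of the page.
BASELINE = {
    "app-backups": {
        "expected_principals": {"arn:aws:iam::111122223333:role/backup-writer"},
        "business_hours_utc": (8, 18),   # 08:00 <= hour < 18:00 is "normal"
        "max_gets_per_hour": 50,          # GetObject calls per principal per hour
    },
}

# Object-level (data) and bucket-configuration (management) event names to inspect.
DATA_EVENTS = {"GetObject", "PutObject", "DeleteObject", "DeleteObjects",
               "ListBucket", "ListObjects", "ListObjectsV2"}
CONFIG_EVENTS = {"PutBucketLogging", "PutBucketPolicy", "PutBucketAcl",
                 "PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
MONITORED = DATA_EVENTS | CONFIG_EVENTS


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 with a trailing 'Z'; normalise to aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def logging_disabled(event):
    """A PutBucketLogging call whose BucketLoggingStatus lacks a LoggingEnabled
    block turns server-access logging off for the bucket."""
    status = event.get("requestParameters", {}).get("BucketLoggingStatus") or {}
    return event["eventName"] == "PutBucketLogging" and "LoggingEnabled" not in status


def detect_anomalies(events, baseline=BASELINE):
    """Return one finding per (rule, principal, bucket, UTC hour) with an event count,
    so a burst of 60 downloads becomes one alert carrying count=60, not 60 alerts."""
    findings = {}
    get_counts = Counter()   # (principal, bucket, hour) -> GetObject count
    for ev in events:
        name = ev["eventName"]
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket not in baseline or name not in MONITORED:
            continue
        profile = baseline[bucket]
        principal = ev["userIdentity"]["arn"]
        when = parse_time(ev["eventTime"])
        hour = when.strftime("%Y-%m-%dT%H")

        def tag(rule):
            key = (rule, principal, bucket, hour)
            f = findings.setdefault(key, {
                "rule": rule, "principal": principal, "bucket": bucket,
                "region": ev["awsRegion"], "hour_utc": hour,
                "first_seen": ev["eventTime"], "count": 0})
            f["count"] += 1

        if logging_disabled(ev):
            tag("server_access_logging_disabled")
        elif name in CONFIG_EVENTS:
            tag("bucket_configuration_changed")
        if principal not in profile["expected_principals"]:
            tag("unexpected_principal")
        start, end = profile["business_hours_utc"]
        if not (start <= when.hour < end):
            tag("off_hours_activity")
        if name in {"DeleteObject", "DeleteObjects"}:
            tag("object_deleted")
        if name == "GetObject":
            get_counts[(principal, bucket, hour)] += 1
            # Fire once, the moment the per-hour threshold is exceeded.
            if get_counts[(principal, bucket, hour)] == profile["max_gets_per_hour"] + 1:
                tag("bulk_download")
    return list(findings.values())


# --- Constructed sample events reproducing the page's scenario (not real data) ---
LEGIT = "arn:aws:iam::111122223333:role/backup-writer"      # assumed ARN
ATTACKER = "arn:aws:iam::111122223333:user/maintenance-svc"  # assumed ARN


def make_event(name, principal, ts, extra=None):
    params = {"bucketName": "app-backups", **(extra or {})}
    return {"eventTime": ts, "eventName": name, "awsRegion": "us-east-1",
            "userIdentity": {"arn": principal}, "requestParameters": params}


SAMPLE_EVENTS = (
    [make_event("PutObject", LEGIT, "2024-05-12T10:15:00Z", {"key": "daily/2024-05-12.tar.gz"})]
    + [make_event("PutBucketLogging", ATTACKER, "2024-05-13T02:45:10Z", {"BucketLoggingStatus": {}})]
    + [make_event("ListObjectsV2", ATTACKER, "2024-05-13T02:46:02Z")]
    + [make_event("GetObject", ATTACKER, f"2024-05-13T02:47:{i:02d}Z", {"key": f"daily/snap-{i:03d}.tar.gz"})
       for i in range(60)]
    + [make_event("DeleteObject", ATTACKER, "2024-05-13T03:30:00Z", {"key": f"daily/snap-{i:03d}.tar.gz"})
       for i in range(3)]
)

if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_EVENTS):
        print(f"{f['hour_utc']} {f['rule']:32} {f['principal']} count={f['count']}")
```

Run as-is it prints seven grouped alerts: the logging-disabled event, the unexpected principal and off-hours activity in each of the two hours, the three deletions, and one bulk-download alert raised when the 51st GetObject arrives. The legitimate backup write at 10:15 by the expected role produces nothing. Grouping by rule, principal, bucket and hour is a deliberate choice so that each alert already carries the fields step 4 above says to review (principal, bucket, trigger, timestamp, region).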

Next steps

  • Maintain an inventory of all S3 buckets, their purpose, and expected access patterns. Use this as your baseline for monitoring.
  • Activate and tune the Log360 S3 detection rules and define trusted IAM principals and legitimate change windows to reduce false positives.
  • Configure alert notifications in Log360 so the security team is informed immediately when suspicious activity occurs.
  • Periodically review bucket configurations, IAM permissions, and access patterns, especially after major changes such as new applications or credential rotation.
  • Combine S3 monitoring with other cloud telemetry, such as IAM activity logs, network logs, and audit logs, to provide full context during investigations.