URL: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html



GuardDuty S3 finding types - Amazon GuardDuty


GUARDDUTY S3 FINDING TYPES


The following findings are specific to Amazon S3 resources and will have a
Resource Type of S3Bucket if the data source is CloudTrail data events for S3,
or AccessKey if the data source is CloudTrail management events. The severity
and details of the findings will differ based on the finding type and the
permission associated with the bucket.

The findings listed here include the data sources and models used to generate
that finding type. For more information about data sources and models, see
Foundational data sources.

IMPORTANT

Findings with a data source of CloudTrail data events for S3 are only generated
if you have S3 protection enabled for GuardDuty. S3 protection is enabled by
default in all accounts created after July 31, 2020. For information about how
to enable or disable S3 protection, see Amazon S3 Protection in Amazon GuardDuty.

For all S3Bucket type findings, it is recommended that you examine the
permissions on the bucket in question and the permissions of any users involved
in the finding. If the activity is unexpected, see the remediation
recommendations detailed in Remediating a compromised S3 bucket.
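The rule above (S3Bucket for data-event findings, AccessKey for management-event findings), the default severities, and the per-type follow-up steps on this page can be turned into a small triage routine. The following is an added example, not AWS or GuardDuty code: the finding field paths it reads (type, severity, resource.resourceType, resource.s3BucketDetails[].publicAccess.effectivePermission, service.additionalInfo.threatListName) are assumed to follow the GuardDuty finding format, and the sample findings are constructed. It also applies the effectivePermission UNKNOWN caveat from the Policy:S3 sections below.

```python
"""Triage helpers for the GuardDuty S3 finding types listed on this page.

Added example, not AWS code. Field paths are assumptions about the GuardDuty
finding format; SAMPLE_FINDINGS is constructed data.
"""
import json

# Finding types on this page, grouped by the data source the page lists for each.
S3_DATA_EVENT_TYPES = frozenset({
    "Discovery:S3/AnomalousBehavior", "Discovery:S3/MaliciousIPCaller",
    "Discovery:S3/MaliciousIPCaller.Custom", "Discovery:S3/TorIPCaller",
    "Exfiltration:S3/AnomalousBehavior", "Exfiltration:S3/MaliciousIPCaller",
    "Impact:S3/AnomalousBehavior.Delete", "Impact:S3/AnomalousBehavior.Permission",
    "Impact:S3/AnomalousBehavior.Write", "Impact:S3/MaliciousIPCaller",
    "PenTest:S3/KaliLinux", "PenTest:S3/ParrotLinux", "PenTest:S3/PentooLinux",
    "UnauthorizedAccess:S3/MaliciousIPCaller.Custom", "UnauthorizedAccess:S3/TorIPCaller",
})
MANAGEMENT_EVENT_TYPES = frozenset({
    "Policy:S3/AccountBlockPublicAccessDisabled", "Policy:S3/BucketAnonymousAccessGranted",
    "Policy:S3/BucketBlockPublicAccessDisabled", "Policy:S3/BucketPublicAccessGranted",
    "Stealth:S3/ServerAccessLoggingDisabled",
})
# Per-type follow-up steps taken from this page's remediation recommendations.
EXTRA_ACTIONS = {
    "Impact:S3/AnomalousBehavior.Delete": "audit bucket contents; decide whether previous object versions should be restored",
    "Impact:S3/AnomalousBehavior.Permission": "audit bucket contents; confirm no object became publicly accessible",
    "Impact:S3/AnomalousBehavior.Write": "audit bucket contents; confirm no malicious or unauthorized data was written",
    "Policy:S3/AccountBlockPublicAccessDisabled": "audit the permissions applied to every bucket in the account",
    "Policy:S3/BucketBlockPublicAccessDisabled": "audit the policies and ACLs applied to the bucket",
}


def expected_resource_type(finding_type):
    """Resource Type the page says a finding carries, derived from its data source."""
    if finding_type in S3_DATA_EVENT_TYPES:
        return "S3Bucket"
    if finding_type in MANAGEMENT_EVENT_TYPES:
        return "AccessKey"
    return None  # not an S3 finding type from this page


def severity_label(score):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage(finding):
    """Summarize one finding dict into a flat triage record."""
    ftype = finding["type"]
    tactic, _, name = ftype.partition(":")
    resource = finding.get("resource", {})
    service = finding.get("service", {})
    buckets = resource.get("s3BucketDetails", [])
    result = {
        "type": ftype,
        "tactic": tactic,
        "severity": severity_label(float(finding["severity"])),
        "buckets": [b.get("name") for b in buckets],
        "expected_resource_type": expected_resource_type(ftype),
        "resource_type_mismatch": False,
        "ip_based": "MaliciousIPCaller" in name or "TorIPCaller" in name,
        "custom_threat_list": None,
        "exposure_unknown": False,
        "actions": ["examine the bucket's permissions and those of every principal in the finding"],
    }
    expected = result["expected_resource_type"]
    if expected is not None and resource.get("resourceType") != expected:
        result["resource_type_mismatch"] = True  # unexpected shape: inspect before automating
    if name.endswith(".Custom"):  # threat list name lives in Additional information
        result["custom_threat_list"] = service.get("additionalInfo", {}).get("threatListName")
    if tactic == "Policy" and name.endswith("Granted"):
        perms = {b.get("publicAccess", {}).get("effectivePermission") for b in buckets}
        if "UNKNOWN" in perms:  # explicit deny or Block Public Access may mask the real state
            result["exposure_unknown"] = True
            result["actions"].append("effectivePermission is UNKNOWN: re-check the bucket's current public status")
    if ftype in EXTRA_ACTIONS:
        result["actions"].append(EXTRA_ACTIONS[ftype])
    return result


def triage_all(findings):
    """Triage a list of findings, highest severity first."""
    order = ("High", "Medium", "Low")
    return sorted((triage(f) for f in findings), key=lambda r: order.index(r["severity"]))


# Constructed sample findings (not real GuardDuty output).
SAMPLE_FINDINGS = [
    {"type": "Discovery:S3/AnomalousBehavior", "severity": 2,
     "resource": {"resourceType": "S3Bucket", "s3BucketDetails": [{"name": "example-logs"}]}},
    {"type": "UnauthorizedAccess:S3/TorIPCaller", "severity": 8,
     "resource": {"resourceType": "S3Bucket", "s3BucketDetails": [{"name": "example-data"}]},
     "service": {"action": {"awsApiCallAction": {"api": "PutObjectAcl"}}}},
    {"type": "Policy:S3/BucketAnonymousAccessGranted", "severity": 8,
     "resource": {"resourceType": "AccessKey",
                  "s3BucketDetails": [{"name": "example-data", "publicAccess": {"effectivePermission": "UNKNOWN"}}]}},
    {"type": "Discovery:S3/MaliciousIPCaller.Custom", "severity": 8,
     "resource": {"resourceType": "S3Bucket"},
     "service": {"additionalInfo": {"threatListName": "partner-blocklist"}}},
]

if __name__ == "__main__":
    print(json.dumps(triage_all(SAMPLE_FINDINGS), indent=2))
```

The resource_type_mismatch flag is there for automation safety: a responder script that assumes an S3Bucket resource for a management-event finding (or the reverse) will read the wrong details block, so the record is marked rather than silently processed.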

TOPICS

 * Discovery:S3/AnomalousBehavior
 * Discovery:S3/MaliciousIPCaller
 * Discovery:S3/MaliciousIPCaller.Custom
 * Discovery:S3/TorIPCaller
 * Exfiltration:S3/AnomalousBehavior
 * Exfiltration:S3/MaliciousIPCaller
 * Impact:S3/AnomalousBehavior.Delete
 * Impact:S3/AnomalousBehavior.Permission
 * Impact:S3/AnomalousBehavior.Write
 * Impact:S3/MaliciousIPCaller
 * PenTest:S3/KaliLinux
 * PenTest:S3/ParrotLinux
 * PenTest:S3/PentooLinux
 * Policy:S3/AccountBlockPublicAccessDisabled
 * Policy:S3/BucketAnonymousAccessGranted
 * Policy:S3/BucketBlockPublicAccessDisabled
 * Policy:S3/BucketPublicAccessGranted
 * Stealth:S3/ServerAccessLoggingDisabled
 * UnauthorizedAccess:S3/MaliciousIPCaller.Custom
 * UnauthorizedAccess:S3/TorIPCaller


DISCOVERY:S3/ANOMALOUSBEHAVIOR


AN API COMMONLY USED TO DISCOVER S3 OBJECTS WAS INVOKED IN AN ANOMALOUS WAY.

Default severity: Low

 * Data source: CloudTrail data events for S3

This finding informs you that an IAM entity has invoked an S3 API to discover S3
buckets in your environment, such as ListObjects. This type of activity is
associated with the discovery stage of an attack wherein an attacker gathers
information to determine if your AWS environment is susceptible to a broader
attack. This activity is suspicious because the IAM entity invoked the API in an
unusual way. For example, an IAM entity with no previous history invokes an S3
API, or an IAM entity invokes an S3 API from an unusual location.

This API was identified as anomalous by GuardDuty's anomaly detection machine
learning (ML) model. The ML model evaluates all the API requests in your account
and identifies anomalous events that are associated with techniques used by
adversaries. It tracks various factors of the API requests, such as the user who
made the request, the location from which the request was made, the specific API
that was requested, the bucket that was requested, and the number of API calls
made. For more information on which factors of the API request are unusual for
the user identity that invoked the request, see Finding details.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


DISCOVERY:S3/MALICIOUSIPCALLER


AN S3 API COMMONLY USED TO DISCOVER RESOURCES IN AN AWS ENVIRONMENT WAS INVOKED
FROM A KNOWN MALICIOUS IP ADDRESS.

Default severity: High

 * Data source: CloudTrail data events for S3

This finding informs you that an S3 API operation was invoked from an IP address
that is associated with known malicious activity. The observed API is commonly
associated with the discovery stage of an attack when an adversary is gathering
information about your AWS environment. Examples include GetObjectAcl and
ListObjects.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


DISCOVERY:S3/MALICIOUSIPCALLER.CUSTOM


AN S3 API WAS INVOKED FROM AN IP ADDRESS ON A CUSTOM THREAT LIST.

Default severity: High

 * Data source: CloudTrail data events for S3

This finding informs you that an S3 API, such as GetObjectAcl or ListObjects,
was invoked from an IP address that is included on a threat list that you
uploaded. The threat list associated with this finding is listed in the
Additional information section of a finding's details. This type of activity is
associated with the discovery stage of an attack wherein an attacker is
gathering information to determine if your AWS environment is susceptible to a
broader attack.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


DISCOVERY:S3/TORIPCALLER


AN S3 API WAS INVOKED FROM A TOR EXIT NODE IP ADDRESS.

Default severity: Medium

 * Data source: CloudTrail data events for S3

This finding informs you that an S3 API, such as GetObjectAcl or ListObjects,
was invoked from a Tor exit node IP address. This type of activity is associated
with the discovery stage of an attack wherein an attacker is gathering
information to determine if your AWS environment is susceptible to a broader
attack. Tor is software for enabling anonymous communication. It encrypts and
randomly bounces communications through relays between a series of network
nodes. The last Tor node is called the exit node. This can indicate unauthorized
access to your AWS resources with the intent of hiding the attacker's true
identity.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


EXFILTRATION:S3/ANOMALOUSBEHAVIOR


AN IAM ENTITY INVOKED AN S3 API IN A SUSPICIOUS WAY.

Default severity: High

 * Data source: CloudTrail data events for S3

This finding informs you that an IAM entity is making API calls that involve an
S3 bucket and this activity differs from that entity's established baseline. The
API call used in this activity is associated with the exfiltration stage of an
attack, wherein an attacker attempts to collect data. This activity is
suspicious because the IAM entity invoked the API in an unusual way. For
example, an IAM entity with no previous history invokes an S3 API, or an IAM
entity invokes an S3 API from an unusual location.

This API was identified as anomalous by GuardDuty's anomaly detection machine
learning (ML) model. The ML model evaluates all the API requests in your account
and identifies anomalous events that are associated with techniques used by
adversaries. It tracks various factors of the API requests, such as the user who
made the request, the location from which the request was made, the specific API
that was requested, the bucket that was requested, and the number of API calls
made. For more information on which factors of the API request are unusual for
the user identity that invoked the request, see Finding details.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


EXFILTRATION:S3/MALICIOUSIPCALLER


AN S3 API COMMONLY USED TO COLLECT DATA FROM AN AWS ENVIRONMENT WAS INVOKED FROM
A KNOWN MALICIOUS IP ADDRESS.

Default severity: High

 * Data source: CloudTrail data events for S3

This finding informs you that an S3 API operation was invoked from an IP address
that is associated with known malicious activity. The observed API is commonly
associated with exfiltration tactics where an adversary is trying to collect
data from your network. Examples include GetObject and CopyObject.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


IMPACT:S3/ANOMALOUSBEHAVIOR.DELETE


AN IAM ENTITY INVOKED AN S3 API THAT ATTEMPTS TO DELETE DATA IN A SUSPICIOUS
WAY.

Default severity: High

 * Data source: CloudTrail data events for S3

This finding informs you that an IAM entity in your AWS environment is making
API calls that involve an S3 bucket, and this behavior differs from that
entity's established baseline. The API call used in this activity is associated
with an attack that attempts to delete data. This activity is suspicious because
the IAM entity invoked the API in an unusual way. For example, an IAM entity
with no previous history invokes an S3 API, or an IAM entity invokes an S3 API
from an unusual location.

This API was identified as anomalous by GuardDuty's anomaly detection machine
learning (ML) model. The ML model evaluates all the API requests in your account
and identifies anomalous events that are associated with techniques used by
adversaries. It tracks various factors of the API requests, such as the user who
made the request, the location from which the request was made, the specific API
that was requested, the bucket that was requested, and the number of API calls
made. For more information on which factors of the API request are unusual for
the user identity that invoked the request, see Finding details.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.

We recommend an audit of your S3 bucket's contents to determine whether the
previous object version can or should be restored.


IMPACT:S3/ANOMALOUSBEHAVIOR.PERMISSION


AN API COMMONLY USED TO SET THE ACCESS CONTROL LIST (ACL) PERMISSIONS WAS
INVOKED IN AN ANOMALOUS WAY.

Default severity: High

 * Data source: CloudTrail data events for S3

This finding informs you that an IAM entity in your AWS environment has changed
a bucket policy or ACL on the listed S3 buckets. This change may publicly expose
your S3 buckets to all the authenticated AWS users.

This API was identified as anomalous by GuardDuty's anomaly detection machine
learning (ML) model. The ML model evaluates all the API requests in your account
and identifies anomalous events that are associated with techniques used by
adversaries. It tracks various factors of the API requests, such as the user who
made the request, the location from which the request was made, the specific API
that was requested, the bucket that was requested, and the number of API calls
made. For more information on which factors of the API request are unusual for
the user identity that invoked the request, see Finding details.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.

We recommend an audit of your S3 bucket's contents to ensure that no objects
were unexpectedly allowed to be accessed publicly.


IMPACT:S3/ANOMALOUSBEHAVIOR.WRITE


AN IAM ENTITY INVOKED AN S3 API THAT ATTEMPTS TO WRITE DATA IN A SUSPICIOUS WAY.

Default severity: Medium

 * Data source: CloudTrail data events for S3

This finding informs you that an IAM entity in your AWS environment is making
API calls that involve an S3 bucket, and this behavior differs from that
entity's established baseline. The API call used in this activity is associated
with an attack that attempts to write data. This activity is suspicious because
the IAM entity invoked the API in an unusual way. For example, an IAM entity
with no previous history invokes an S3 API, or an IAM entity invokes an S3 API
from an unusual location.

This API was identified as anomalous by GuardDuty's anomaly detection machine
learning (ML) model. The ML model evaluates all the API requests in your account
and identifies anomalous events that are associated with techniques used by
adversaries. It tracks various factors of the API requests, such as the user who
made the request, the location from which the request was made, the specific API
that was requested, the bucket that was requested, and the number of API calls
made. For more information on which factors of the API request are unusual for
the user identity that invoked the request, see Finding details.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.

We recommend an audit of your S3 bucket's contents to ensure that this API call
didn't write malicious or unauthorized data.


IMPACT:S3/MALICIOUSIPCALLER


AN S3 API COMMONLY USED TO TAMPER WITH DATA OR PROCESSES IN AN AWS ENVIRONMENT
WAS INVOKED FROM A KNOWN MALICIOUS IP ADDRESS.

Default severity: High

 * Data source: CloudTrail data events for S3

This finding informs you that an S3 API operation was invoked from an IP address
that is associated with known malicious activity. The observed API is commonly
associated with impact tactics where an adversary is trying to manipulate,
interrupt, or destroy data within your AWS environment. Examples include
PutObject and PutObjectAcl.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


PENTEST:S3/KALILINUX


AN S3 API WAS INVOKED FROM A KALI LINUX MACHINE.

Default severity: Medium

 * Data source: CloudTrail data events for S3

This finding informs you that a machine running Kali Linux is making S3 API
calls using credentials that belong to your AWS account. Your credentials might
be compromised. Kali Linux is a popular penetration testing tool that security
professionals use to identify weaknesses in EC2 instances that require patching.
Attackers also use this tool to find EC2 configuration weaknesses and gain
unauthorized access to your AWS environment.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


PENTEST:S3/PARROTLINUX


AN S3 API WAS INVOKED FROM A PARROT SECURITY LINUX MACHINE.

Default severity: Medium

 * Data source: CloudTrail data events for S3

This finding informs you that a machine running Parrot Security Linux is making
S3 API calls using credentials that belong to your AWS account. Your credentials
might be compromised. Parrot Security Linux is a popular penetration testing
tool that security professionals use to identify weaknesses in EC2 instances
that require patching. Attackers also use this tool to find EC2 configuration
weaknesses and gain unauthorized access to your AWS environment.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


PENTEST:S3/PENTOOLINUX


AN S3 API WAS INVOKED FROM A PENTOO LINUX MACHINE.

Default severity: Medium

 * Data source: CloudTrail data events for S3

This finding informs you that a machine running Pentoo Linux is making S3 API
calls using credentials that belong to your AWS account. Your credentials might
be compromised. Pentoo Linux is a popular penetration testing tool that security
professionals use to identify weaknesses in EC2 instances that require patching.
Attackers also use this tool to find EC2 configuration weaknesses and gain
unauthorized access to your AWS environment.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


POLICY:S3/ACCOUNTBLOCKPUBLICACCESSDISABLED


AN IAM ENTITY INVOKED AN API USED TO DISABLE S3 BLOCK PUBLIC ACCESS ON AN
ACCOUNT.

Default severity: Low

 * Data source: CloudTrail management events

This finding informs you that Amazon S3 Block Public Access was disabled at the
account level. When S3 Block Public Access settings are enabled, they are used
to filter the policies or access control lists (ACLs) on buckets as a security
measure to prevent inadvertent public exposure of data.

Typically, S3 Block Public Access is turned off in an account to allow public
access to a bucket or to the objects in the bucket. When S3 Block Public Access
is disabled for an account, access to your buckets is controlled by the
policies, ACLs, or bucket-level Block Public Access settings applied to your
individual buckets. This does not necessarily mean that the buckets are shared
publicly, but that you should audit the permissions applied to the buckets to
confirm that they provide the appropriate level of access.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


POLICY:S3/BUCKETANONYMOUSACCESSGRANTED


AN IAM PRINCIPAL HAS GRANTED ACCESS TO AN S3 BUCKET TO THE INTERNET BY CHANGING
BUCKET POLICIES OR ACLS.

Default severity: High

 * Data source: CloudTrail management events

This finding informs you that the listed S3 bucket has been made publicly
accessible on the internet because an IAM entity has changed a bucket policy or
ACL on that bucket. After a policy or ACL change is detected, GuardDuty uses
automated reasoning powered by Zelkova to determine if the bucket is publicly
accessible.

NOTE

If a bucket's ACLs or bucket policies are configured to explicitly deny or to
deny all, this finding may not reflect the current state of the bucket. This
finding will not reflect any S3 Block Public Access settings that may have been
enabled for your S3 bucket. In such cases, the effectivePermission value in the
finding will be marked as UNKNOWN.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


POLICY:S3/BUCKETBLOCKPUBLICACCESSDISABLED


AN IAM ENTITY INVOKED AN API USED TO DISABLE S3 BLOCK PUBLIC ACCESS ON A BUCKET.

Default severity: Low

 * Data source: CloudTrail management events

This finding informs you that Block Public Access was disabled for the listed S3
bucket. When enabled, S3 Block Public Access settings are used to filter the
policies or access control lists (ACLs) applied to buckets as a security measure
to prevent inadvertent public exposure of data.

Typically, S3 Block Public Access is turned off on a bucket to allow public
access to the bucket or to the objects within. When S3 Block Public Access is
disabled for a bucket, access to the bucket is controlled by the policies or
ACLs applied to it. This does not mean that the bucket is shared publicly, but
you should audit the policies and ACLs applied to the bucket to confirm that
appropriate permissions are applied.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


POLICY:S3/BUCKETPUBLICACCESSGRANTED


AN IAM PRINCIPAL HAS GRANTED PUBLIC ACCESS TO AN S3 BUCKET TO ALL AWS USERS BY
CHANGING BUCKET POLICIES OR ACLS.

Default severity: High

 * Data source: CloudTrail management events

This finding informs you that the listed S3 bucket has been publicly exposed to
all authenticated AWS users because an IAM entity has changed a bucket policy or
ACL on that S3 bucket. After a policy or ACL change is detected, GuardDuty uses
automated reasoning powered by Zelkova to determine if the bucket is publicly
accessible.

NOTE

If a bucket's ACLs or bucket policies are configured to explicitly deny or to
deny all, this finding may not reflect the current state of the bucket. This
finding will not reflect any S3 Block Public Access settings that may have been
enabled for your S3 bucket. In such cases, the effectivePermission value in the
finding will be marked as UNKNOWN.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


STEALTH:S3/SERVERACCESSLOGGINGDISABLED


S3 SERVER ACCESS LOGGING WAS DISABLED FOR A BUCKET.

Default severity: Low

 * Data source: CloudTrail management events

This finding informs you that S3 server access logging is disabled for a bucket
within your AWS environment. If disabled, no web request logs are created for
any attempts to access the identified S3 bucket; however, S3 management API
calls to the bucket, such as DeleteBucket, are still tracked. If S3 data event
logging is enabled through CloudTrail for this bucket, web requests for objects
within the bucket will still be tracked. Disabling logging is a technique used
by unauthorized users in order to evade detection. To learn more about S3 logs,
see S3 Server Access Logging and S3 Logging Options.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.
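The Policy:S3 and Stealth:S3 findings above are all driven by CloudTrail management events that change a bucket's or account's control plane: Block Public Access flags turned off, ACL grants to the AllUsers or AuthenticatedUsers groups, and server access logging switched off. As an added example (not GuardDuty's own logic), the script below runs those same checks locally over constructed CloudTrail records so the events behind each finding are visible. The record layout it reads (eventSource, eventName, requestParameters.PublicAccessBlockConfiguration, requestParameters.BucketLoggingStatus, requestParameters.AccessControlPolicy) is an assumption about CloudTrail's S3 management-event format, and it only flags bucket policy changes for review rather than deciding whether the policy is public, which GuardDuty does with automated reasoning.

```python
"""Local checks for the control-plane changes behind the Policy:S3/* and
Stealth:S3/ServerAccessLoggingDisabled findings.

Added example, not GuardDuty's logic. CloudTrail field layout is assumed and
SAMPLE_EVENTS is constructed data.
"""
ALL_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def block_public_access_disabled(config):
    """True when none of the four flags is on: the setting no longer filters
    the bucket's policies or ACLs, so they alone decide exposure."""
    return not any(bool(config.get(flag)) for flag in BPA_FLAGS)


def public_grant_groups(acl_policy):
    """Predefined S3 group URIs that an AccessControlPolicy grants access to."""
    grants = acl_policy.get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant may be serialized as one object
        grants = [grants]
    return {g.get("Grantee", {}).get("URI") for g in grants} - {None}


def classify_event(event):
    """Map one S3 management event to a label in this page's vocabulary, or None."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return None
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    bpa = params.get("PublicAccessBlockConfiguration") or {}
    if name == "PutBucketPublicAccessBlock" and block_public_access_disabled(bpa):
        return ("BucketBlockPublicAccessDisabled", bucket)
    if name == "PutAccountPublicAccessBlock" and block_public_access_disabled(bpa):
        return ("AccountBlockPublicAccessDisabled", event.get("recipientAccountId"))
    if name == "PutBucketLogging":
        status = params.get("BucketLoggingStatus") or {}
        if not status.get("LoggingEnabled"):  # no target bucket means logging was turned off
            return ("ServerAccessLoggingDisabled", bucket)
    if name == "PutBucketAcl":
        groups = public_grant_groups(params.get("AccessControlPolicy") or {})
        if ALL_USERS_GROUP in groups:  # anyone on the internet
            return ("BucketAnonymousAccessGranted", bucket)
        if AUTHENTICATED_USERS_GROUP in groups:  # any AWS account
            return ("BucketPublicAccessGranted", bucket)
    if name == "PutBucketPolicy":  # needs policy analysis, which this check does not do
        return ("BucketPolicyChanged-review", bucket)
    return None


def scan(records):
    """Return (label, target, actor ARN) for each matching record, in order."""
    hits = []
    for rec in records:
        hit = classify_event(rec)
        if hit:
            hits.append((hit[0], hit[1], rec.get("userIdentity", {}).get("arn")))
    return hits


# Constructed CloudTrail-style records (not real log data).
ACTOR = "arn:aws:iam::111122223333:user/example-admin"
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-data", "PublicAccessBlockConfiguration": {
         "BlockPublicAcls": False, "IgnorePublicAcls": False,
         "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutAccountPublicAccessBlock",
     "userIdentity": {"arn": ACTOR}, "recipientAccountId": "111122223333",
     "requestParameters": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": False}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLogging",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-data", "BucketLoggingStatus": {}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLogging",  # benign: enables logging
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-logs", "BucketLoggingStatus": {
         "LoggingEnabled": {"TargetBucket": "example-audit", "TargetPrefix": "logs/"}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-data", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {"URI": ALL_USERS_GROUP}, "Permission": "READ"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-share", "AccessControlPolicy": {
         "AccessControlList": {"Grant": {"Grantee": {"URI": AUTHENTICATED_USERS_GROUP}, "Permission": "READ"}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock",  # benign: still blocked
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-share", "PublicAccessBlockConfiguration": {
         "BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
]

if __name__ == "__main__":
    for label, target, actor in scan(SAMPLE_EVENTS):
        print(f"{label:36} {target:16} by {actor}")
```

Note the two benign records: re-enabling logging and a PutBucketPublicAccessBlock that keeps all four flags on produce no hit, which is the distinction the Stealth and Policy findings draw as well.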


UNAUTHORIZEDACCESS:S3/MALICIOUSIPCALLER.CUSTOM


AN S3 API WAS INVOKED FROM AN IP ADDRESS ON A CUSTOM THREAT LIST.

Default severity: High

 * Data source: CloudTrail data events for S3

This finding informs you that an S3 API operation, for example, PutObject or
PutObjectAcl, was invoked from an IP address that is included on a threat list
that you uploaded. The threat list associated with this finding is listed in the
Additional information section of a finding's details.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.


UNAUTHORIZEDACCESS:S3/TORIPCALLER


AN S3 API WAS INVOKED FROM A TOR EXIT NODE IP ADDRESS.

Default severity: High

 * Data source: CloudTrail data events for S3

This finding informs you that an S3 API operation, such as PutObject or
PutObjectAcl, was invoked from a Tor exit node IP address. Tor is software for
enabling anonymous communication. It encrypts and randomly bounces
communications through relays between a series of network nodes. The last Tor
node is called the exit node. This finding can indicate unauthorized access to
your AWS resources with the intent of hiding the attacker's true identity.

Remediation recommendations:

If this activity is unexpected for the associated principal, it may indicate
that the credentials have been exposed or your S3 permissions are not
restrictive enough. For more information, see Remediating a compromised S3
bucket.

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.