Monitoring High-Fidelity S3 Events
We previously discussed how you can leverage Amazon GuardDuty for identifying potential risks by analyzing CloudTrail management and S3 data events (data plane operations). In addition to that, it is always prudent to know your organization’s events trend and carve high fidelity, low noise alerts for S3 events, especially for unusual increases in API calls or calls that result in errors. It is important that you know your environment well so that you can filter the noise for some high-traffic events. Some of the S3 events that could be useful are unusual S3 object or bucket delete (empty) attempts, S3 object permission change (e.g. object's access control list (ACL) changes), S3 bucket policy changes, S3 or account level public block access changes, S3 bucket creation, List/Get/Put events from unusual sources or agents for actions like s3:ListBuckets, GetBucketLocation, GetBucketPolicy, GetBucketAcl, Get/PutBucketVersioning, PutBucket Encryption or DeleteBucketEncryption, etc.
Additional tips: It could be useful to keep an eye out for unusual costs in your AWS bill to identify data exfiltration. For example, from your cost explorer, use: UsageType:DataTransfer-Out-Bytes or region-DataTransfer-Out-Bytes, Service: S3 (Simple Storage Service), and API Operation: GetObject.
In this last of the part five series, we showed you how we can also add AWS Organization Service Control Policy (SCP) to deny Amazon S3 bucket deletion and bucket configuration changes, religious practice PoLP (the principles of least privilege), set strict S3 bucket policy, use Amazon S3 presigned URL and monitor high fidelity S3 events. This concludes the five part series.
Return to the intro of this series for links to each of the blogs in this series, and you can also learn more about the technical innovations and best practices powering cloud backup and data management. Visit the Innovation Series section of Druva’s blog archive.
About the Author
I have been in the cloud tech world since 2015, wearing multiple hats and working as a consultant to help customers architect their cloud journey. I joined Druva four years ago as a cloud engineer. Currently, I lead Druva’s cloud security initiatives, roadmap, and planning. I love to approach cloud security pragmatically because I strongly believe that the most important component of security is the humans behind the systems.
Get my hands-on style weekly cloud security newsletter. Subscribe here
Find me on LinkedIn: https://www.linkedin.com/in/aashish-aj/