aws-cis-benchmark-s3-policy-change Configuration

« aws-cis-benchmark-s3-policy-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1578confidence:3

Detect AWS S3 bucket policy change

Installation

cscli scenarios install crowdsecurity/aws-cis-benchmark-s3-policy-change

Description

Detects AWS S3 buckets policy changes based on cloudtrail logs (Section 4.8 of CIS AWS Foundation Benchmark 1.4.0 ).

YAML Configuration

1type: trigger
2name: crowdsecurity/aws-cis-benchmark-s3-policy-change
3description: "Detect AWS S3 bucket policy change"
4filter: |
5  evt.Meta.log_type == 'aws-cloudtrail' &&
6  evt.Unmarshaled.cloudtrail.eventSource == "s3.amazonaws.com" &&
7  (
8   evt.Meta.event_name == "PutBucketAcl" ||
9   evt.Meta.event_name == "PutBucketPolicy" ||
10   evt.Meta.event_name == "PutBucketCors" ||
11   evt.Meta.event_name == "PutBucketLifecycle" ||
12   evt.Meta.event_name == "PutBucketReplication" ||
13   evt.Meta.event_name == "DeleteBucketPolicy" ||
14   evt.Meta.event_name == "DeleteBucketCors" ||
15   evt.Meta.event_name == "DeleteBucketLifecycle" ||
16   evt.Meta.event_name == "DeleteBucketReplication"
17  )
18labels:
19  confidence: 3
20  spoofable: 0
21  classification:
22    - attack.T1578
23  behavior: "cloud:audit"
24  label: "AWS S3 bucket policy change"
25  service: aws
26  cti: false
27  remediation: false
28

Hub configuration

« aws-cis-benchmark-s3-policy-change »v0.3 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1578confidence:3

« aws-cis-benchmark-s3-policy-change »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1578confidence:3