Detection / high / test
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects the S3 Browser utility creating an inline IAM policy that still contains the default S3 bucket name placeholder value "<YOUR-BUCKET-NAME>".
Log Source
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic (1 selector)
detection:
    selection:
        eventSource: iam.amazonaws.com
        eventName: PutUserPolicy
        userAgent|contains: 'S3 Browser'
        requestParameters|contains|all:
            - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
            - '"s3:GetObject"'
            - '"Allow"'
    condition: selection
False Positives
Legitimate use of S3 Browser in which the default inline IAM policy is created by accident, without the default S3 bucket name placeholder value being changed.
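To make the selection above concrete, here is an added Python example (not part of the Sigma rule or its project) that applies the same four conditions to constructed CloudTrail records: one where the S3 Browser template was saved with the placeholder left in, one where a real bucket name was filled in, one from a different user agent, and one where the policy went to a role instead of a user. Sigma string comparisons are case-insensitive, so the matcher lowercases both sides. It assumes the log pipeline delivers requestParameters as parsed JSON in which policyDocument is still the raw policy text, so the quotes in the rule's patterns can be matched as substrings; the bucket name, user name and user-agent strings are constructed sample values.

```python
import json
from typing import Any, Iterator

# Selection terms taken from the Sigma rule above, lowercased for case-insensitive matching.
EVENT_SOURCE = "iam.amazonaws.com"
EVENT_NAME = "putuserpolicy"
USER_AGENT_FRAGMENT = "s3 browser"
REQUEST_FRAGMENTS = (
    '"arn:aws:s3:::<your-bucket-name>/*"',
    '"s3:getobject"',
    '"allow"',
)


def _strings(value: Any) -> Iterator[str]:
    """Walk a nested CloudTrail field and yield every string leaf.

    Assumption: requestParameters arrives as parsed JSON whose policyDocument value is
    the raw policy text, so its quotes survive unescaped and the quoted Sigma patterns
    can be found as plain substrings.
    """
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def matches_rule(event: dict) -> bool:
    """Return True when a CloudTrail record satisfies the rule's selection."""
    if (event.get("eventSource") or "").lower() != EVENT_SOURCE:
        return False
    if (event.get("eventName") or "").lower() != EVENT_NAME:
        return False
    if USER_AGENT_FRAGMENT not in (event.get("userAgent") or "").lower():
        return False
    # requestParameters|contains|all: every fragment must appear somewhere in the field.
    haystack = "\n".join(_strings(event.get("requestParameters", {}))).lower()
    return all(fragment in haystack for fragment in REQUEST_FRAGMENTS)


def _policy(bucket_arn: str) -> str:
    """Inline policy text in the shape of the S3 Browser template (constructed sample)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [bucket_arn],
        }],
    })


def _event(event_name: str, user_agent: str, bucket_arn: str) -> dict:
    """Minimal constructed CloudTrail record carrying only the fields the rule inspects."""
    return {
        "eventSource": "iam.amazonaws.com",
        "eventName": event_name,
        "userAgent": user_agent,
        "requestParameters": {
            "userName": "backup-svc",          # constructed
            "policyName": "S3BrowserPolicy",   # constructed
            "policyDocument": _policy(bucket_arn),
        },
    }


PLACEHOLDER_ARN = "arn:aws:s3:::<YOUR-BUCKET-NAME>/*"
SAMPLE_EVENTS = {
    "placeholder_left_in": _event("PutUserPolicy", "S3 Browser 11.0", PLACEHOLDER_ARN),
    "real_bucket": _event("PutUserPolicy", "S3 Browser 11.0", "arn:aws:s3:::corp-backups/*"),
    "other_tool": _event("PutUserPolicy", "aws-cli/2.15.0", PLACEHOLDER_ARN),
    "role_policy": _event("PutRolePolicy", "S3 Browser 11.0", PLACEHOLDER_ARN),
}


def evaluate(events: dict) -> dict:
    """Map each sample name to whether the rule fires on it."""
    return {name: matches_rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:20s} {'ALERT' if hit else 'ok'}")
```

Only the first sample fires. The second shows why the rule keys on the placeholder rather than on S3 Browser itself: a user who fills in a real bucket name is doing exactly what the tool is for. When the rule does fire, the useful triage step is to look at the `userName` and `policyName` in requestParameters and confirm whether the leftover placeholder policy was removed or corrected afterwards.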
References
MITRE ATT&CK
Rule Metadata
Rule ID
db014773-7375-4f4e-b83b-133337c0ffee
Status
test
Level
high
Type
Detection
Created
Wed May 17
Author
Path
rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
Raw Tags
attack.execution
attack.t1059.009
attack.persistence
attack.defense-evasion
attack.initial-access
attack.privilege-escalation
attack.t1078.004