S3 object publicly exposed

Back


Id	09f2a28b-3286-4268-9e2f-33805f104e5d
Rulename	S3 object publicly exposed
Description	Detected S3 bucket that’s publicly exposed, which could lead to sensitive information leakage to the public. Verify the S3 object configurations.
Severity	Medium
Tactics	Exfiltration
Techniques	T1537
Required data connectors	AWS
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectPubliclyExposed.yaml
Version	1.0.1
Arm template	09f2a28b-3286-4268-9e2f-33805f104e5d.json

KQL

AWSCloudTrail
  | where EventName == "PutObjectAcl" and isempty(ErrorCode) and isempty(ErrorMessage)
  | extend Grant = parse_json(tostring((parse_json(RequestParameters).AccessControlPolicy))).AccessControlList.Grant
  | mvexpand Grant
  | extend cannedacl = parse_json(tostring((parse_json(RequestParameters))))
  | extend URI = parse_json(Grant).Grantee.URI, type = parse_json(Grant).Grantee.["xsi:type"], xamzacl = parse_json(cannedacl).["x-amz-acl"]
  | where (type == "Group" and (URI endswith "AllUsers" or URI endswith "AuthenticatedUsers"))
    or xamzacl in ("authenticated-read","public-read","public-read-write")
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
  | extend timestamp = TimeGenerated

YAML

description: |
    'Detected S3 bucket that's publicly exposed, which could lead to sensitive information leakage to the public. Verify the S3 object configurations.'
kind: Scheduled
tactics:
- Exfiltration
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectPubliclyExposed.yaml
severity: Medium
name: S3 object publicly exposed
triggerThreshold: 0
queryPeriod: 1h
query: |
  AWSCloudTrail
    | where EventName == "PutObjectAcl" and isempty(ErrorCode) and isempty(ErrorMessage)
    | extend Grant = parse_json(tostring((parse_json(RequestParameters).AccessControlPolicy))).AccessControlList.Grant
    | mvexpand Grant
    | extend cannedacl = parse_json(tostring((parse_json(RequestParameters))))
    | extend URI = parse_json(Grant).Grantee.URI, type = parse_json(Grant).Grantee.["xsi:type"], xamzacl = parse_json(cannedacl).["x-amz-acl"]
    | where (type == "Group" and (URI endswith "AllUsers" or URI endswith "AuthenticatedUsers"))
      or xamzacl in ("authenticated-read","public-read","public-read-write")
    | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
    | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
    | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
    | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
      AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
    | extend timestamp = TimeGenerated  
relevantTechniques:
- T1537
id: 09f2a28b-3286-4268-9e2f-33805f104e5d
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.1
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  - columnName: RecipientAccountId
    identifier: CloudAppAccountId
- entityType: IP
  fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address

ARM