Navigation :
Detect New Open S3 Buckets
Description
This search looks for CloudTrail events where a user has created an open/public S3 bucket.
Help |
---|
Detect New Open S3 Buckets HelpYou must install the AWS App for Splunk. |
Search |
---|
`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw "(?<json_field>{.+})" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") | search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter` Open in Search |