Detection: S3 Bucket Policy Updated

Overview

Detect when an Amazon S3 bucket policy was modified. Bucket policies define access permissions for resources within a bucket, and changes to these policies can introduce security risks, such as unauthorized access or overly permissive permissions, leading to potential data breaches. Reviewing these modifications ensures that access controls align with security best practices and compliance requirements.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_cloudtrail_log_detections.detection.s3_bucket_policy_updated

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.s3_bucket_policy_updated --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
string_split(event_source, '.')[1] || ':' || event_name as operation,
request_parameters ->> 'bucketName' as resource,
user_identity.arn as actor,
tp_source_ip as source_ip,
tp_index as account_id,
aws_region as region,
tp_id as source_id,
*

from
  aws_cloudtrail_log
where
  event_source = 's3.amazonaws.com'
  and event_name in ('PutBucketPolicy')
  and error_code is null

order by
  event_time desc;

Detection: S3 Bucket Policy Updated

Overview

Usage

SQL

Tags