Detection: S3 Large File Downloaded
Overview
Detect when a large file was downloaded from an Amazon S3 bucket. Downloading large files may indicate legitimate data transfers or unauthorized access attempts, potentially leading to data exfiltration. Ensuring secure data access and monitoring large file downloads helps prevent unauthorized data leakage and supports compliance with security best practices.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.s3_large_file_downloadedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.s3_large_file_downloaded --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'name' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 's3.amazonaws.com' and event_name = 'GetObject' and (request_parameters -> 'size')::int > 104857600 -- Size greater than 100MB and error_code is null
order by event_time desc;