Detection: S3 Object Accessed Outside Business Hours

Overview

Detect when an Amazon S3 object was accessed outside of typical business hours (e.g., 8 AM to 6 PM). Access patterns that occur late at night, early morning, or on weekends may indicate unauthorized activity, credential misuse, or automation operating without oversight.

Monitoring access timing helps organizations identify anomalies in user behavior, detect compromised accounts, and enforce time-based access controls.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_s3_server_access_log_detections.detection.s3_object_accessed_outside_business_hours

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_s3_server_access_log_detections.detection.s3_object_accessed_outside_business_hours --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
operation,
bucket as resource,
requester as actor,
tp_source_ip as source_ip,
tp_index as account_id,
tp_id as source_id,
http_status,
error_code,
*

from
  aws_s3_server_access_log
where
  extract(hour from tp_timestamp) not between 8 and 18
  and operation = 'REST.GET.OBJECT'
order by
  tp_timestamp desc;

Detection: S3 Object Accessed Outside Business Hours

Overview

Usage

SQL

Tags