Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-aws-s3-server-access-log-detections
Overview
3Dashboards
6Benchmarks
21Queries
1Variables
GitHub

Detection: S3 Object Accessed Using Insecure TLS Version

Overview

Detect when an Amazon S3 object was accessed using a deprecated or insecure TLS version such as TLS 1.0 or TLS 1.1. These older versions of TLS lack modern cryptographic protections and are susceptible to known vulnerabilities and downgrade attacks. Continued use of deprecated protocols increases the risk of man-in-the-middle attacks and data exposure.

Monitoring and eliminating use of insecure TLS versions ensures data transmitted to and from S3 remains encrypted using up-to-date and secure protocols.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_s3_server_access_log_detections.detection.s3_object_accessed_using_insecure_tls_version

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_s3_server_access_log_detections.detection.s3_object_accessed_using_insecure_tls_version --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
operation,
bucket as resource,
requester as actor,
tp_source_ip as source_ip,
tp_index as account_id,
tp_id as source_id,
http_status,
error_code,
*


from
  aws_s3_server_access_log
where
  operation in ('REST.GET.OBJECT', 'REST.PUT.OBJECT', 'REST.DELETE.OBJECT')
  and tls_version in ('TLSv1.0', 'TLSv1.1')
order by
  tp_timestamp desc;

Tags

category = Detections
folder = S3
mitre_attack_ids = TA0001:T1078
plugin = aws
service = AWS/S3