Detection: S3 Object Accessed Using Suspicious User-Agent
Overview
Detect when an Amazon S3 object was accessed using a suspicious user-agent string such as curl, python, or bot. These user agents are often associated with automated scripts, command-line tools, or scraping bots and may indicate unauthorized or non-standard access methods.
Monitoring user-agent patterns helps identify abnormal or automated behavior that could lead to data exfiltration, unauthorized access, or abuse of exposed public content.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_s3_server_access_log_detections.detection.s3_object_accessed_using_suspicious_user_agent

Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run aws_s3_server_access_log_detections.detection.s3_object_accessed_using_suspicious_user_agent --share

SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  operation,
  bucket as resource,
  requester as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  tp_id as source_id,
  http_status,
  error_code,
  *
from
  aws_s3_server_access_log
where
  operation in ('REST.GET.OBJECT', 'REST.PUT.OBJECT', 'REST.DELETE.OBJECT')
  and (
    -- Command-line tools
    user_agent ilike '%curl%' or
    user_agent ilike '%wget%' or
    user_agent ilike '%python%' or
    user_agent ilike '%go-http%' or
    user_agent ilike '%ruby%' or
    user_agent ilike '%powershell%' or

    -- Known scanners and penetration testing tools
    user_agent ilike '%nuclei%' or
    user_agent ilike '%nmap%' or
    user_agent ilike '%burpsuite%' or
    user_agent ilike '%sqlmap%' or
    user_agent ilike '%nikto%' or
    user_agent ilike '%hydra%' or
    user_agent ilike '%metasploit%' or
    user_agent ilike '%gobuster%' or
    user_agent ilike '%dirbuster%' or

    -- Suspicious bots and crawlers
    user_agent ilike '%zgrab%' or
    user_agent ilike '%masscan%' or
    user_agent ilike '%googlebot%' or
    user_agent ilike '%baiduspider%' or

    -- Generic indicators
    user_agent ilike '%scanner%' or
    user_agent ilike '%exploit%' or
    user_agent ilike '%attack%' or
    user_agent is null
  )
order by
  tp_timestamp desc;
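To show what the query above actually does to a raw log, here is the same predicate applied in Python to S3 server access log lines. This is an added example, not code from the Powerpipe mod: it parses the documented S3 server access log field layout, treats the "-" that S3 writes for an absent field as null (the `user_agent is null` branch), matches the same pattern list case-insensitively (the `ilike '%x%'` branch), scopes to the same three object operations, and returns hits newest first. The log lines are constructed for the example; the bucket, IPs, request IDs and user-agent strings are made up.

```python
"""Python equivalent of the detection's SQL, run over raw S3 server access log lines."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Records are space-separated, but the timestamp is bracketed and the request
# URI, referer and user-agent are double-quoted, so tokenise rather than split.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Same object-level operations and the same ilike patterns as the SQL.
OBJECT_OPERATIONS = {"REST.GET.OBJECT", "REST.PUT.OBJECT", "REST.DELETE.OBJECT"}
SUSPICIOUS_UA_PATTERNS = (
    # Command-line tools
    "curl", "wget", "python", "go-http", "ruby", "powershell",
    # Known scanners and penetration testing tools
    "nuclei", "nmap", "burpsuite", "sqlmap", "nikto", "hydra",
    "metasploit", "gobuster", "dirbuster",
    # Suspicious bots and crawlers
    "zgrab", "masscan", "googlebot", "baiduspider",
    # Generic indicators
    "scanner", "exploit", "attack",
)


@dataclass
class AccessLogRecord:
    timestamp: datetime
    bucket: str
    source_ip: str
    requester: Optional[str]      # None for anonymous requests
    operation: str
    key: Optional[str]
    http_status: int
    error_code: Optional[str]
    user_agent: Optional[str]     # None when S3 logged "-" (SQL: user_agent is null)


def _nullable(tok: str) -> Optional[str]:
    """S3 writes "-" for fields it has no value for; map that to None."""
    tok = tok.strip('"')
    return None if tok == "-" else tok


def parse_record(line: str) -> AccessLogRecord:
    # Positions follow the S3 server access log format: 0 owner, 1 bucket,
    # 2 [time], 3 remote ip, 4 requester, 5 request id, 6 operation, 7 key,
    # 8 "request-uri", 9 status, 10 error code, 11 bytes sent, 12 object size,
    # 13 total time, 14 turn-around time, 15 "referer", 16 "user-agent", ...
    t = _TOKEN.findall(line)
    if len(t) < 17:
        raise ValueError(f"not an S3 server access log line: {line[:60]!r}")
    return AccessLogRecord(
        timestamp=datetime.strptime(t[2].strip("[]"), "%d/%b/%Y:%H:%M:%S %z"),
        bucket=t[1], source_ip=t[3], requester=_nullable(t[4]),
        operation=t[6], key=_nullable(t[7]), http_status=int(t[9]),
        error_code=_nullable(t[10]), user_agent=_nullable(t[16]),
    )


def match_suspicious_user_agent(rec: AccessLogRecord) -> Optional[str]:
    """Return why a record is flagged (matched pattern or missing UA), or None."""
    if rec.operation not in OBJECT_OPERATIONS:
        return None
    if rec.user_agent is None:
        return "missing user-agent"
    ua = rec.user_agent.lower()   # ilike is case-insensitive
    for pattern in SUSPICIOUS_UA_PATTERNS:
        if pattern in ua:
            return pattern
    return None


def run_detection(lines: List[str]) -> List[Tuple[AccessLogRecord, str]]:
    """Apply the detection to raw lines; newest first, like `order by tp_timestamp desc`."""
    hits = [(rec, why) for rec in map(parse_record, filter(str.strip, lines))
            if (why := match_suspicious_user_agent(rec)) is not None]
    hits.sort(key=lambda h: h[0].timestamp, reverse=True)
    return hits


# Constructed sample log lines (not real traffic); trailing fields abbreviated.
_TAIL = '- HOSTIDEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSV1.2 - Yes'
SAMPLE_LOG_LINES = [
    f'OWNEREXAMPLE example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 ARN:EXAMPLEUSER REQID1EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /example-bucket/reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 11 "-" "curl/8.4.0" {_TAIL}',
    f'OWNEREXAMPLE example-bucket [06/Feb/2019:00:01:02 +0000] 192.0.2.4 ARN:EXAMPLEUSER REQID2EXAMPLE REST.PUT.OBJECT reports/q2.csv "PUT /example-bucket/reports/q2.csv HTTP/1.1" 200 - - 4096 30 20 "-" "S3Console/0.4" {_TAIL}',
    f'OWNEREXAMPLE example-bucket [06/Feb/2019:00:01:45 +0000] 198.51.100.7 - REQID3EXAMPLE REST.GET.OBJECT backup.tar.gz "GET /example-bucket/backup.tar.gz HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "-" {_TAIL}',
    f'OWNEREXAMPLE example-bucket [06/Feb/2019:00:02:10 +0000] 203.0.113.9 - REQID4EXAMPLE REST.GET.OBJECT index.html "GET /example-bucket/index.html HTTP/1.1" 200 - 512 512 8 7 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" {_TAIL}',
    f'OWNEREXAMPLE example-bucket [06/Feb/2019:00:03:33 +0000] 192.0.2.5 ARN:EXAMPLEROLE REQID5EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /example-bucket/reports/q1.csv HTTP/1.1" 200 - 2048 2048 9 8 "-" "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux#6.5.0 lang/python#3.11.6" {_TAIL}',
    f'OWNEREXAMPLE example-bucket [06/Feb/2019:00:04:01 +0000] 192.0.2.3 ARN:EXAMPLEUSER REQID6EXAMPLE REST.GET.VERSIONING - "GET /example-bucket?versioning HTTP/1.1" 200 - 113 - 7 - "-" "curl/8.4.0" {_TAIL}',
]

if __name__ == "__main__":
    for rec, why in run_detection(SAMPLE_LOG_LINES):
        print(rec.timestamp.isoformat(), rec.source_ip, rec.requester, rec.operation, rec.key, why)
```

Two things the sample output makes visible that matter when tuning this detection. The fifth line is an ordinary AWS SDK request, and it is flagged because the boto3 user-agent contains the word "python"; the fourth is flagged by the "googlebot" pattern even though the bucket serves public web content. Both are expected behaviour of the query as written, so in a real deployment the hits are usually joined against known requesters or source ranges before alerting. The user-agent is also set by the client, so a request that omits it or presents a browser-like string passes the pattern list; the signal is a cheap first filter, and the anonymous, user-agent-less AccessDenied request in the third line is the kind of record worth correlating with other bucket activity.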