turbot/tailpipe-mod-aws-s3-server-access-log-detections

Detection: S3 Object Accessed with Large Request Size

Overview

Detect when an Amazon S3 object was retrieved (operation REST.GET.OBJECT) and the object involved was larger than 10 MB (10,000,000 bytes). Large objects being pulled from a bucket, especially repeatedly or by unfamiliar principals and source IPs, can indicate scripted or automated bulk downloads that may be part of a data scraping or exfiltration attempt.

Response size (the bytes_sent field) is the usual measure of how much data actually left the bucket, but this detection keys on the object_size field, which records the total size of the object in question. A ranged or interrupted download of a large object is therefore flagged even when only a fraction of it was transferred, which is useful for catching chunked scrapers but also means a hit does not by itself prove that the full object was read. Unusually large requests can also be signs of misuse in their own right, such as attempts to manipulate large objects, invoke custom behaviors, or exhaust system resources.

Usage

Run the detection in your terminal:

powerpipe detection run aws_s3_server_access_log_detections.detection.s3_object_accessed_with_large_request_size

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_s3_server_access_log_detections.detection.s3_object_accessed_with_large_request_size --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  operation,
  bucket as resource,
  requester as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  tp_id as source_id,
  http_status,
  error_code,
  *
from
  aws_s3_server_access_log
where
  operation = 'REST.GET.OBJECT'
  and object_size > 10000000
order by
  tp_timestamp desc;
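The query above is easiest to reason about when run against concrete log lines. The following is an added example, not code from the mod or from Turbot: it parses raw S3 server access log lines (the space-delimited format with quoted strings and a bracketed timestamp), applies the same filter as the named query (REST.GET.OBJECT and object_size above 10,000,000), and runs a bytes_sent variant beside it so the difference between "object is large" and "a lot of data was sent" is visible. The bucket names, request IDs and log lines are constructed for this example; the field order is the documented S3 server access log layout.

```python
import re
from datetime import datetime

# Field order of the Amazon S3 server access log format. Quoted strings and
# the bracketed timestamp may contain spaces, so a plain split() is not enough.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version", "access_point_arn",
    "acl_required",
]
INT_FIELDS = {"http_status", "bytes_sent", "object_size", "total_time", "turn_around_time"}
TOKEN = re.compile(r'"[^"]*"|\[[^\]]*\]|\S+')  # quoted string | [timestamp] | bare token
THRESHOLD = 10_000_000  # the detection's cutoff, 10 MB in decimal bytes

# Constructed placeholder canonical user ID (not a real account).
OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"


def parse_line(line):
    """Parse one access log line into a dict; '-' becomes None, numeric fields become int."""
    rec = {}
    for name, tok in zip(FIELDS, TOKEN.findall(line)):
        if tok.startswith('"') or tok.startswith("["):
            tok = tok[1:-1]  # strip the surrounding quotes or brackets
        if tok == "-":
            rec[name] = None
        elif name == "time":
            rec[name] = datetime.strptime(tok, "%d/%b/%Y:%H:%M:%S %z")
        elif name in INT_FIELDS:
            rec[name] = int(tok)
        else:
            rec[name] = tok
    return rec


def make_line(request_id, operation, key, uri, status, error, bytes_sent, object_size):
    """Build a constructed 26-field log line, holding the uninteresting fields constant."""
    return " ".join([
        OWNER, "example-bucket", "[06/Feb/2019:00:00:38 +0000]", "192.0.2.3", OWNER,
        request_id, operation, key, f'"{uri}"', str(status), error, str(bytes_sent),
        str(object_size), "7", "-", '"-"', '"curl/8.0"', "-", "host-id-example",
        "SigV4", "ECDHE-RSA-AES128-GCM-SHA256", "AuthHeader",
        "example-bucket.s3.us-west-1.amazonaws.com", "TLSV1.2", "-", "-",
    ])


# Constructed sample lines covering the cases that matter for this detection.
SAMPLE_LINES = [
    # full download of a 50 MB object
    make_line("REQ1", "REST.GET.OBJECT", "exports/full.csv",
              "GET /example-bucket/exports/full.csv HTTP/1.1", 200, "-", 52428800, 52428800),
    # ranged (HTTP 206) read of the same object: only 1 MB actually sent
    make_line("REQ2", "REST.GET.OBJECT", "exports/full.csv",
              "GET /example-bucket/exports/full.csv HTTP/1.1", 206, "-", 1048576, 52428800),
    # small object, below the threshold either way
    make_line("REQ3", "REST.GET.OBJECT", "logo.png",
              "GET /example-bucket/logo.png HTTP/1.1", 200, "-", 4096, 4096),
    # large upload: wrong operation for this detection
    make_line("REQ4", "REST.PUT.OBJECT", "backups/db.tar",
              "PUT /example-bucket/backups/db.tar HTTP/1.1", 200, "-", "-", 60000000),
    # denied GET: object_size is '-' and must not crash the comparison
    make_line("REQ5", "REST.GET.OBJECT", "secret/keys.zip",
              "GET /example-bucket/secret/keys.zip HTTP/1.1", 403, "AccessDenied", 243, "-"),
]


def detect_large_object_gets(lines, threshold=THRESHOLD):
    """Same predicate as the named query: REST.GET.OBJECT and object_size > threshold."""
    return [r["request_id"] for r in map(parse_line, lines)
            if r["operation"] == "REST.GET.OBJECT" and (r["object_size"] or 0) > threshold]


def detect_large_transfers(lines, threshold=THRESHOLD):
    """Variant keyed on bytes_sent, i.e. on data that actually left the bucket."""
    return [r["request_id"] for r in map(parse_line, lines)
            if r["operation"] == "REST.GET.OBJECT" and (r["bytes_sent"] or 0) > threshold]


if __name__ == "__main__":
    print("object_size rule:", detect_large_object_gets(SAMPLE_LINES))
    print("bytes_sent rule: ", detect_large_transfers(SAMPLE_LINES))
```

REQ2 is the case to notice: the object_size rule flags the ranged read because the object is 50 MB, while the bytes_sent rule does not because only 1 MB was sent. Which behaviour you want depends on whether you are hunting chunked scrapers (object_size catches them early) or measuring actual egress (bytes_sent); the denied request REQ5 and the upload REQ4 are excluded by both.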
