turbot/tailpipe-mod-aws-s3-server-access-log-detections

Detection: S3 Object Accessed with Large Response Size

Overview

Detect when an Amazon S3 object was accessed and the response size exceeded 100MB. Large data transfers over S3 can be indicative of bulk data exfiltration, especially when occurring outside of normal access patterns or in combination with unusual requester identities or IP addresses.

Monitoring response sizes helps detect potential data leakage, abnormal automation behavior, or improper use of public or privileged access to retrieve significant volumes of information.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_s3_server_access_log_detections.detection.s3_object_accessed_with_large_response_size

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_s3_server_access_log_detections.detection.s3_object_accessed_with_large_response_size --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  operation,
  bucket as resource,
  requester as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  tp_id as source_id,
  http_status,
  error_code,
  *
from
  aws_s3_server_access_log
where
  operation = 'REST.GET.OBJECT'
  and bytes_sent > 100000000
order by
  tp_timestamp desc;
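The same predicate applied outside Powerpipe, as an added example that is not part of this mod: it tokenizes raw S3 server access log records (bracketed timestamp, quoted request string, `-` for an absent bytes_sent) and keeps REST.GET.OBJECT reads over 100,000,000 bytes, newest first. The log records, bucket, requester and IP values are constructed for the example.

```python
import re
from datetime import datetime

# Threshold from the detection query: bytes_sent > 100000000 (decimal 100 MB).
LARGE_RESPONSE_BYTES = 100_000_000

# S3 server access log fields are space-delimited, except the bracketed
# timestamp and the double-quoted request URI / referrer / user-agent fields.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
_FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester",
           "request_id", "operation", "key", "request_uri", "http_status",
           "error_code", "bytes_sent", "object_size")

def parse_s3_access_log_line(line):
    """Parse the leading fields of one S3 server access log record into a dict."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(_FIELDS):
        raise ValueError("truncated S3 access log record")
    rec = dict(zip(_FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "[%d/%b/%Y:%H:%M:%S %z]")
    # S3 writes '-' when no bytes were sent (e.g. errors or 304s); treat as 0.
    rec["bytes_sent"] = 0 if rec["bytes_sent"] == "-" else int(rec["bytes_sent"])
    return rec

def detect_large_object_reads(lines, threshold=LARGE_RESPONSE_BYTES):
    """Same filter and ordering as the detection's SQL, over raw log lines."""
    recs = [parse_s3_access_log_line(l) for l in lines if l.strip()]
    hits = [r for r in recs
            if r["operation"] == "REST.GET.OBJECT" and r["bytes_sent"] > threshold]
    hits.sort(key=lambda r: r["time"], reverse=True)
    return [(r["time"].isoformat(), r["bucket"], r["requester"],
             r["remote_ip"], r["bytes_sent"]) for r in hits]

# Constructed sample records: two large GETs (one per line 1 and 2), a small GET,
# a large PUT (wrong operation) and a GET with no bytes sent.
SAMPLE_LOG = """\
owner1 example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice REQ1 REST.GET.OBJECT exports/full.zip "GET /exports/full.zip HTTP/1.1" 200 - 524288000 524288000 6012 14 "-" "aws-cli/2.15.0"
owner1 example-bucket [06/Feb/2019:00:05:12 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice REQ2 REST.GET.OBJECT db/dump.sql "GET /db/dump.sql HTTP/1.1" 200 - 150000000 150000000 2210 9 "-" "python-requests/2.31"
owner1 example-bucket [06/Feb/2019:00:06:01 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice REQ3 REST.GET.OBJECT img/logo.png "GET /img/logo.png HTTP/1.1" 200 - 4096 4096 12 3 "-" "curl/8.4.0"
owner1 example-bucket [06/Feb/2019:00:07:45 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/bob REQ4 REST.PUT.OBJECT backup.tar "PUT /backup.tar HTTP/1.1" 200 - 200000000 200000000 8000 20 "-" "aws-cli/2.15.0"
owner1 example-bucket [06/Feb/2019:00:08:10 +0000] 203.0.113.9 - REQ5 REST.GET.OBJECT secret.txt "GET /secret.txt HTTP/1.1" 403 AccessDenied - - 5 5 "-" "curl/8.4.0"
"""

def sample_hits():
    return detect_large_object_reads(SAMPLE_LOG.splitlines())
```

Running `sample_hits()` returns the two large reads ordered newest first, mirroring the `order by tp_timestamp desc` of the named query.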

Tags