title: Potential Storage Enumeration on AWS
id: 4723218f-2048-41f6-bcb0-417f2d784f61
status: experimental
description: Detects potential enumeration activity targeting AWS storage
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
    - attack.discovery
    - attack.t1619
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 's3.amazonaws.com'
        eventName:
            - 'ListBuckets'
            - 'GetBucketCors'
            - 'GetBucketInventoryConfiguration'
            - 'GetBucketPublicAccessBlock'
            - 'GetBucketMetricsConfiguration'
            - 'GetBucketPolicy'
            - 'GetBucketTagging'
    timeframe: 10m
    condition: selection | count() > 5
falsepositives:
    - Unknown
level: medium