
New S3 Bucket

This alert is raised when Lacework detects that a new AWS S3 bucket has been created in a monitored account (an S3 CreateBucket API call, which CloudTrail records).

Why this Alert is Important

An attacker who has obtained credentials for the account, or a principal with broader permissions than intended, can create a bucket and use it to stage tooling or collect data for exfiltration, so bucket creation by an unexpected identity deserves attention. Bucket creation also matters because of subdomain takeover. S3 bucket names are global, and a bucket used for static website hosting is tied to a hostname in your domain through a CNAME record. When such a bucket is deleted but the DNS record is left behind, anyone can create a bucket with the same name in their own account and serve their own content under your subdomain.

Investigation

Review the CloudTrail record for the CreateBucket call: which identity made it, from which source IP address and at what time, and whether that identity normally creates buckets. Check the bucket name against your organization's DNS records to see whether it backs a hostname. In addition, whenever a bucket is deleted, review the organization's DNS records and remove any CNAME entries that point to the bucket that no longer exists, so that a dangling record cannot be exploited.

Resolution

Restrict the s3:CreateBucket permission with IAM policies (or a service control policy in AWS Organizations) so that only administrators or designated deployment roles can create buckets.

Audit every newly created bucket: confirm it has an owner and a purpose, that public access is blocked unless the bucket is intentionally public, and that any DNS record pointing at a bucket is removed when that bucket is deleted.
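The triage described under Investigation and the audit described under Resolution, as an added example that is not Lacework's or AWS's code. It filters CreateBucket calls out of CloudTrail records, flags creators that are not on an allowlist, and checks a DNS zone for CNAMEs that point at S3 buckets nobody currently owns. The CloudTrail records, the DNS zone, the bucket inventory and the allowlist are all constructed inline and are assumptions; a real run would feed CloudTrail JSON, the hosted zone's records and the output of list-buckets instead.

```python
"""Triage of S3 CreateBucket events and dangling-CNAME check (added example)."""
import re

# Matches S3 REST and static-website endpoint hostnames and captures the bucket
# name a CNAME target implies: bucket.s3.amazonaws.com,
# bucket.s3.<region>.amazonaws.com, bucket.s3-website-<region>.amazonaws.com.
S3_ENDPOINT = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"
)

# Constructed sample CloudTrail records (not real events).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:12:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "build-artifacts-prod"}},
    {"eventTime": "2024-05-01T23:41:55Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/intern-temp"},
     "requestParameters": {"bucketName": "exfil-tmp-0501"}},
    {"eventTime": "2024-05-01T23:42:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/intern-temp"},
     "requestParameters": {"bucketName": "exfil-tmp-0501", "key": "dump.tar"}},
]

# Constructed DNS zone for example.com: (hostname, record type, target).
SAMPLE_DNS = [
    ("www.example.com", "CNAME", "www.example.com.s3-website-us-east-1.amazonaws.com"),
    ("old-promo.example.com", "CNAME", "old-promo.example.com.s3-website-us-east-1.amazonaws.com"),
    ("downloads.example.com", "CNAME", "downloads-example.s3.eu-west-1.amazonaws.com"),
    ("mail.example.com", "CNAME", "ghs.googlehosted.com"),
]

# Constructed bucket inventory (what list-buckets would return today).
EXISTING_BUCKETS = {"www.example.com", "downloads-example", "build-artifacts-prod", "exfil-tmp-0501"}

# Assumed allowlist of principals permitted to create buckets.
ALLOWED_CREATORS = {"arn:aws:iam::123456789012:user/ci-deploy",
                    "arn:aws:iam::123456789012:role/platform-admin"}


def create_bucket_events(records):
    """Keep only S3 CreateBucket calls and flatten the fields an analyst needs."""
    out = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "CreateBucket":
            continue
        out.append({
            "time": r["eventTime"],
            "bucket": r["requestParameters"]["bucketName"],
            "principal": r["userIdentity"].get("arn", "<unknown>"),
            "source_ip": r["sourceIPAddress"],
            "region": r["awsRegion"],
        })
    return out


def bucket_from_cname(target):
    """Return the bucket name an S3 CNAME target points at, or None if not S3."""
    m = S3_ENDPOINT.match(target.lower())
    return m.group("bucket") if m else None


def dangling_s3_cnames(dns_records, existing_buckets):
    """CNAMEs whose S3 target names a bucket nobody currently owns.
    Bucket names are global, so anyone can create that bucket and serve
    content under the hostname: a subdomain takeover."""
    found = []
    for host, rtype, target in dns_records:
        if rtype != "CNAME":
            continue
        bucket = bucket_from_cname(target)
        if bucket is not None and bucket not in existing_buckets:
            found.append((host, bucket))
    return found


def triage(records, allowed_creators, dns_records):
    """Attach to each CreateBucket event the reasons an analyst should look closer."""
    dns_buckets = {bucket_from_cname(t) for _, rt, t in dns_records if rt == "CNAME"}
    findings = []
    for ev in create_bucket_events(records):
        reasons = []
        if ev["principal"] not in allowed_creators:
            reasons.append("creator not on allowlist")
        if ev["bucket"] in dns_buckets:
            reasons.append("bucket backs a DNS record; update DNS if it is ever deleted")
        findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, ALLOWED_CREATORS, SAMPLE_DNS):
        print(f["time"], f["principal"], f["bucket"], f["source_ip"], f["reasons"] or "ok")
    for host, bucket in dangling_s3_cnames(SAMPLE_DNS, EXISTING_BUCKETS):
        print(f"DANGLING: {host} -> bucket {bucket!r} does not exist; remove the record or recreate the bucket")
```

On the constructed data the second CreateBucket call is flagged because intern-temp is not an allowed creator, the PutObject record is ignored, and old-promo.example.com is reported as dangling because its CNAME names a bucket that is no longer in the inventory. The inventory comparison is deliberately offline; replacing EXISTING_BUCKETS with the live list-buckets output turns this into a periodic check that can run after every bucket deletion, as the Investigation section recommends.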

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/what-is-s3.html