AWS GuardDuty Alert Details
Alert ID: GUARDDUTY-STORAGE-DISCOVERY-1619-7842
Alert Time: 2024-03-14 09:30:15 EST
Severity: MEDIUM (72/100)
Source: AWS GuardDuty
Rule: “Anomalous S3 Bucket Enumeration”
MITRE ATT&CK: T1619 – Cloud Storage Object Discovery
Alert Details:
Detection: IAM user enumerated multiple S3 buckets and objects
AWS Account: 123456789012 (Production)
IAM User: svc_monitoring (Service Account)
Source IP: 185.143.221[.]89 (Bulgaria)
Time: 09:15-09:30 EST
API Calls (from CloudTrail):
09:15:22 – s3:ListBuckets (list all S3 buckets) – SUCCESS
09:16:45 – s3:ListObjects on bucket: company-data-prod (2,847 objects listed)
09:17:38 – s3:ListObjects on bucket: company-backups-prod (1,234 objects)
09:18:22 – s3:ListObjects on bucket: company-logs-prod (4,567 objects)
09:19:05 – s3:ListObjects on bucket: company-finance-reports (892 objects)
09:19:48 – s3:GetObject on key: finance-reports/Q1_2024.xlsx (12 MB) – DOWNLOADED
09:20:15 – s3:GetObject on key: finance-reports/Q2_2024.xlsx (11 MB) – DOWNLOADED
09:20:55 – s3:GetObject on key: customer-data/export.csv (23 MB) – DOWNLOADED
… (total 12 GetObject calls)
Detection Logic:
Service account svc_monitoring normally only lists its own bucket
This activity shows enumeration of multiple buckets not normally accessed
Source IP outside expected region (Bulgaria, not US)
Pattern matches cloud storage discovery and data access
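The detection logic above, written out as a rule that can be run over CloudTrail-style records (an added example, not GuardDuty's or AWS's own code). The per-account baseline buckets, the expected country and the tiny GeoIP lookup are assumptions, and the event records are constructed to mirror the timeline in the alert.

```python
"""Detection logic for the 'Anomalous S3 Bucket Enumeration' pattern described above,
run over constructed CloudTrail-style records (added example, not GuardDuty's own code)."""
from collections import defaultdict

# Assumed per-principal baselines: the bucket each service account normally reads.
BASELINE_BUCKETS = {"svc_monitoring": {"company-monitoring-prod"},
                    "svc_backup": {"company-backups-prod"}}
EXPECTED_COUNTRY = "US"
GEOIP = {"185.143.221.89": "BG", "10.20.30.40": "US"}  # constructed GeoIP stand-in

# Constructed records (time, user, sourceIP, eventName, bucket, key) mirroring the
# alert timeline, plus one benign principal that stays inside its baseline.
EVENTS = [
    ("09:15:22", "svc_monitoring", "185.143.221.89", "ListBuckets", None, None),
    ("09:16:45", "svc_monitoring", "185.143.221.89", "ListObjects", "company-data-prod", None),
    ("09:19:05", "svc_monitoring", "185.143.221.89", "ListObjects", "company-finance-reports", None),
    ("09:19:48", "svc_monitoring", "185.143.221.89", "GetObject", "company-finance-reports", "finance-reports/Q1_2024.xlsx"),
    ("09:20:55", "svc_monitoring", "185.143.221.89", "GetObject", "company-data-prod", "customer-data/export.csv"),
    ("09:05:10", "svc_backup", "10.20.30.40", "ListObjects", "company-backups-prod", None),
    ("09:06:02", "svc_backup", "10.20.30.40", "GetObject", "company-backups-prod", "nightly/db.tar.gz"),
]


def analyse(events, min_new_buckets=2):
    """Flag principals that enumerate buckets outside their baseline and then download.
    At least two corroborating signals are required so one odd call does not alert."""
    per_user = defaultdict(lambda: {"listed": set(), "downloads": [], "ips": set(), "list_all": False})
    for _time, user, ip, event, bucket, key in events:
        s = per_user[user]
        s["ips"].add(ip)
        if event == "ListBuckets":
            s["list_all"] = True
        elif event == "ListObjects":
            s["listed"].add(bucket)
        elif event == "GetObject":
            s["downloads"].append((bucket, key))
    findings = []
    for user, s in per_user.items():
        new_buckets = s["listed"] - BASELINE_BUCKETS.get(user, set())
        foreign = sorted(ip for ip in s["ips"] if GEOIP.get(ip, "??") != EXPECTED_COUNTRY)
        signals = [
            (s["list_all"], "account-wide ListBuckets"),
            (len(new_buckets) >= min_new_buckets, f"{len(new_buckets)} buckets outside baseline enumerated"),
            (bool(foreign), f"source IP outside {EXPECTED_COUNTRY}: {foreign}"),
            (bool(s["downloads"] and new_buckets), f"{len(s['downloads'])} GetObject calls after enumeration"),
        ]
        reasons = [text for hit, text in signals if hit]
        if len(reasons) >= 2:
            findings.append({"user": user, "reasons": reasons,
                             "buckets": sorted(new_buckets), "downloads": s["downloads"]})
    return findings
```

Running `analyse(EVENTS)` yields one finding for svc_monitoring with all four signals, while svc_backup, which only reads its own baseline bucket from an expected location, produces none.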
SOC Investigation Process
Step                      | Action                              | Tools Used                    | Findings
1. Alert Validation       | Verify GuardDuty alert              | GuardDuty Console, CloudTrail | Confirmed unauthorized S3 enumeration
2. Account Investigation  | Check svc_monitoring activity       | AWS IAM, CloudTrail           | Service account credentials compromised (leaked in GitHub)
3. Immediate Action       | Rotate access keys                  | AWS IAM                       | svc_monitoring keys rotated
4. Bucket Permissions     | Review and restrict bucket policies | S3 Bucket Policies            | Removed unnecessary permissions; enforced least privilege
5. Data Access Assessment | Identify downloaded objects         | CloudTrail logs               | 12 files downloaded (46 MB) – financial and customer data
6. Incident Response      | Activate breach response            | Legal, Management             | Data breach declared
Jira Incident Report
Ticket: SOC-2024-216
Summary: T1619 – Cloud Storage Object Discovery & Data Access from Compromised Service Account
Status: RESOLVED
Resolution: MALICIOUS – Data Access Confirmed
Priority: P2 – MEDIUM
Labels: T1619, cloud-storage-discovery, s3, guardduty, compromised-credentials
Components: Cloud-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: AWS GuardDuty.
Alert: “Anomalous S3 Bucket Enumeration”.
IAM User: svc_monitoring (service account).
Source IP: 185.143.221[.]89 (Bulgaria).
Activity: Listed 5 buckets, downloaded 12 objects (46 MB).
Time: 2024-03-14 09:30 EST.
Technique: MITRE ATT&CK T1619 – Cloud Storage Object Discovery.
2. Technical Analysis:
Attack Chain:
08:30 – svc_monitoring credentials leaked via public GitHub repository
08:45 – Attacker uses credentials to access AWS from Bulgaria
09:15-09:30 – Bucket enumeration and data download
09:30 – GuardDuty detects
Data Accessed:
Q1_2024.xlsx, Q2_2024.xlsx (financial reports)
customer-data/export.csv (customer PII)
Remaining files: backups and logs (no sensitive data beyond the financial reports and customer export listed above)
Total: 12 files, 46 MB
Compromised Credentials:
IAM User: svc_monitoring
Permissions: Read access to multiple S3 buckets (excessive)
Leak Source: Public GitHub (developer committed access key)
Attacker Intent:
Data theft (financial, customer data)
3. Investigation Findings:
Timeline:
08:30 – Credentials compromised
08:45 – Attacker accesses AWS
09:15-09:30 – Data access
09:30 – Alert
09:32 – SOC investigates
09:33 – Keys rotated
09:35 – Access revoked
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
– S3 operations: ListBuckets, ListObjects, GetObject
Credentials:
– svc_monitoring access keys (rotated)
Data:
– 12 files, 46 MB accessed (list attached)
4. Containment Actions:
Immediate Actions:
Rotated svc_monitoring access keys.
Removed excessive S3 permissions (least privilege).
Blocked attacker IP at AWS WAF.
Disabled compromised IAM user temporarily.
Data Protection:
Determined scope of accessed data (46 MB).
Notified affected data owners.
Initiated breach response (customer PII exposure).
Cloud Remediation:
Enabled S3 server access logging.
Implemented S3 Block Public Access.
5. Root Cause Analysis:
Primary Cause: Service account credentials leaked in public GitHub repository.
Contributing Factors:
No secret scanning.
Service account had excessive permissions.
No MFA for service accounts.
6. Business Impact:
Operational Impact: None.
Data Exposure: 46 MB of financial and customer data accessed (downloaded).
Regulatory Impact: GDPR/CCPA breach (customer PII).
7. Remediation & Prevention:
Completed Actions:
Keys rotated.
Permissions restricted.
Breach response initiated.
Technical Controls Enhanced:
Implemented secret scanning (GitHub Advanced Security).
Enforced least privilege for service accounts.
Enabled GuardDuty with automated response.
Deployed AWS Config rules for S3 bucket policies.
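A check for the root-cause weakness above (the service account's excessive S3 permissions), as an added example rather than an AWS or project tool. The "before" policy granting broad read access and the "after" policy scoped to a single monitoring bucket are both constructed; the audit flags Allow statements that reach beyond the buckets a principal is meant to touch.

```python
"""Least-privilege audit for the service-account policy weakness described above
(added example, not an AWS tool; both policy documents are constructed)."""

S3_PREFIX = "arn:aws:s3:::"

# Constructed 'before' policy: the excessive read access svc_monitoring held.
EXCESSIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
     "Resource": "*"}]}

# Constructed 'after' policy: scoped to the one bucket the account monitors.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::company-monitoring-prod"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::company-monitoring-prod/metrics/*"}]}


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, allowed_buckets):
    """Return findings for Allow statements whose S3 grants exceed allowed_buckets:
    action globs, account-wide bucket listing, wildcard or out-of-scope resources."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        s3_actions = [a for a in actions if a.lower().startswith("s3:") or a == "*"]
        if not s3_actions:
            continue  # statement does not touch S3
        if "s3:*" in actions or "*" in actions:
            findings.append(f"stmt {i}: wildcard action grant covers every S3 operation")
        if "s3:ListAllMyBuckets" in actions:
            findings.append(f"stmt {i}: s3:ListAllMyBuckets permits account-wide bucket enumeration")
        for r in _as_list(st.get("Resource", [])):
            if r in ("*", S3_PREFIX + "*"):
                findings.append(f"stmt {i}: S3 actions granted on every bucket ({r})")
            elif r.startswith(S3_PREFIX):
                bucket = r[len(S3_PREFIX):].split("/", 1)[0]
                if "*" in bucket or bucket not in allowed_buckets:
                    findings.append(f"stmt {i}: resource {r} is outside the allowed buckets")
    return findings
```

Against the excessive policy the audit reports the ListAllMyBuckets grant and the wildcard resource; the scoped policy passes clean for its one allowed bucket and fails if that bucket is not in the allowed set.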
8. Conclusion:
An attacker obtained the svc_monitoring access keys from a public GitHub repository where a developer had committed them, and used them to enumerate S3 buckets and download 46 MB of sensitive financial and customer data. GuardDuty detected the anomalous activity, enabling key rotation and breach response.
Closure Rationale: Data accessed; access revoked; breach response initiated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-14 10:30 EST