Skip to main content
Splunk Lantern

Public S3 bucket identification

Amazon Simple Storage Service (S3) buckets may be inadvertently set with broader (public) access, which could lead to the loss or theft of confidential information. Based on the complexity of access control list (ACL) configurations, it's extremely difficult to determine the true accessibility of an S3 bucket via Cloudwatch logs.

You can use this search to review critical ACL changes made to S3 buckets access configurations.

Procedure

  1. Configure the Splunk Add-on for Amazon Web Services.
  2. Ensure that your deployment is ingesting AWS data through one of the following methods:
    • Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work fine.
    • Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.

3. Run the following search. You can optimize it by specifying an index and adjusting the time range.

index="<AWS index name>" sourcetype="aws:cloudtrail" readOnly=False 
eventSource="s3.amazonaws.com" eventName IN (*PublicAccessBlock*, *ACL*, PutBucketPolicy)
| eval requestParameters=mvindex(split(mvindex(split(_raw, "requestParameters\":"),1),"\"responseElements"),0)
| table _time requestParameters.bucketName userIdentity.principalId eventName requestParameters

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
index="<AWS index name>" sourcetype="aws:cloudtrail" Search the index(s) where AWS data is stored filtered to just the AWS Cloudwatch Logs sourcetype. 
readOnly=False eventSource="s3.amazonaws.com" eventName IN (*PublicAccessBlock*, *ACL*, PutBucketPolicy) Filter to non-readOnly events associated with s3 activity where the eventName is indicative of a modification to bucket access.
| eval requestParameters=mvindex(split(mvindex(split(_raw, "requestParameters\":"),1),"\"responseElements"),0) Parse out the parameters of the change. The parameter contents are dynamic and outline what change was requested.
| table _time requestParameters.bucketName userIdentity.principalId eventName requestParameters Display the results in a table with columns in the order shown.

Next steps

Being able to see who changed access policies that may impact an S3 buckets accessibility, and when the changes were made, allows you to perform further investigation on the bucket to determine if the access is appropriate and warranted.

You might also be interested in other processes associated with the Managing an Amazon Web Services environment use case.