AWS S3 Buckets enumeration activity

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2026-01-27
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	1 Day
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Cloud Infrastructure Discovery (T1580)
Severity	Informational

Description

Enumeration of S3 buckets, suggesting potential cloud storage reconnaissance.

Attacker's Goals

Discover available S3 buckets in the environment.
Enumerate objects within buckets to determine the type and structure of stored data.
Evaluate public access configurations of buckets to identify potential exposure or misconfigurations.

Investigative actions

Identify the identity performing the calls and determine if this behavior aligns with their typical access patterns.
Check access control policies and public access settings on the enumerated buckets for misconfigurations or unauthorized access attempts.