AWS S3 bucket was exposed to public access

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-11-12
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags	Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & Response
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Impair Defenses (T1562)
Severity	Low

Description

AWS bucket was publicly shared.

Attacker's Goals

The attacker wants to maintain indirect control over the resource.
The attacker intends to allow public access, making it harder to detect future activity.
Attackers are constantly monitoring for public assets to steal sensitive information.

Investigative actions

Check if the identity intended to change the state of the bucket to public.
Change the bucket or ACL policy for bucket.
Restrict permissions for the identity if needed.

Variations

AWS S3 bucket was exposed to public access by admin cloud identity

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Impair Defenses (T1562)
Severity	Informational

Description

AWS bucket was publicly shared.

Attacker's Goals

The attacker wants to maintain indirect control over the resource.
The attacker intends to allow public access, making it harder to detect future activity.
Attackers are constantly monitoring for public assets to steal sensitive information.

Investigative actions

Check if the identity intended to change the state of the bucket to public.
Change the bucket or ACL policy for bucket.
Restrict permissions for the identity if needed.