Foreign account was granted permissions to S3 bucket via resource-based policy

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2026-01-04
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags	Cloud Data Asset Exfiltration, Data Detection & Response
ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Informational

Description

Foreign account was granted access to S3 bucket.

Attacker's Goals

The attacker wants to maintain control over the resource.

Investigative actions

Check if the {cloud_best_identity_match} intended to modify {aws_s3bucket_identifier} policy.
Check the permissions that were granted to the {aws_grantee_project}.
Restrict permissions for the {aws_grantee_project} if needed.

Variations

Foreign account was granted permissions to S3 bucket containing sensitive information via resource-based policy

Synopsis

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Low

Description

Foreign account was granted access to S3 bucket.

Attacker's Goals

The attacker wants to maintain control over the resource.

Investigative actions

Check if the {cloud_best_identity_match} intended to modify {aws_s3bucket_identifier} policy.
Check the permissions that were granted to the {aws_grantee_project}.
Restrict permissions for the {aws_grantee_project} if needed.