AWS S3 Credential File Retrieved from Bucket

Detects successful S3 GetObject calls targeting high-value credential and secret files commonly stored in S3 buckets: AWS credentials files (".aws/credentials", ".aws/config"), SSH private keys ("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"), environment files (".env"), PEM and PuTTY key files, and other private key patterns. These file types are high-yield targets for credential harvesting from S3. The rule excludes the AWSService identity type to suppress S3 replication, Glacier restore, and other AWS-internal data movement that legitimately reads these files.

Rule type: query
Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS S3
  • Use Case: Identity and Access Audit
  • Tactic: Credential Access
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

S3 data event logging is required for this rule. This rule detects S3 GetObject events, which are data plane events not logged by default. To enable: CloudTrail console → Trails → [trail name] → Data events → Add S3 → select the buckets to monitor (or all buckets with a wildcard). Without this configuration, the rule produces no alerts.

Refer to the AWS documentation on logging data events (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) for detailed steps.

S3 is frequently used to store configuration files, scripts, and secrets. When files with credential-like names are accessed, it warrants investigation to ensure that the retrieval was authorized.

Possible investigation steps:

  • Identify the accessed file: Review aws.cloudtrail.request_parameters for the bucket name and key. Determine whether the bucket is intended to store secrets.
  • Verify the caller: Inspect aws.cloudtrail.user_identity.arn and source.ip. If the caller is not an approved automation role, escalate immediately.
  • Check bucket permissions: Determine if the bucket is publicly accessible or if the key naming pattern was intentionally exposed.
  • Look for downstream actions: Search for subsequent IAM, STS, or console actions from the same identity shortly after the object retrieval, which may indicate successful credential use.

False positive analysis:

  • Legitimate backup or restore processes may access credential files stored in S3 as part of their workflow. Validate the calling identity and user agent against known automation accounts.
  • CI/CD pipelines that retrieve secrets from S3 during deployment may trigger this rule. Verify the source IP and ARN match expected automation infrastructure.

Response and remediation:

  • Immediately disable the access key identified in aws.cloudtrail.user_identity.access_key_id if the retrieval is determined to be unauthorized.
  • Audit the S3 bucket for overly permissive policies or public access configurations.
  • Rotate any credentials stored in the accessed object — treat them as compromised.
  • Review all CloudTrail events from the same identity in the preceding 30 minutes for signs of lateral movement, IAM changes, or resource creation.
  • Implement S3 bucket policies or IAM conditions restricting access to credential files to only authorized identities and source IPs.
Rule query:

data_stream.dataset: "aws.cloudtrail" and
event.provider: "s3.amazonaws.com" and
event.action: "GetObject" and
event.outcome: "success" and
aws.cloudtrail.flattened.request_parameters.key: (
    */.aws/credentials or
    */.aws/config or
    */id_rsa or
    */id_ed25519 or
    */id_ecdsa or
    */id_dsa or
    */.env or
    */.env.* or
    *.ppk or
    *.pem or
    *.key or
    *private_key* or
    */.ssh/authorized_keys
) and
not aws.cloudtrail.user_identity.type: "AWSService"
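To see which events the query above would and would not alert on, the following added example (not Elastic's code) replays the rule's conditions in Python over constructed CloudTrail records. It assumes raw CloudTrail JSON field names (eventSource, eventName, errorCode, requestParameters.key, userIdentity.type) as stand-ins for the ECS fields the rule queries, and uses fnmatch because its "*" spans "/" the same way a KQL wildcard on a keyword field does.

```python
import fnmatch

# Key patterns copied verbatim from the rule's KQL.
CREDENTIAL_KEY_PATTERNS = [
    "*/.aws/credentials", "*/.aws/config",
    "*/id_rsa", "*/id_ed25519", "*/id_ecdsa", "*/id_dsa",
    "*/.env", "*/.env.*",
    "*.ppk", "*.pem", "*.key", "*private_key*",
    "*/.ssh/authorized_keys",
]

def is_credential_key(key: str) -> bool:
    """True when the S3 object key matches one of the rule's wildcard patterns."""
    return any(fnmatch.fnmatchcase(key, p) for p in CREDENTIAL_KEY_PATTERNS)

def matches_rule(record: dict) -> bool:
    """Apply each clause of the rule to one raw CloudTrail record (assumed field mapping:
    eventSource -> event.provider, eventName -> event.action, no errorCode -> event.outcome
    success, requestParameters.key -> ...request_parameters.key, userIdentity.type)."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    if record.get("eventName") != "GetObject":
        return False
    if record.get("errorCode"):  # AccessDenied, NoSuchKey, ... are not successful reads
        return False
    if record.get("userIdentity", {}).get("type") == "AWSService":
        return False  # replication / Glacier restore exclusion from the rule
    return is_credential_key(record.get("requestParameters", {}).get("key", ""))

def alerting_records(records):
    """Return (eventID, key, caller ARN) for every record the rule would alert on."""
    return [(r["eventID"], r["requestParameters"]["key"], r["userIdentity"].get("arn"))
            for r in records if matches_rule(r)]

def _rec(eid, key, utype="IAMUser", arn="arn:aws:iam::123456789012:user/alice",
         err=None, name="GetObject"):
    """Build a constructed CloudTrail record trimmed to the fields the rule inspects."""
    return {"eventID": eid, "eventSource": "s3.amazonaws.com", "eventName": name,
            "errorCode": err, "userIdentity": {"type": utype, "arn": arn},
            "requestParameters": {"bucketName": "example-bucket", "key": key}}

# Constructed sample events: two true hits and four cases the rule deliberately skips.
SAMPLE_RECORDS = [
    _rec("e1", "backups/home/alice/.aws/credentials"),                  # alert
    _rec("e2", "deploy/prod/.env.production"),                          # alert via */.env.*
    _rec("e3", "certs/server.pem", utype="AWSService",
         arn="replication.s3.amazonaws.com"),                           # AWSService excluded
    _rec("e4", "keys/id_rsa", err="AccessDenied"),                      # failed call
    _rec("e5", "docs/readme.txt"),                                      # not a credential file
    _rec("e6", "keys/id_rsa", name="PutObject"),                        # upload, not a read
]
```

Note that a key such as "id_rsa" at the bucket root does not match "*/id_rsa", mirroring the rule's own patterns rather than extending them.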

Framework: MITRE ATT&CK