Query Details
// AWS NoSuchBucket Check
// https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
AWSCloudTrail
| where TimeGenerated > ago(90d)
| where ErrorCode == "NoSuchBucketPolicy"
| extend BucketName = tostring(parse_json(RequestParameters).bucketName)
| extend Host = tostring(parse_json(RequestParameters).Host)
| project TimeGenerated, BucketName, Host
This query runs over AWS CloudTrail logs ingested into Microsoft Sentinel and lists the S3 API calls from the last 90 days that failed with the error code NoSuchBucketPolicy. Here's a breakdown of what it does:
Data Source: It uses the AWSCloudTrail table as the data source.
Time Filter: It keeps only events whose TimeGenerated falls within the last 90 days (ago(90d)).
Error Code Filter: It keeps only events whose ErrorCode is "NoSuchBucketPolicy". S3 returns this code when a caller requests the bucket policy (GetBucketPolicy) of a bucket that exists but has no policy attached.
Extract Information: RequestParameters is stored as a JSON string, so the query runs it through parse_json() and pulls out two properties:
BucketName: the bucketName property, the bucket the request targeted.
Host: the Host property, the S3 endpoint the request was sent to. tostring() turns a missing property into an empty string, so rows without a Host are kept rather than dropped.
Output: The query projects a table with the following columns:
TimeGenerated: The timestamp of when the log was generated.
BucketName: The name of the bucket that was attempted to be accessed.
Host: The host the request was sent to.
Note that NoSuchBucketPolicy is a different error from NoSuchBucket. A request to a bucket that does not exist at all fails with NoSuchBucket, and that is the condition behind the linked watchTowr research: hosts and software still fetching from bucket names nobody owns, which an attacker can re-register and serve content from. To hunt for those dangling references, change the error code in the filter to "NoSuchBucket". Both codes are worth reviewing, since each points at a bucket reference that is out of step with what actually exists in the account.
In summary, this query surfaces failed S3 calls against buckets with no policy (and, with the one-word change above, calls against buckets that no longer exist), which is useful both for security monitoring of abandoned or misreferenced buckets and for troubleshooting in AWS environments.
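The same filtering and extraction logic, written in Python so it can be run offline against a handful of rows. This is an added example, not code from the page or its author. It assumes the Sentinel AWSCloudTrail column layout (TimeGenerated as a timestamp, ErrorCode as a string, RequestParameters as the raw JSON string CloudTrail records), and the sample rows are constructed, not real logs. The error code is a parameter so the NoSuchBucket variant described above can be run with the same function; the reference date NOW is fixed so the 90-day window is reproducible.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the ago(90d) window is deterministic (assumption for the example).
NOW = datetime(2025, 2, 6, tzinfo=timezone.utc)


def _s3_params(bucket, host=None, **extra):
    """Build a RequestParameters JSON string shaped like CloudTrail's S3 requestParameters."""
    params = {"bucketName": bucket, **extra}
    if host is not None:
        params["Host"] = host
    return json.dumps(params)


# Constructed sample rows shaped like the Sentinel AWSCloudTrail table. Not real logs.
SAMPLE_ROWS = [
    {   # GetBucketPolicy on a bucket that exists but has no policy -> NoSuchBucketPolicy
        "TimeGenerated": "2025-02-05T10:15:00Z", "EventSource": "s3.amazonaws.com",
        "EventName": "GetBucketPolicy", "ErrorCode": "NoSuchBucketPolicy",
        "RequestParameters": _s3_params("example-assets-prod", "example-assets-prod.s3.amazonaws.com"),
    },
    {   # GetObject from a bucket that does not exist at all -> NoSuchBucket (dangling reference)
        "TimeGenerated": "2025-02-04T08:00:00Z", "EventSource": "s3.amazonaws.com",
        "EventName": "GetObject", "ErrorCode": "NoSuchBucket",
        "RequestParameters": _s3_params("old-installer-downloads", "old-installer-downloads.s3.amazonaws.com", key="setup.exe"),
    },
    {   # Same error as row 0, but older than 90 days -> excluded by the time filter
        "TimeGenerated": "2024-10-01T12:00:00Z", "EventSource": "s3.amazonaws.com",
        "EventName": "GetBucketPolicy", "ErrorCode": "NoSuchBucketPolicy",
        "RequestParameters": _s3_params("retired-backups", "retired-backups.s3.amazonaws.com"),
    },
    {   # Successful call: CloudTrail records no errorCode
        "TimeGenerated": "2025-02-05T11:00:00Z", "EventSource": "s3.amazonaws.com",
        "EventName": "GetBucketPolicy", "ErrorCode": "",
        "RequestParameters": _s3_params("example-assets-prod", "example-assets-prod.s3.amazonaws.com"),
    },
    {   # NoSuchBucketPolicy with no Host key -> Host comes back "", as tostring() does for a missing property
        "TimeGenerated": "2025-01-20T09:30:00Z", "EventSource": "s3.amazonaws.com",
        "EventName": "GetBucketPolicy", "ErrorCode": "NoSuchBucketPolicy",
        "RequestParameters": _s3_params("legacy-reports"),
    },
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_bucket_errors(rows, error_code="NoSuchBucketPolicy", window_days=90, now=NOW):
    """Python equivalent of the KQL: keep rows inside the time window whose ErrorCode matches,
    then pull bucketName and Host out of the RequestParameters JSON string."""
    cutoff = now - timedelta(days=window_days)
    results = []
    for row in rows:
        if _parse_time(row["TimeGenerated"]) <= cutoff:        # where TimeGenerated > ago(90d)
            continue
        if row.get("ErrorCode") != error_code:                 # where ErrorCode == "..."
            continue
        try:                                                   # parse_json(RequestParameters)
            params = json.loads(row.get("RequestParameters") or "{}")
        except json.JSONDecodeError:
            params = {}
        if not isinstance(params, dict):
            params = {}
        results.append({                                       # extend ... | project ...
            "TimeGenerated": row["TimeGenerated"],
            "BucketName": str(params.get("bucketName", "")),
            "Host": str(params.get("Host", "")),
        })
    return results


if __name__ == "__main__":
    for code in ("NoSuchBucketPolicy", "NoSuchBucket"):
        print(f"--- ErrorCode == {code} ---")
        for hit in find_bucket_errors(SAMPLE_ROWS, error_code=code):
            print(hit)
```

Running it shows two NoSuchBucketPolicy hits (the 90-day filter drops the October row and the successful call is skipped because its ErrorCode is empty) and one NoSuchBucket hit for the bucket that no longer exists, which is the row the abandoned-bucket variant of the hunt is after.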

Steven Lim
Released: February 6, 2025