Query Details

AWS Cloud Trail AWS S3 Bucket Publicly Exposed

Query

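// Branch 1: PutBucketAcl calls whose grants arrive as x-amz-grant-* request
// headers; CloudTrail keeps those headers under RequestParameters.accessControlList.
// A grant is flagged when it names a predefined group (AuthenticatedUsers,
// AllUsers), an email-address grantee ("emailAddress=") or an explicit
// grantee id ("id="), i.e. the two latter catch cross-account sharing as well
// as true public exposure.
// Added: canned ACLs sent in the x-amz-acl header (public-read,
// public-read-write, authenticated-read). They make a bucket public without
// any x-amz-grant-* header, so the original checks never saw them.
// NOTE(review): "x-amz-acl" is the S3 header name; confirm that your
// CloudTrail records carry it under that key in RequestParameters.
let _Headers_PutBucketAcl =
    AWSCloudTrail
    | where EventName in ("PutBucketAcl")
    | extend RequestParameters = todynamic(RequestParameters)
    // Alias the header bag once so each per-permission check stays readable.
    | extend AclHeaders = RequestParameters["accessControlList"]
    // A missing key stringifies to "" and matches nothing, so every term is safe
    // to evaluate on events that lack it.
    | where tostring(AclHeaders["x-amz-grant-full-control"]) has_any ("AuthenticatedUsers", "AllUsers", "emailAddress=", "id=")
        or tostring(AclHeaders["x-amz-grant-read"]) has_any ("AuthenticatedUsers", "AllUsers", "emailAddress=", "id=")
        or tostring(AclHeaders["x-amz-grant-read-acp"]) has_any ("AuthenticatedUsers", "AllUsers", "emailAddress=", "id=")
        or tostring(AclHeaders["x-amz-grant-write"]) has_any ("AuthenticatedUsers", "AllUsers", "emailAddress=", "id=")
        or tostring(AclHeaders["x-amz-grant-write-acp"]) has_any ("AuthenticatedUsers", "AllUsers", "emailAddress=", "id=")
        or tostring(RequestParameters["x-amz-acl"]) has_any ("public-read", "public-read-write", "authenticated-read")
    // Drop the helper column so this branch's schema matches the other branches.
    | project-away AclHeaders
;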
// Branch 2: PutBucketAcl calls that send the ACL in the request body;
// CloudTrail keeps the body under RequestParameters.AccessControlPolicy.
let _ACL_PutBucketAcl =
    AWSCloudTrail
    | where EventName == "PutBucketAcl"
    | extend RequestParameters = todynamic(RequestParameters)
    // Normalize AccessControlList to an array before expanding: for a single
    // object array_length() is null, so the value is wrapped with pack_array()
    // and mv-expand yields exactly one row for it.
    | extend AclNode = RequestParameters["AccessControlPolicy"]["AccessControlList"]
    | extend AclNodes = iff(isempty(array_length(AclNode)), pack_array(AclNode), AclNode)
    | mv-expand Grant = AclNodes
    // Term match over the stringified node. NOTE(review): the expanded value is
    // the AccessControlList node itself, not one grant, so the match runs over
    // every grant in the request at once; if the owner's own grant carries an
    // "ID" key this list will match it too — confirm against your data before
    // tuning the terms.
    | where Grant has_any ("AuthenticatedUsers", "AllUsers","EmailAddress", "ID")
    // Helper columns are not part of the branch's output.
    | project-away AclNode, AclNodes
;
// Branch 3: bucket-policy and access-point-policy writes.
// NOTE(review): the statement-level filter below is disabled, so this branch
// currently emits every PutBucketPolicy / PutAccessPointPolicy event whether
// or not the new policy grants public access. The disabled filter also keys on
// a wildcard Resource or Action, not on a wildcard Principal, which is the
// condition that actually makes a policy public.
let _BucketPolicies =
    AWSCloudTrail
    | where EventName == "PutBucketPolicy" or EventName == "PutAccessPointPolicy"
    | extend RequestParameters = todynamic(RequestParameters)
    // Disabled policy-content filter, kept verbatim for reference. It reads the
    // policy document from whichever request key carries it, expands the
    // Statement array and keeps Allow statements with a wildcard Resource or
    // Action.
//     | extend Statement = case(
//         bag_keys(RequestParameters) has "bucketPolicy", todynamic(tostring(RequestParameters["bucketPolicy"]))["Statement"],
//         bag_keys(RequestParameters) has "policyDocument", todynamic(tostring(RequestParameters["policyDocument"]))["Statement"],
//         bag_keys(RequestParameters) has "content", todynamic(tostring(RequestParameters["content"]))["Statement"],
//         dynamic(null)
// )
//     | mv-expand Statement = iff(isnotempty(bag_keys(Statement)), pack_array(Statement), Statement)
//     | extend
//         Effect = tostring(Statement["Effect"]),
//         Action = tostring(Statement["Action"]),
//         Resource = tostring(Statement["Resource"])
//     | where Effect == "Allow" and (Resource has "*" or Action has "*")
//     | summarize take_any(*) by AwsEventId
;
// Combine the three branches, enrich every event with the acting identity's
// role (AWSIdentityRole is defined outside this query) and keep the fields an
// analyst needs for triage. Column order is kept as-is for downstream consumers.
// Note: no branch filters on ErrorCode, so events with a non-empty ErrorCode
// (calls that reported an error) are included and should be triaged separately.
_Headers_PutBucketAcl
| union _ACL_PutBucketAcl, _BucketPolicies
| invoke AWSIdentityRole()
| project
    // when and who
    TimeGenerated, UserIdentityType, Identity, ActorRole,
    UserIdentityAccountId, UserIdentityAccountName,
    RecipientAccountId, RecipientAccountName,
    SessionCreationDate, UserIdentityPrincipalid, UserIdentityArn, SourceIpAddress,
    // what was called and with what outcome
    EventSource, EventTypeName, EventName, ManagementEvent, ReadOnly,
    ErrorCode, ErrorMessage,
    RequestParameters, ResponseElements, Resources,
    // session and client context
    SessionMfaAuthenticated, UserAgent, AwsEventId

Explanation

This query looks in AWS CloudTrail for events that change the access control settings of S3 buckets. It checks three kinds of events: ACL grants passed as request headers, ACL grants passed in the request body, and bucket or access-point policy updates. The results of the three checks are combined and selected fields about each event are displayed.

Details


Jose Sebastián Canós

Released: March 5, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail,EventName,RequestParameters,AccessControlPolicy,Grant,AuthenticatedUsers,AllUsers,EmailAddress,ID,Statement,Effect,Action,Resource,TimeGenerated,UserIdentityType,Identity,ActorRole,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountId,RecipientAccountName,SessionCreationDate,UserIdentityPrincipalid,UserIdentityArn,SourceIpAddress,EventSource,EventTypeName,ManagementEvent,ReadOnly,ErrorCode,ErrorMessage,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

Operators

where, in, extend, todynamic, has_any, or, mv-expand, iff, isempty, array_length, pack_array, bag_keys, case, dynamic, isnotempty, take_any, union, invoke, project
