AWS S3 Credential File Retrieved from Bucket

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.


Detects successful S3 GetObject calls targeting high-value credential and secret files commonly stored in S3 buckets: AWS credentials files (".aws/credentials", ".aws/config"), SSH private keys ("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"), environment files (".env"), PEM and PuTTY key files, and other private key patterns. These file types are high-yield targets for credential harvesting from S3. The rule excludes the AWSService identity type to suppress S3 replication, Glacier restore, and other AWS-internal data movement that legitimately reads these files.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS S3
  • Use Case: Identity and Access Audit
  • Tactic: Credential Access
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating AWS S3 Credential File Retrieved from Bucket

S3 is frequently used to store configuration files, scripts, and secrets. When files with credential-like names are accessed, it warrants investigation to ensure that the retrieval was authorized.

Possible investigation steps

  • Identify the accessed file: Review aws.cloudtrail.request_parameters for the bucket name and key. Determine whether the bucket is intended to store secrets.
  • Verify the caller: Inspect aws.cloudtrail.user_identity.arn and source.ip. If the caller is not an approved automation role, escalate immediately.
  • Check bucket permissions: Determine if the bucket is publicly accessible or if the key naming pattern was intentionally exposed.
  • Look for downstream actions: Search for subsequent IAM, STS, or console actions from the same identity shortly after the object retrieval, which may indicate successful credential use.

False positive analysis

  • Legitimate backup or restore processes may access credential files stored in S3 as part of their workflow. Validate the calling identity and user agent against known automation accounts.
  • CI/CD pipelines that retrieve secrets from S3 during deployment may trigger this rule. Verify the source IP and ARN match expected automation infrastructure.

Response and remediation

  • Immediately disable the access key identified in aws.cloudtrail.user_identity.access_key_id if the retrieval is determined to be unauthorized.
  • Audit the S3 bucket for overly permissive policies or public access configurations.
  • Rotate any credentials stored in the accessed object — treat them as compromised.
  • Review all CloudTrail events from the same identity in the preceding 30 minutes for signs of lateral movement, IAM changes, or resource creation.
  • Implement S3 bucket policies or IAM conditions restricting access to credential files to only authorized identities and source IPs.
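The "look for downstream actions" investigation step and the 30-minute look-back in the response steps both amount to the same triage query: collect everything the same identity did in a window around the GetObject and single out IAM, STS, or console calls after it. The helper below, an added example rather than part of the Elastic rule or its documentation, does that over constructed, flattened CloudTrail records (field names `@timestamp`, `user_identity_arn`, `provider`, `action` are a simplification of the ECS fields named above; the sample events and the 30-minute windows are assumptions).

```python
"""Triage helper for a credential-file GetObject alert (added example, not
Elastic's code): gather the calling identity's activity 30 minutes before and
after the retrieval and flag IAM/STS/console calls that follow it."""
from datetime import datetime, timedelta

# Providers whose calls after a credential read suggest the secret was used
# (the investigation guide names IAM, STS, and console actions).
DOWNSTREAM_PROVIDERS = {
    "iam.amazonaws.com",
    "sts.amazonaws.com",
    "signin.amazonaws.com",
}


def parse_ts(ts: str) -> datetime:
    """Parse a CloudTrail/ECS timestamp such as 2024-01-15T10:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def related_activity(alert: dict, events: list,
                     before: timedelta = timedelta(minutes=30),
                     after: timedelta = timedelta(minutes=30)) -> dict:
    """Split the identity's other events into those preceding and following
    the alert, and pull out the downstream ones that indicate credential use."""
    arn = alert["user_identity_arn"]
    t0 = parse_ts(alert["@timestamp"])
    preceding, following = [], []
    for ev in events:
        if ev is alert or ev["user_identity_arn"] != arn:
            continue  # different principal, or the alert itself
        t = parse_ts(ev["@timestamp"])
        if t0 - before <= t < t0:
            preceding.append(ev)
        elif t0 < t <= t0 + after:
            following.append(ev)
    downstream = [ev for ev in following if ev["provider"] in DOWNSTREAM_PROVIDERS]
    return {
        "preceding": preceding,
        "following": following,
        "downstream_credential_use": downstream,
    }


ALICE = "arn:aws:iam::111122223333:user/alice"   # constructed ARN
BOB = "arn:aws:iam::111122223333:user/bob"       # constructed ARN


def ev(ts: str, arn: str, provider: str, action: str) -> dict:
    """Build one flattened CloudTrail record (constructed sample data)."""
    return {"@timestamp": ts, "user_identity_arn": arn,
            "provider": provider, "action": action}


# Constructed timeline; the GetObject at 10:00 is the event the rule alerted on.
SAMPLE_EVENTS = [
    ev("2024-01-15T09:20:00Z", ALICE, "signin.amazonaws.com", "ConsoleLogin"),  # > 30 min before
    ev("2024-01-15T09:45:00Z", ALICE, "s3.amazonaws.com", "ListBuckets"),
    ev("2024-01-15T10:00:00Z", ALICE, "s3.amazonaws.com", "GetObject"),        # the alert
    ev("2024-01-15T10:01:00Z", BOB, "sts.amazonaws.com", "GetCallerIdentity"),  # other principal
    ev("2024-01-15T10:02:00Z", ALICE, "s3.amazonaws.com", "GetObject"),
    ev("2024-01-15T10:03:00Z", ALICE, "sts.amazonaws.com", "GetCallerIdentity"),
    ev("2024-01-15T10:05:00Z", ALICE, "iam.amazonaws.com", "CreateAccessKey"),
    ev("2024-01-15T10:40:00Z", ALICE, "iam.amazonaws.com", "AttachUserPolicy"),  # > 30 min after
]
ALERT = SAMPLE_EVENTS[2]


def summarize(alert: dict, events: list) -> dict:
    """Actions per bucket, in timeline order, for a quick read during triage."""
    r = related_activity(alert, events)
    return {k: [e["action"] for e in v] for k, v in r.items()}


if __name__ == "__main__":
    for bucket, actions in summarize(ALERT, SAMPLE_EVENTS).items():
        print(f"{bucket}: {actions}")
```

An IAM CreateAccessKey or STS call from the same principal minutes after the read is the pattern the guide describes as "successful credential use"; anything in the preceding window helps judge whether the principal was an expected automation role or a freshly logged-in interactive user.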

Setup


S3 data event logging is required for this rule. This rule detects S3 GetObject events, which are data plane events not logged by default. To enable: CloudTrail console → Trails → [trail name] → Data events → Add S3 → select the buckets to monitor (or all buckets with a wildcard). Without this configuration, the rule produces no alerts.

Refer to the AWS documentation on logging data events for detailed steps.

Rule query

data_stream.dataset: "aws.cloudtrail" and
    event.provider: "s3.amazonaws.com" and
    event.action: "GetObject" and
    event.outcome: "success" and
    aws.cloudtrail.flattened.request_parameters.key: (
        */.aws/credentials or
        */.aws/config or
        */id_rsa or
        */id_ed25519 or
        */id_ecdsa or
        */id_dsa or
        */.env or
        */.env.* or
        *.ppk or
        *.pem or
        *.key or
        *private_key* or
        */.ssh/authorized_keys
    ) and
    not aws.cloudtrail.user_identity.type: "AWSService"
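To see how the clauses above combine, the following Python reimplements the rule query over a handful of constructed CloudTrail documents shaped the way Filebeat indexes them (nested ECS dicts). It is an added example, not Elastic's rule engine: KQL wildcards on a keyword field are approximated with `fnmatch`, and the bucket name, ARNs and object keys are made up. Beyond the single alert case, it also shows the two suppressions in the query, the `AWSService` exclusion and the requirement that a key such as `.env` sit under a directory prefix.

```python
"""Evaluate the 'AWS S3 Credential File Retrieved from Bucket' query over
constructed CloudTrail documents (added example, not Elastic's code)."""
import fnmatch
from typing import Any

# Wildcard patterns copied from the rule query. '*' matches any run of
# characters, '/' included, as a KQL wildcard does on a keyword field.
CREDENTIAL_KEY_PATTERNS = [
    "*/.aws/credentials", "*/.aws/config",
    "*/id_rsa", "*/id_ed25519", "*/id_ecdsa", "*/id_dsa",
    "*/.env", "*/.env.*",
    "*.ppk", "*.pem", "*.key",
    "*private_key*",
    "*/.ssh/authorized_keys",
]


def get_field(doc: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted ECS field name (e.g. event.outcome) through nested dicts."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def is_credential_key(key: str) -> bool:
    """True when the S3 object key matches any pattern in the rule."""
    return any(fnmatch.fnmatchcase(key, pat) for pat in CREDENTIAL_KEY_PATTERNS)


def rule_matches(doc: dict) -> bool:
    """Mirror the query clause by clause, including the AWSService exclusion."""
    if get_field(doc, "data_stream.dataset") != "aws.cloudtrail":
        return False
    if get_field(doc, "event.provider") != "s3.amazonaws.com":
        return False
    if get_field(doc, "event.action") != "GetObject":
        return False
    if get_field(doc, "event.outcome") != "success":
        return False
    key = get_field(doc, "aws.cloudtrail.flattened.request_parameters.key")
    if not isinstance(key, str) or not is_credential_key(key):
        return False
    # S3 replication, Glacier restore and similar AWS-internal reads carry
    # this identity type and are deliberately suppressed by the rule.
    if get_field(doc, "aws.cloudtrail.user_identity.type") == "AWSService":
        return False
    return True


def make_event(action: str, outcome: str, key: str,
               identity_type: str, arn: str) -> dict:
    """Build a minimal CloudTrail document (constructed sample data)."""
    return {
        "data_stream": {"dataset": "aws.cloudtrail"},
        "event": {"provider": "s3.amazonaws.com",
                  "action": action, "outcome": outcome},
        "aws": {"cloudtrail": {
            "flattened": {"request_parameters": {
                "bucketName": "example-bucket", "key": key}},
            "user_identity": {"type": identity_type, "arn": arn},
        }},
    }


# Constructed events; only the first two should alert.
SAMPLE_EVENTS = [
    make_event("GetObject", "success", "backups/home/deploy/.aws/credentials",
               "IAMUser", "arn:aws:iam::111122223333:user/alice"),
    make_event("GetObject", "success", "prod/.env.production",
               "AssumedRole", "arn:aws:sts::111122223333:assumed-role/ci/build"),
    make_event("GetObject", "success", "reports/q3.csv",
               "IAMUser", "arn:aws:iam::111122223333:user/alice"),  # not a secret
    make_event("GetObject", "success", "certs/server.pem",
               "AWSService", "replication.s3.amazonaws.com"),       # AWSService excluded
    make_event("GetObject", "failure", "keys/id_rsa",
               "IAMUser", "arn:aws:iam::111122223333:user/bob"),    # denied, not success
    make_event("PutObject", "success", "x/private_key.txt",
               "IAMUser", "arn:aws:iam::111122223333:user/bob"),    # a write, not a read
]


def alerting_keys(events: list) -> list:
    """Object keys of every document the rule would alert on."""
    return [get_field(e, "aws.cloudtrail.flattened.request_parameters.key")
            for e in events if rule_matches(e)]


if __name__ == "__main__":
    for k in alerting_keys(SAMPLE_EVENTS):
        print("ALERT:", k)
```

Note that patterns of the form `*/.env` need a `/` before the file name, so an object stored at the bucket root as `.env` does not match, whereas `*.pem` and `*.key` match at any depth. That asymmetry is worth knowing when judging coverage of a bucket that keeps secrets at its top level.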

Framework: MITRE ATT&CK™