GuardDuty S3 Protection Finding Types
Threat detection for S3 buckets and data
AWS GuardDuty S3 Protection finding types detect threats against S3 buckets and data through CloudTrail S3 data events and management events, including discovery, exfiltration, policy modifications, and malicious access attempts.
Overview
S3 Protection monitors object-level S3 APIs and bucket configurations to detect discovery, exfiltration, policy modifications, and unauthorized access. It uses ML anomaly detection and threat intelligence to identify suspicious S3 activity patterns.
When Generated:
- S3 API calls from malicious IPs or Tor nodes
- Unusual S3 object reads for exfiltration (ML-detected)
- Unusual S3 object deletions (ML-detected)
- S3 bucket permissions modified unusually (ML-detected)
- S3 bucket made publicly accessible
- S3 block public access disabled
- S3 server access logging disabled
- S3 APIs from penetration testing tools
Security Relevance: High
Compliance:
Frequency Notes:
S3 findings vary widely - discovery/enumeration (50-200/hour), exfiltration attempts (10-50/hour), policy changes (5-20/day), public exposure events (1-10/day). Frequency scales with S3 API volume and data access patterns.
Resources
Documentation
- S3 Protection Finding Types (official)
- Remediating Compromised S3 Bucket (official)
Field Definitions
Complete field reference for this event type with data types, descriptions, and example values.
| Field Name | Type | Required | Format | Description | Example | Possible Values |
|---|---|---|---|---|---|---|
| detail.type | String | Required | — | S3 Protection finding type | Exfiltration:S3/ObjectRead.Unusual | — |
| detail.resource.s3BucketDetails | Array | Required | — | Details about S3 buckets involved in finding | [{name, arn, type, owner, tags, publicAccess}] | — |
| detail.service.action.awsApiCallAction.api | String | Required | — | S3 API operation invoked | GetObject | — |
| detail.severity | Integer | Required | — | Finding severity (2=Low, 5=Medium, 8=High) | 5 | — |
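
The following triage helper is an added example, not code from this page or from AWS: it flattens the four fields documented above into one record and tolerates findings where a field is missing. The sample event is constructed, the function names are hypothetical, and treating `:S3/` in `detail.type` as the marker for S3 Protection findings is an assumption based on the example type in the table.

```python
import json

# Severity labels as given in the field table (2=Low, 5=Medium, 8=High).
SEVERITY_LABELS = {2: "Low", 5: "Medium", 8: "High"}

# Constructed sample event: only the documented fields are populated,
# and the bucket name and ARN are placeholders.
SAMPLE_EVENT = json.dumps({
    "detail": {
        "type": "Exfiltration:S3/ObjectRead.Unusual",
        "severity": 5,
        "resource": {"s3BucketDetails": [
            {"name": "example-bucket", "arn": "arn:aws:s3:::example-bucket",
             "publicAccess": {}},
        ]},
        "service": {"action": {"awsApiCallAction": {"api": "GetObject"}}},
    }
})


def _dig(obj, *path):
    """Walk nested dicts; return None instead of raising on a missing key."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def summarize_finding(raw_event):
    """Hypothetical triage helper: flatten the documented fields of a finding."""
    detail = json.loads(raw_event).get("detail", {})
    finding_type = detail.get("type")
    if not finding_type or ":S3/" not in finding_type:
        return None  # not an S3 Protection finding; leave it to other handlers
    severity = detail.get("severity")
    buckets = _dig(detail, "resource", "s3BucketDetails") or []
    return {
        "type": finding_type,
        # Text before ':' is the threat purpose, e.g. "Exfiltration".
        "purpose": finding_type.split(":", 1)[0],
        "api": _dig(detail, "service", "action", "awsApiCallAction", "api"),
        "severity": severity,
        # Values outside the three documented ones are flagged, not guessed.
        "severity_label": SEVERITY_LABELS.get(severity, "Unmapped"),
        "buckets": [b.get("name") for b in buckets if isinstance(b, dict)],
    }
```

Severity values other than the three listed in the table are reported as `Unmapped` so that a router built on this record does not silently downgrade them.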