This event detects the creation of a new AWS S3 bucket.
Why this Event is Important
Creating an S3 bucket is one of the ways an attacker can gain a foothold in a user's AWS environment. If an attacker is able to create a bucket, it is possible for the attacker to inject malicious files into the environment. One such scenario arises when S3 buckets are created to meet a storage requirement and are bound to a particular domain. Sometimes these buckets, or the DNS records pointing at them, are not cleaned up after they have served their purpose, which may escalate to a complete takeover of the host's subdomain.
Look for logs when an S3 bucket is created. Developers or IT engineers should scrutinize their organization's DNS records every time an S3 bucket is terminated. This ensures there are no DNS/CNAME entries that point to non-existent S3 buckets, which could otherwise be exploited.
Ensure that only administrators or users with the required privileges are able to create S3 buckets.
Audit the S3 buckets that have been created.
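The two checks recommended above, as an added example that is not part of the original event description or of any vendor's rule set: flagging CloudTrail CreateBucket calls by principals outside an allow-list, and finding CNAME records that still point at S3 endpoints whose bucket no longer exists. The allow-list ARN, the CloudTrail records, the zone export and the bucket inventory are all constructed for the example.

```python
"""Added example: detection checks for the "S3 bucket created" event, run over
constructed CloudTrail records and a constructed DNS zone export."""
import re

# Principals allowed to create buckets in this account (hypothetical).
ALLOWED_CREATORS = {"arn:aws:iam::111122223333:role/StorageAdmin"}

# Matches S3 endpoint hostnames such as bucket.s3.amazonaws.com,
# bucket.s3.us-east-1.amazonaws.com, bucket.s3-website-us-east-1.amazonaws.com
S3_TARGET = re.compile(
    r"(?P<bucket>[a-z0-9.-]+?)\.s3(?:[.-][a-z0-9.-]+?)?\.amazonaws\.com\.?")

def flag_bucket_creations(records, allowed=ALLOWED_CREATORS):
    """Return (bucket, principal, region) for every CloudTrail CreateBucket
    call made by a principal outside the allow-list."""
    hits = []
    for r in records:
        if (r.get("eventSource"), r.get("eventName")) != ("s3.amazonaws.com", "CreateBucket"):
            continue
        actor = r.get("userIdentity", {}).get("arn", "<unknown>")
        if actor not in allowed:
            hits.append((r["requestParameters"]["bucketName"], actor, r.get("awsRegion")))
    return hits

def dangling_s3_cnames(zone_records, existing_buckets):
    """Return (name, target, bucket) for CNAMEs pointing at an S3 endpoint
    whose bucket no longer exists in the account."""
    out = []
    for name, rtype, target in zone_records:
        m = S3_TARGET.fullmatch(target.lower()) if rtype == "CNAME" else None
        if m and m.group("bucket") not in existing_buckets:
            out.append((name, target, m.group("bucket")))
    return out

# Constructed CloudTrail records: one allowed creation, one by a developer user.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "awsRegion": "us-east-1",
     "requestParameters": {"bucketName": "corp-logs-2024"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/StorageAdmin"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "awsRegion": "eu-west-1",
     "requestParameters": {"bucketName": "assets.example.com"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]
# Constructed zone export (name, type, target); the bucket behind assets.example.com was deleted.
SAMPLE_ZONE = [
    ("www.example.com", "CNAME", "corp-site.s3-website-us-east-1.amazonaws.com"),
    ("assets.example.com", "CNAME", "assets.example.com.s3-website.eu-west-1.amazonaws.com"),
    ("mail.example.com", "MX", "mail.protection.example.net"),
]
EXISTING_BUCKETS = {"corp-logs-2024", "corp-site"}
```

Run both checks together: a dangling CNAME plus a CreateBucket for the same name by an unexpected principal is exactly the sequence the event description warns about.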