High Severity Issue in AWS Security Hub #6671

sukeshreddyg · 2024-04-02T15:23:39Z

Expected Behavior

The expected behavior would be for IAM entities to interact with S3 using standard, approved methods without triggering any unusual behavior alerts in AWS Security Hub or GuardDuty.

Actual Behavior

IAM entities are invoking S3 API calls in an unusual manner, triggering alerts related to Exfiltration:S3/AnomalousBehavior in AWS Security Hub. This behavior is specifically related to the bastion module interaction with S3 in the pra-register-production environment.

https://mojdt.slack.com/archives/C01A7QK5VM1/p1711550490256409

Steps to Reproduce the Problem

No response

Version

No response

Modules

Bastion Module

Account

pra-register-production

The text was updated successfully, but these errors were encountered:

SimonPPledger · 2024-04-11T09:22:58Z

Sukesh to talk to App team - and suggest it is monitored

sukeshreddyg · 2024-05-22T15:01:26Z

Discussed this with the user. If they encounter something like this in the future, I asked them to inform us or raise the issue in the ask channel.

sukeshreddyg added bug Something isn't working needs refining security labels Apr 2, 2024

SimonPPledger assigned SimonPPledger and sukeshreddyg May 7, 2024

sukeshreddyg closed this as completed May 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

High Severity Issue in AWS Security Hub #6671

High Severity Issue in AWS Security Hub #6671

sukeshreddyg commented Apr 2, 2024

SimonPPledger commented Apr 11, 2024

sukeshreddyg commented May 22, 2024

High Severity Issue in AWS Security Hub #6671

High Severity Issue in AWS Security Hub #6671

Comments

sukeshreddyg commented Apr 2, 2024

Expected Behavior

Actual Behavior

Steps to Reproduce the Problem

Version

Modules

Account

SimonPPledger commented Apr 11, 2024

sukeshreddyg commented May 22, 2024