
AWS S3 Bucket Policy Updates

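This query lists every successful PutBucketPolicy call recorded in the CloudTrail S3 events, that is, every S3 bucket whose policy has been modified. For each change it returns the timestamp, the bucket name and the ARN of the identity that made it. The ?BucketName and ?AwsAccount parameters restrict the results to specific buckets or AWS accounts.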

Cloud, monitoring
FDR, intermediate, by ByteRay GmbH (cql-hub.com)

Query

#Vendor="aws" #event.dataset="cloudtrail.s3" #repo!="xdr*"
| #event.kind="event" #event.outcome="success"
| event.action="PutBucketPolicy"
| cloud.Storage.bucket_name =~ in(values=[?BucketName])
| cloud.account.id =~ in(values=[?AwsAccount])
| UserARN := getField("Vendor.userIdentity.arn")
| BucketName := getField("cloud.Storage.bucket_name")
| select(["@timestamp","BucketName", "UserARN"])

Explanation

Imported from cql-hub.com. Add an explanation of the pipes here.

Variables to adjust

Review and adjust the values to match your environment.