PutBucketAcl
AWS
PutBucketAcl
Event
Sets the Access Control List (ACL) for an S3 bucket, controlling access for specific AWS accounts or predefined groups.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Exfiltration through cloud services allows adversaries to extract data using legitimate APIs that may not trigger network-based alerts.
Log Source
CloudTrail
Sample Event
Adversarial — exfiltration / defense impairment. Draco applies the public-read canned ACL to the NIFFLER archive bucket (fantasticlogs-niffler-archive), making every object readable by anonymous principals. Combined with the PutBucketPublicAccessBlock he removed earlier (see that draft), this exposes the full PII partition to the public internet. T1685 + T1530.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T21:42:08Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T23:18:42Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.66", "userAgent": "[aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6]", "requestParameters": { "bucketName": "fantasticlogs-niffler-archive", "Host": "fantasticlogs-niffler-archive.s3.us-west-2.amazonaws.com", "x-amz-acl": [ "public-read" ], "acl": [ "" ] }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000101011110", "eventID": "90000000-0000-4000-8000-000101011111", "readOnly": false, "resources": [ { "accountId": "555123456789", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::fantasticlogs-niffler-archive" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "fantasticlogs-niffler-archive.s3.us-west-2.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment Exfiltration Collection
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.