PutBucketPolicy
AWS
PutBucketPolicy
Event
Applies or replaces the resource-based policy on an S3 bucket, defining who can access it and how.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Exfiltration through cloud services allows adversaries to extract data using legitimate APIs that may not trigger network-based alerts.
Log Source
CloudTrail
Sample Event
Adversarial — exfiltration / persistence. Draco applies a permissive bucket policy to fantasticlogs-niffler-archive allowing the adversary-controlled external account 555666661337 to s3:GetObject and s3:ListBucket on the entire bucket. This bypasses any IAM-based access controls in the prod account — a third-party with the bucket name now has read access without needing any identity in 555123456789. T1685 + T1530.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T21:42:08Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T23:39:21Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.66", "userAgent": "[aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6]", "requestParameters": { "bucketName": "fantasticlogs-niffler-archive", "Host": "fantasticlogs-niffler-archive.s3.us-west-2.amazonaws.com", "policy": [ "" ], "bucketPolicy": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowExternalReadAccess", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::555666661337:root" }, "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::fantasticlogs-niffler-archive", "arn:aws:s3:::fantasticlogs-niffler-archive/*" ] } ] } }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000101100100", "eventID": "90000000-0000-4000-8000-000101100101", "readOnly": false, "resources": [ { "accountId": "555123456789", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::fantasticlogs-niffler-archive" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "fantasticlogs-niffler-archive.s3.us-west-2.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment Exfiltration Collection
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.