PutBucketPublicAccessBlock
Event
Modifies S3 bucket public access block settings, potentially disabling protections to allow public data exposure.
Security Context
- Disabling public access block settings removes the guardrails that prevent S3 buckets from being made public, enabling data exposure through subsequent ACL or policy changes.
- This is a prerequisite step in many data exfiltration chains — adversaries first remove the public access block, then modify bucket policies or ACLs to expose sensitive data.
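The check implied by the points above, as an added example (not part of the original page): flag successful PutBucketPublicAccessBlock calls that leave any of the four guardrails off. The `requestParameters` layout used here (`bucketName`, `PublicAccessBlockConfiguration` and its four flags) is an assumption about the CloudTrail record, and the helper `make_event` and all sample records are constructed.

```python
# Added example: flag CloudTrail PutBucketPublicAccessBlock calls that leave a guardrail off.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def disabled_flags(event):
    """Return the Block Public Access flags a successful call leaves disabled."""
    if (event.get("eventSource") != "s3.amazonaws.com"
            or event.get("eventName") != "PutBucketPublicAccessBlock"
            or event.get("errorCode")):  # failed or denied calls change nothing
        return []
    params = event.get("requestParameters") or {}
    config = params.get("PublicAccessBlockConfiguration") or {}
    # Assumption: a flag absent from the request is treated as disabled;
    # values are accepted as JSON booleans or "true"/"false" strings.
    return [f for f in PAB_FLAGS if str(config.get(f, False)).lower() != "true"]

def scan(events):
    """Return one alert dict per event that weakens the public access block."""
    alerts = []
    for ev in events:
        flags = disabled_flags(ev)
        if flags:
            alerts.append({
                "bucket": (ev.get("requestParameters") or {}).get("bucketName"),
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "source_ip": ev.get("sourceIPAddress"),
                "disabled": flags,
            })
    return alerts

def make_event(config, error=None, name="PutBucketPublicAccessBlock"):
    """Build a constructed (not real) CloudTrail record for the demo."""
    ev = {"eventSource": "s3.amazonaws.com", "eventName": name,
          "sourceIPAddress": "198.51.100.7",
          "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
          "requestParameters": {"bucketName": "example-bucket",
                                "PublicAccessBlockConfiguration": config}}
    if error:
        ev["errorCode"] = error
    return ev

ALL_ON = dict.fromkeys(PAB_FLAGS, True)
SAMPLE_EVENTS = [  # constructed sample data
    make_event(ALL_ON),                                   # protective: no alert
    make_event(dict.fromkeys(PAB_FLAGS, False)),          # everything disabled
    make_event({**ALL_ON, "BlockPublicPolicy": False}),   # one guardrail removed
    make_event(dict.fromkeys(PAB_FLAGS, False), error="AccessDenied"),  # blocked attempt
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Alerts from this check are most useful when correlated with later bucket policy or ACL changes on the same bucket, the follow-on step the second point describes.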
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Defense Evasion
Techniques:
- T1562 — Impair Defenses — Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify...