PutBucketPublicAccessBlock
AWS
PutBucketPublicAccessBlock
Event
Modifies S3 bucket public access block settings, potentially disabling protections to allow public data exposure.
Security Context
- Disabling public access block settings removes the guardrails that prevent S3 buckets from being made public, enabling data exposure through subsequent ACL or policy changes.
- This is a prerequisite step in many data exfiltration chains — adversaries first remove the public access block, then modify bucket policies or ACLs to expose sensitive data.
Log Source
CloudTrail
Sample Event
Adversarial — defense impairment (precursor). Draco disables the S3 block-public-access guardrails on fantasticlogs-niffler-archive by setting all four booleans to false. Without this, the subsequent PutBucketAcl (public-read) and PutBucketPolicy (allow external account) calls would have been blocked at the S3 layer regardless of bucket-level policy. This is the prerequisite step in many S3 exposure chains. T1685.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T21:42:08Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T23:15:33Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.66", "userAgent": "[aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6]", "requestParameters": { "bucketName": "fantasticlogs-niffler-archive", "Host": "fantasticlogs-niffler-archive.s3.us-west-2.amazonaws.com", "publicAccessBlock": [ "" ], "PublicAccessBlockConfiguration": { "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/", "BlockPublicAcls": false, "IgnorePublicAcls": false, "BlockPublicPolicy": false, "RestrictPublicBuckets": false } }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000101100110", "eventID": "90000000-0000-4000-8000-000101100111", "readOnly": false, "resources": [ { "accountId": "555123456789", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::fantasticlogs-niffler-archive" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "fantasticlogs-niffler-archive.s3.us-west-2.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...