Skip to content

PutBucketPublicAccessBlock

AWS

PutBucketPublicAccessBlock

service: AWS - S3
techniques:

Event

Modifies S3 bucket public access block settings, potentially disabling protections to allow public data exposure.

Security Context

  • Disabling public access block settings removes the guardrails that prevent S3 buckets from being made public, enabling data exposure through subsequent ACL or policy changes.
  • This is a prerequisite step in many data exfiltration chains — adversaries first remove the public access block, then modify bucket policies or ACLs to expose sensitive data.

Log Source

CloudTrail

Sample Event

Adversarial — defense impairment (precursor). Draco disables the S3 block-public-access guardrails on fantasticlogs-niffler-archive by setting all four booleans to false. Without this, the subsequent PutBucketAcl (public-read) and PutBucketPolicy (allow external account) calls would have been blocked at the S3 layer regardless of bucket-level policy. This is the prerequisite step in many S3 exposure chains. T1685.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T21:42:08Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T23:15:33Z",
"eventSource": "s3.amazonaws.com",
"eventName": "PutBucketPublicAccessBlock",
"awsRegion": "us-west-2",
"sourceIPAddress": "203.0.113.66",
"userAgent": "[aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6]",
"requestParameters": {
"bucketName": "fantasticlogs-niffler-archive",
"Host": "fantasticlogs-niffler-archive.s3.us-west-2.amazonaws.com",
"publicAccessBlock": [
""
],
"PublicAccessBlockConfiguration": {
"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
"BlockPublicAcls": false,
"IgnorePublicAcls": false,
"BlockPublicPolicy": false,
"RestrictPublicBuckets": false
}
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000101100110",
"eventID": "90000000-0000-4000-8000-000101100111",
"readOnly": false,
"resources": [
{
"accountId": "555123456789",
"type": "AWS::S3::Bucket",
"ARN": "arn:aws:s3:::fantasticlogs-niffler-archive"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "fantasticlogs-niffler-archive.s3.us-west-2.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...