Detects AWS S3 data exfiltration attempts by analyzing CloudTrail S3 data events, VPC Flow Logs, GuardDuty findings, Macie alerts, and access patterns for unauthorized bulk downloads and cross-account transfers.
npx claudepluginhub killvxk/cybersecurity-skills-zh
- When GuardDuty detects an anomalous S3 access pattern (such as bulk downloads from an unusual IP)
Not for: preventing data exfiltration (use S3 bucket policies, VPC endpoints and SCPs), data classification (use Amazon Macie discovery jobs), or network-level exfiltration detection (use VPC Flow Logs with network analysis tooling).
GetObject, PutObject, CopyObject) Configure CloudTrail to capture all S3 object-level operations for forensic analysis.
```bash
# Enable S3 data events on the existing trail
aws cloudtrail put-event-selectors \
  --trail-name management-trail \
  --event-selectors '[{
    "ReadWriteType": "All",
    "IncludeManagementEvents": true,
    "DataResources": [{
      "Type": "AWS::S3::Object",
      "Values": ["arn:aws:s3:::sensitive-data-bucket/", "arn:aws:s3:::customer-records/"]
    }]
  }]'

# Verify the data-event configuration
aws cloudtrail get-event-selectors --trail-name management-trail \
  --query 'EventSelectors[*].DataResources' --output json

# Enable GuardDuty S3 Protection on the account's detector
aws guardduty update-detector \
  --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
  --data-sources '{"S3Logs":{"Enable":true}}'
```
Analyze CloudTrail logs to identify bulk download activity, unusual access times and unfamiliar source IPs.
```bash
# Athena query: S3 principals ranked by download volume over the last 24 hours.
# In the standard CloudTrail table eventtime is a string, so it is parsed before
# comparison, and bytesTransferredOut lives in additionalEventData, not requestParameters.
cat << 'EOF' > s3_top_downloaders.sql
SELECT
  useridentity.arn AS principal,
  sourceipaddress,
  COUNT(*) AS request_count,
  SUM(CAST(json_extract_scalar(additionaleventdata, '$.bytesTransferredOut') AS bigint)) AS bytes_downloaded
FROM cloudtrail_logs
WHERE eventname = 'GetObject'
  AND eventsource = 's3.amazonaws.com'
  AND from_iso8601_timestamp(eventtime) > date_add('hour', -24, now())
GROUP BY useridentity.arn, sourceipaddress
ORDER BY request_count DESC
LIMIT 50
EOF

# CloudWatch Logs Insights: S3 GetObject requests by source IP, to surface unusual IPs
aws logs start-query \
  --log-group-name cloudtrail-logs \
  --start-time $(date -d "24 hours ago" +%s) \
  --end-time $(date +%s) \
  --query-string '
fields @timestamp, userIdentity.arn, sourceIPAddress, requestParameters.bucketName, requestParameters.key
| filter eventName = "GetObject"
| stats count() as requestCount by sourceIPAddress, userIdentity.arn
| sort requestCount desc
| limit 25
'

# Detect cross-account copies (potential exfiltration);
# replace OUR_ACCOUNT_ID with your own 12-digit account ID
aws logs start-query \
  --log-group-name cloudtrail-logs \
  --start-time $(date -d "7 days ago" +%s) \
  --end-time $(date +%s) \
  --query-string '
fields @timestamp, userIdentity.arn, sourceIPAddress, requestParameters.bucketName
| filter eventName in ["CopyObject", "ReplicateObject", "UploadPart"]
| filter userIdentity.accountId != "OUR_ACCOUNT_ID"
| sort @timestamp desc
| limit 100
'
```
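As an added example that is not part of the original skill, the same three checks the Athena and Logs Insights queries above perform, applied offline in Python to a handful of constructed CloudTrail S3 data-event records: GetObject volume per principal and source IP (with bytes out taken from additionalEventData), how many of those requests fell in off-hours, and copy/upload calls issued from a foreign account. The account ID, the bulk threshold and the off-hours window are assumptions chosen so the sample trips the checks.

```python
import json
from collections import defaultdict
from datetime import datetime
OWN_ACCOUNT = "123456789012"  # assumption: the account under investigation
BULK_THRESHOLD = 3            # assumption: lowered so the constructed sample trips it
OFF_HOURS_UTC = range(0, 6)   # assumption: 00:00-05:59 UTC is outside working hours
JANE = "arn:aws:iam::123456789012:user/developer-jane"
EXT = "arn:aws:iam::999999999999:user/outside-party"  # constructed foreign principal


def _rec(time, name, arn, acct, ip, bucket, out=0):
    """Constructed CloudTrail S3 data-event record (sample data, not a real log)."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn, "accountId": acct}, "sourceIPAddress": ip,
            "requestParameters": {"bucketName": bucket},
            "additionalEventData": {"bytesTransferredOut": out}}

# NDJSON, the shape CloudTrail delivers to S3/Athena and to CloudWatch Logs.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("2026-02-23T02:47:10Z", "GetObject", JANE, OWN_ACCOUNT, "185.0.0.1", "sensitive-data-bucket", 1048576),
    _rec("2026-02-23T02:48:02Z", "GetObject", JANE, OWN_ACCOUNT, "185.0.0.1", "sensitive-data-bucket", 2097152),
    _rec("2026-02-23T02:49:30Z", "GetObject", JANE, OWN_ACCOUNT, "185.0.0.1", "customer-records", 1048576),
    _rec("2026-02-23T14:05:00Z", "GetObject", JANE, OWN_ACCOUNT, "10.0.1.5", "build-artifacts", 4096),
    _rec("2026-02-23T11:30:00Z", "CopyObject", EXT, "999999999999", "203.0.113.9", "customer-records"),
])


def parse_records(ndjson_text):
    """Yield S3 data events only; blank lines and non-S3 events are skipped."""
    for line in ndjson_text.splitlines():
        if line.strip() and (rec := json.loads(line)).get("eventSource") == "s3.amazonaws.com":
            yield rec


def bulk_downloaders(ndjson_text, threshold=BULK_THRESHOLD):
    """GetObject per (principal, source IP): count, bytes out, off-hours requests; keep count >= threshold."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0, "off_hours": 0})
    for rec in parse_records(ndjson_text):
        if rec["eventName"] != "GetObject":
            continue
        s = stats[(rec["userIdentity"]["arn"], rec["sourceIPAddress"])]
        s["count"] += 1
        s["bytes"] += rec.get("additionalEventData", {}).get("bytesTransferredOut", 0)
        s["off_hours"] += datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour in OFF_HOURS_UTC
    return {k: v for k, v in stats.items() if v["count"] >= threshold}


def cross_account_writes(ndjson_text, own_account=OWN_ACCOUNT):
    """CopyObject/ReplicateObject/UploadPart issued by a principal outside our account."""
    return [(r["userIdentity"]["arn"], r["requestParameters"]["bucketName"])
            for r in parse_records(ndjson_text)
            if r["eventName"] in ("CopyObject", "ReplicateObject", "UploadPart")
            and r["userIdentity"]["accountId"] != own_account]
```

Grouping by source IP as well as principal is what separates the developer's normal daytime request from the same key's 3 a.m. burst from a foreign address.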
Check the GuardDuty S3-specific finding types that indicate exfiltration activity.
```bash
# List active findings related to S3 data exfiltration
aws guardduty list-findings \
  --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
  --finding-criteria '{
    "Criterion": {
      "type": {
        "Eq": [
          "Exfiltration:S3/MaliciousIPCaller",
          "Exfiltration:S3/ObjectRead.Unusual",
          "Discovery:S3/MaliciousIPCaller.Custom",
          "Discovery:S3/BucketEnumeration.Unusual",
          "UnauthorizedAccess:S3/MaliciousIPCaller.Custom",
          "UnauthorizedAccess:S3/TorIPCaller",
          "Impact:S3/AnomalousBehavior.Delete"
        ]
      }
    }
  }' --output json

# Get finding details (replace FINDING_IDS with the IDs returned above)
aws guardduty get-findings \
  --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
  --finding-ids FINDING_IDS \
  --query 'Findings[*].{Type:Type,Severity:Severity,Resource:Resource.S3BucketDetails[0].Name,Action:Service.Action}' \
  --output table
```
Review Macie findings to correlate data sensitivity with the access anomalies.
```bash
# List Macie findings about sensitive-data exposure
aws macie2 list-findings \
  --finding-criteria '{
    "criterion": {
      "category": {"eq": ["CLASSIFICATION"]},
      "severity.description": {"eq": ["High", "Critical"]}
    }
  }' \
  --sort-criteria '{"attributeName": "updatedAt", "orderBy": "DESC"}' \
  --max-results 25

# Get finding details including the data classification (replace FINDING_IDS)
aws macie2 get-findings \
  --finding-ids FINDING_IDS \
  --query 'findings[*].{Type:type,Severity:severity.description,Bucket:resourcesAffected.s3Bucket.name,SensitiveDataTypes:classificationDetails.result.sensitiveData[*].category}' \
  --output table

# Run a sensitive-data discovery job against the affected bucket (replace ACCOUNT_ID)
aws macie2 create-classification-job \
  --job-type ONE_TIME \
  --name "exfiltration-investigation" \
  --s3-job-definition '{
    "bucketDefinitions": [{
      "accountId": "ACCOUNT_ID",
      "buckets": ["sensitive-data-bucket"]
    }]
  }'
```
Create CloudWatch alarms and EventBridge rules for real-time exfiltration detection.
```bash
# CloudWatch metric filter counting every S3 GetObject in the CloudTrail log group
aws logs put-metric-filter \
  --log-group-name cloudtrail-logs \
  --filter-name s3-bulk-download \
  --filter-pattern '{$.eventName = "GetObject" && $.eventSource = "s3.amazonaws.com"}' \
  --metric-transformations '[{
    "metricName": "S3GetObjectCount",
    "metricNamespace": "SecurityMetrics",
    "metricValue": "1",
    "defaultValue": 0
  }]'

# Alarm on anomalous download volume (more than 1000 objects per hour);
# replace ACCOUNT with your account ID and adjust the region of the SNS topic
aws cloudwatch put-metric-alarm \
  --alarm-name s3-exfiltration-alert \
  --metric-name S3GetObjectCount \
  --namespace SecurityMetrics \
  --statistic Sum \
  --period 3600 \
  --threshold 1000 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 1 \
  --alarm-actions arn:aws:sns:us-east-1:ACCOUNT:security-alerts

# EventBridge rule for GuardDuty S3 exfiltration findings; the rule delivers nothing
# until a target (for example the SNS topic above) is attached with aws events put-targets
aws events put-rule \
  --name guardduty-s3-exfiltration \
  --event-pattern '{
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
      "type": [{"prefix": "Exfiltration:S3/"}]
    }
  }'
```
Deploy bucket policies and VPC endpoint policies to restrict the paths through which data can move.
```bash
# VPC endpoint policy restricting S3 access to specific buckets (replace vpce-ENDPOINT_ID)
aws ec2 modify-vpc-endpoint \
  --vpc-endpoint-id vpce-ENDPOINT_ID \
  --policy-document '{
    "Statement": [{
      "Sid": "RestrictToOwnBuckets",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::approved-bucket-1/*", "arn:aws:s3:::approved-bucket-2/*"]
    }]
  }'

# Bucket policy denying GetObject from outside the VPC endpoint. This also blocks
# console and CLI reads from outside the VPC, so confirm break-glass access first.
aws s3api put-bucket-policy --bucket sensitive-data-bucket --policy '{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyNonVpcAccess",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::sensitive-data-bucket/*",
    "Condition": {
      "StringNotEquals": {
        "aws:sourceVpce": "vpce-ENDPOINT_ID"
      }
    }
  }]
}'
```
| Term | Definition |
|---|---|
| S3 Data Events | CloudTrail object-level logging that captures GetObject, PutObject, DeleteObject and CopyObject API calls together with their request details |
| GuardDuty S3 Protection | Threat-detection feature that analyzes CloudTrail S3 data events to identify anomalous access patterns and exfiltration attempts |
| Amazon Macie | Data security service that discovers and classifies sensitive data in S3 and generates findings for data-exposure risk |
| VPC Endpoint Policy | Access-control policy on an S3 VPC endpoint that restricts which buckets and actions can be reached through the endpoint |
| Data Exfiltration | Unauthorized transfer of data from the organization's S3 storage to an external, attacker-controlled location |
| Anomalous Behavior Detection | Machine-learning-based identification of deviations from an established baseline in a principal's S3 access patterns |
Scenario: GuardDuty reports an Exfiltration:S3/ObjectRead.Unusual finding showing that a developer's access key downloaded thousands of objects from a sensitive-data bucket from an overseas IP address at 3 a.m.
Approach:
Common pitfalls: CloudTrail S3 data events can produce enormous log volumes; for queries spanning more than 24 hours, use Athena over partitioned tables rather than CloudWatch Logs Insights. GuardDuty needs 7-14 days to learn its baseline, so normal access patterns in a new account can trigger false positives.
```text
S3 Data Exfiltration Investigation Report
============================================
Account: 123456789012
Detection source: GuardDuty Exfiltration:S3/ObjectRead.Unusual
Investigation date: 2026-02-23

Timeline:
  2026-02-23 02:47 UTC - First anomalous GetObject request from 185.x.x.x
  2026-02-23 02:47-04:12 UTC - 12,847 GetObject requests
  2026-02-23 04:15 UTC - GuardDuty finding generated
  2026-02-23 04:20 UTC - PagerDuty alert sent to the SOC
  2026-02-23 04:25 UTC - Access key deactivated

Compromised principal:
  ARN: arn:aws:iam::123456789012:user/developer-jane
  Access key: AKIA...WXYZ
  Source IP: 185.x.x.x (Tor exit node)

Data impact assessment:
  Buckets accessed: 3
  Objects downloaded: 12,847
  Total volume: 4.7 GB
  Sensitive data types: PII (SSN, email), financial data (credit card numbers)
  Macie severity: Critical

Containment actions:
  [x] Access key deactivated
  [x] User password reset, MFA re-enrolled
  [x] VPC endpoint policy applied to sensitive buckets
  [x] Bucket policy restricted to VPC-only access
  [x] TruffleHog scan launched against the developer's repositories
```