Description

Unlike in the past, the role has an increased activity in accessing s3 bucket. Furthermore it was found that the role changed the s3 bucket's policy to public access. This is an anomaly in this role's behavior and might indicate on an exfiltration attempt. An attacker might create a public bucket to share confidential information outside the environment. The s3 bucket mentioned contains PII.

• 

  Recommended Mitigation

  It is recommended to review relevant CloudTrail event and principal that issued this API call to determine if this is a legit activity.