Suspicious activity

Anomaly detection: Role increased activity in accessing public s3 bucket with PII

Risk Level

Imminent Compromised (2)

Platform(s)

Description

Compared with its past behavior, the role has increased its activity in accessing the S3 bucket. Furthermore, it was found that the role changed the S3 bucket's policy to allow public access. This is an anomaly in the role's behavior and might indicate an exfiltration attempt. An attacker might create a public bucket to share confidential information outside the environment. The S3 bucket in question contains PII.

Recommended Mitigation

It is recommended to review the relevant CloudTrail event and the principal that issued this API call to determine whether this is legitimate activity.
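
The review described above can be scripted over exported CloudTrail records. The following is an added example, not the product's own detection logic: it correlates a role's `GetObject` volume against a baseline with a `PutBucketPolicy` call that grants a wildcard principal. The role ARN, bucket names, baseline counts, the `factor` threshold and the assumption that `requestParameters.bucketPolicy` arrives as a parsed object are all constructed for illustration, and `GetObject` records exist only if S3 data events are logged.

```python
from collections import Counter

def role_arn(event):
    """ARN of the role behind an AssumedRole session, or None for other principals."""
    ident = event.get("userIdentity") or {}
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")

def allows_public(policy):
    """True if any Allow statement names a wildcard principal (Condition keys are ignored,
    so a conditioned grant is still surfaced for human review)."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for s in stmts:
        p = s.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        if s.get("Effect") == "Allow" and (aws == "*" or (isinstance(aws, list) and "*" in aws)):
            return True
    return False

def find_anomalies(events, baseline, factor=3):
    """Return (role, bucket, reads, baseline_reads) where the role both made the bucket
    public and read it more than `factor` times its baseline count."""
    reads, made_public = Counter(), set()
    for e in events:
        role, params = role_arn(e), e.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if not role or not bucket or e.get("eventSource") != "s3.amazonaws.com":
            continue
        if e.get("eventName") == "GetObject":
            reads[(role, bucket)] += 1
        elif e.get("eventName") == "PutBucketPolicy" and allows_public(params.get("bucketPolicy") or {}):
            made_public.add((role, bucket))
    return sorted((r, b, reads[(r, b)], baseline.get((r, b), 0)) for r, b in made_public
                  if reads[(r, b)] > factor * max(baseline.get((r, b), 0), 1))

# Constructed sample records (hypothetical role and buckets), trimmed to the fields used.
ROLE = "arn:aws:iam::111122223333:role/example-etl"
def evt(name, bucket, role=ROLE, **params):
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": role}}},
            "requestParameters": {"bucketName": bucket, **params}}
PUBLIC = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}
SAMPLE = ([evt("GetObject", "example-pii-bucket", key=f"rec{i}.csv") for i in range(40)]
          + [evt("PutBucketPolicy", "example-pii-bucket", bucketPolicy=PUBLIC)]
          + [evt("GetObject", "example-logs") for _ in range(5)])
BASELINE = {(ROLE, "example-pii-bucket"): 4, (ROLE, "example-logs"): 5}

if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE, BASELINE):
        print(hit)
```

Each returned tuple names the role and bucket to look up in CloudTrail, together with the observed and baseline read counts.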