Suspicious activity

S3 bucket with PII changed to public access

Risk Level

Imminent Compromised (2)



Orca detected that S3 bucket with PII data has changed to public access. This action might indicate on an exfiltration attempt, since exposing S3 bucket with sensitive information is bad practice. An attacker might change the bucket's policy to public in order to share confidential information outside the environment.
  • Recommended Mitigation

    It is recommended to review relevant CloudTrail event and principal that issued this API call to determine if this is a legit activity. Furthermore, it is highly recommended not to expose S3 buckets containing sensitive information.