detecting-s3-data-exfiltration-attempts

# Detecting S3 Data Exfiltration Attempts ## When to Use - When GuardDuty detects anomalous S3 access patterns such as bulk downloads from unusual IPs - When investigating suspected data breach involving S3-stored sensitive data - When building detection rules for S3 data loss prevention monitoring - When responding to Macie alerts about sensitive data being accessed or moved - When compliance requires monitoring and logging of all access to classified data stores **Do not use** for preventing data exfiltration (use S3 bucket policies, VPC endpoints, and SCPs), for data classification (use Amazon Macie discovery jobs), or for network-level exfiltration detection (use VPC Flow Logs with network analysis tools). ## Prerequisites - CloudTrail configured with S3 data event logging (`GetObject`, `PutObject`, `CopyObject`) - GuardDuty enabled with S3 Protection feature activated - Amazon Macie enabled for sensitive data discovery in target buckets - CloudWatch Logs or Athena for querying CloudTrail logs at scale - VPC endpoint policies configured for S3 access monitoring ## Workflow ### Step 1: Enable S3 Data Event Logging in CloudTrail Configure CloudTrail to capture all S3 object-level operations for forensic analysis. ```bash # Enable S3 data events on an existing trail aws cloudtrail put-event-selectors \ --trail-name management-trail \ --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{ "Type": "AWS:...