

Detecting S3 Data Exfiltration Attempts

When to Use

  • When GuardDuty detects anomalous S3 access patterns such as bulk downloads from unusual IPs
  • When investigating a suspected data breach involving sensitive data stored in S3
  • When building detection rules for S3 data loss prevention monitoring
  • When responding to Macie alerts about sensitive data being accessed or moved
  • When compliance requires monitoring and logging of all access to classified data stores

Do not use for preventing data exfiltration (use S3 bucket policies, VPC endpoints, and SCPs), for data classification (use Amazon Macie discovery jobs), or for network-level exfiltration detection (use VPC Flow Logs with network analysis tools).

Prerequisites

  • CloudTrail configured with S3 data event logging (GetObject, PutObject, CopyObject)
  • GuardDuty enabled with S3 Protection feature activated
  • Amazon Macie enabled for sensitive data discovery in target buckets
  • CloudWatch Logs or Athena for querying CloudTrail logs at scale
  • VPC endpoint policies configured for S3 access monitoring
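
As an added illustration of the detection-rule use case above (example code written for this page, not part of the skill or of any AWS tooling), the rule below counts CloudTrail S3 GetObject data events per principal, source IP and bucket, ignores sources inside an assumed workload CIDR, and alerts once a source outside it reaches a volume threshold. The trail records, role ARN, CIDR and threshold are constructed sample values.

```python
import ipaddress
import json
from collections import defaultdict

EXPECTED_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed workload VPC range
BULK_THRESHOLD = 5  # GetObject calls per (principal, source IP, bucket) before alerting


def _record(event_name, ip, arn, bucket, key):
    """Trimmed CloudTrail S3 data-event record with only the fields the rule reads."""
    return {"eventSource": "s3.amazonaws.com", "eventName": event_name,
            "sourceIPAddress": ip, "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, "key": key}}


ROLE = "arn:aws:iam::123456789012:role/app-role"  # constructed principal
# Constructed trail: six reads from a TEST-NET-2 address, eight in-VPC reads,
# two reads below threshold from another outside address, one write to ignore.
SAMPLE_TRAIL = json.dumps({"Records":
    [_record("GetObject", "198.51.100.7", ROLE, "hr-records", f"emp{i}.csv") for i in range(6)]
    + [_record("GetObject", "10.0.1.15", ROLE, "hr-records", f"emp{i}.csv") for i in range(8)]
    + [_record("GetObject", "203.0.113.9", ROLE, "hr-records", "readme.txt")] * 2
    + [_record("PutObject", "198.51.100.7", ROLE, "hr-records", "upload.bin")]})


def is_expected_source(source_ip):
    """True for addresses inside EXPECTED_CIDRS; AWS service principals log a
    service hostname rather than an IP, so those are not flagged either."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return any(addr in net for net in EXPECTED_CIDRS)


def detect_bulk_downloads(raw_trail_json, threshold=BULK_THRESHOLD):
    """Map (principal ARN, source IP, bucket) -> GetObject count for every
    unexpected source that reached the threshold."""
    counts = defaultdict(int)
    for rec in json.loads(raw_trail_json)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "GetObject":
            continue  # only object reads count toward exfiltration volume
        ip = rec.get("sourceIPAddress", "")
        if is_expected_source(ip):
            continue
        key = (rec["userIdentity"].get("arn", "unknown"), ip,
               rec["requestParameters"].get("bucketName", "unknown"))
        counts[key] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (arn, ip, bucket), n in detect_bulk_downloads(SAMPLE_TRAIL).items():
        print(f"ALERT: {n} GetObject calls on s3://{bucket} by {arn} from {ip}")
```

In production the same grouping is run as an Athena query over the CloudTrail table with a time window, and the CIDR allowlist is replaced by the VPC endpoint IDs and NAT addresses the workload is known to use.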
First seen: Mar 18, 2026