
S3 — Drift Coverage

Supported CloudTrail Events

Event                        Description
CreateBucket                 Bucket created
DeleteBucket                 Bucket deleted
PutBucketVersioning          Versioning config changed
PutBucketEncryption          Encryption config changed
DeleteBucketEncryption       Encryption removed
PutBucketPolicy              Bucket policy updated
DeleteBucketPolicy           Bucket policy removed
PutBucketAcl                 ACL modified
PutBucketPublicAccessBlock   Public access settings changed
PutBucketLogging             Logging config changed
PutBucketLifecycle           Lifecycle rules updated
PutBucketReplication         Replication config changed

Monitored Drift Attributes

Bucket Configuration

  • versioning
    • enabled
    • mfa_delete
  • server_side_encryption_configuration
    • rule.apply_server_side_encryption_by_default
      • sse_algorithm (AES256 / aws:kms)
      • kms_master_key_id
  • lifecycle_rule
  • replication_configuration
  • logging
    • target_bucket
    • target_prefix

Access Control

  • policy (bucket policy JSON)
  • acl
  • public_access_block
    • block_public_acls
    • block_public_policy
    • ignore_public_acls
    • restrict_public_buckets

Advanced Features

  • cors_rule
  • website
  • object_lock_configuration

Falco Rule Examples

# A Falco rules file is a YAML list; each entry needs rule, desc, condition,
# output and priority. The cloud.* and drift.* fields are this project's own.
- rule: s3_encryption_disabled
  desc: Default encryption configuration was removed from a bucket
  condition: cloud.service = "s3" and evt.name = "DeleteBucketEncryption"
  output: "S3 Bucket Encryption Disabled (bucket=%resource user=%user)"
  priority: critical

- rule: s3_public_access_enabled
  desc: A public access block setting was switched off on a bucket
  condition: >
    cloud.service = "s3" and evt.name = "PutBucketPublicAccessBlock" and
    drift.changes.block_public_acls = false
  output: "S3 Bucket Made Public (bucket=%resource user=%user)"
  priority: critical

Example Log Output

{
  "service": "s3",
  "event": "PutBucketEncryption",
  "resource": "my-app-data-bucket",
  "changes": {
    "sse_algorithm": ["AES256", "aws:kms"],
    "kms_master_key_id": [null, "arn:aws:kms:us-east-1:123456789012:key/abc-123"]
  },
  "user": "admin@example.com",
  "timestamp": "2025-12-06T07:30:00Z"
}
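The following is an added example, not part of this project's code: it turns a CloudTrail S3 management event into a change record in the log format shown above and applies the two Falco-style conditions from the rule examples. The CloudTrail requestParameters layout (PascalCase S3 API element names), the use of userIdentity.userName as the actor, and the baseline state are assumptions.

```python
import json
# Constructed baseline: last recorded bucket state, keyed by the attribute names
# listed under "Monitored Drift Attributes".
BASELINE = {"sse_algorithm": "AES256", "kms_master_key_id": None, "block_public_acls": True,
            "block_public_policy": True, "ignore_public_acls": True, "restrict_public_buckets": True}

def state_from_event(event):
    """Project a CloudTrail S3 management event onto the monitored attributes.
    Assumption: requestParameters carries the S3 API's PascalCase element names."""
    name, params = event["eventName"], event.get("requestParameters", {})
    if name == "PutBucketEncryption":
        sse = params["ServerSideEncryptionConfiguration"]["Rule"]["ApplyServerSideEncryptionByDefault"]
        return {"sse_algorithm": sse["SSEAlgorithm"], "kms_master_key_id": sse.get("KMSMasterKeyID")}
    if name == "DeleteBucketEncryption":
        return {"sse_algorithm": None, "kms_master_key_id": None}
    if name == "PutBucketPublicAccessBlock":
        cfg = params["PublicAccessBlockConfiguration"]
        return {"block_public_acls": cfg["BlockPublicAcls"], "block_public_policy": cfg["BlockPublicPolicy"],
                "ignore_public_acls": cfg["IgnorePublicAcls"], "restrict_public_buckets": cfg["RestrictPublicBuckets"]}
    return {}  # other event types are not modelled in this example

def drift_record(event, baseline):
    """Record in the page's log format: changes hold [old, new] pairs for attributes that
    differ from the baseline. Assumption: the actor is an IAM user (userIdentity.userName)."""
    new = state_from_event(event)
    changes = {k: [baseline.get(k), v] for k, v in new.items() if baseline.get(k) != v}
    return {"service": "s3", "event": event["eventName"],
            "resource": event["requestParameters"]["bucketName"], "changes": changes,
            "user": event["userIdentity"]["userName"], "timestamp": event["eventTime"]}

def priority(record):
    """Evaluate the two Falco-style conditions from this page against a record."""
    if record["event"] == "DeleteBucketEncryption":
        return "critical"  # s3_encryption_disabled
    if record["event"] == "PutBucketPublicAccessBlock" and \
            record["changes"].get("block_public_acls", [None, True])[1] is False:
        return "critical"  # s3_public_access_enabled
    return "info"

# Constructed CloudTrail event: the AES256 -> aws:kms change from the example log output above.
SAMPLE_EVENT = {"eventName": "PutBucketEncryption", "eventTime": "2025-12-06T07:30:00Z",
    "userIdentity": {"userName": "admin@example.com"},
    "requestParameters": {"bucketName": "my-app-data-bucket",
        "ServerSideEncryptionConfiguration": {"Rule": {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/abc-123"}}}}}

if __name__ == "__main__":
    rec = drift_record(SAMPLE_EVENT, BASELINE)
    print(priority(rec), json.dumps(rec, indent=2))
```

Attributes that match the baseline are left out of changes, so a repeated PutBucketPublicAccessBlock that keeps block_public_acls false does not re-trigger the public-access rule.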

Grafana Dashboard Examples

Metrics

  • S3 encryption changes by bucket
  • Public access modifications
  • Bucket policy updates
  • Lifecycle rule changes

Alerts

  • Unplanned encryption removal
  • Public bucket exposure
  • Cross-account bucket policy changes

Known Limitations

  • Object-level logging requires S3 data events (not enabled by default in CloudTrail)
  • Intelligent-Tiering configuration drift is only partially tracked
  • S3 Object Lock WORM settings tracked but not validated against compliance rules
  • Cross-region replication status not real-time (eventual consistency)

Security Considerations

S3 drift detection is critical for compliance:

  • Encryption removal → data security violation
  • Public access → potential data leak
  • Bucket policy changes → unauthorized access

Recommendation: Enable S3 Object-level logging for production buckets.

Release History

  • v0.2.0-beta: Core S3 bucket configuration (12 events)
  • v0.3.0 (planned): Object-level drift, Access Point support