Buckets
The Buckets page manages S3 buckets registered for anomaly-based monitoring. Unlike GuardDuty findings (which are event-driven), the bucket detector uses a sliding time window to accumulate S3 operation counts and byte volumes, triggering alerts when an entity's activity deviates from its baseline.
In the app: /buckets
How the Detector Works
S3 object-level events (enabled via CloudTrail data events) are delivered to an SQS queue and processed in batches by the EventsProcessor Lambda. For each event, the Lambda:
- Identifies the actor (source IP or IAM principal) and the bucket.
- Reads the entity's rolling operation count and byte total from DynamoDB for the current time window.
- Increments the counters and writes them back.
- Compares the counters against the anomaly threshold. If exceeded, an event is written with type S3DataExfiltration, RansomwareWrite, RansomwareDelete, or RansomwareEnumeration.
- If the corresponding ThreatReaction detector is set to BLOCK, the actor is blocked immediately.
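The counter-and-threshold loop above, as an added illustration that is not the EventsProcessor Lambda's own code: it keys rolling counters by (actor, bucket, detector type, time window), increments them per event, and compares a sliding-window estimate against a threshold. Assumptions: an in-memory dict stands in for DynamoDB, the window size, thresholds and the `epoch` field are constructed placeholders, the sliding window is approximated by weighting the previous fixed window by its remaining overlap, and the BLOCK reaction is left out.

```python
from collections import defaultdict

WINDOW_SECONDS = 300  # constructed: the real window size is a stack parameter
# Constructed placeholder thresholds per window, not the stack's defaults.
THRESHOLDS = {
    "S3DataExfiltration": {"ops": 100, "bytes": 50 * 1024 ** 2},
    "RansomwareWrite": {"ops": 100}, "RansomwareDelete": {"ops": 50},
    "RansomwareEnumeration": {"ops": 200},
}
# CloudTrail eventName -> the detector type its counters feed.
EVENT_TO_TYPE = {
    "GetObject": "S3DataExfiltration", "PutObject": "RansomwareWrite",
    "DeleteObject": "RansomwareDelete", "DeleteObjects": "RansomwareDelete",
    "ListObjects": "RansomwareEnumeration", "ListObjectsV2": "RansomwareEnumeration",
}

def actor_of(event):
    """Entity key: IAM principal ARN when present, otherwise the source IP."""
    return event.get("userIdentity", {}).get("arn") or event.get("sourceIPAddress", "unknown")

def sliding_estimate(table, base, epoch):
    """Sliding-window count: current window plus the still-overlapping share of the previous one."""
    cur = epoch // WINDOW_SECONDS
    overlap = 1 - (epoch % WINDOW_SECONDS) / WINDOW_SECONDS
    c, p = table[base + (cur,)], table[base + (cur - 1,)]
    return {k: c[k] + p[k] * overlap for k in ("ops", "bytes")}

def process_event(event, table):
    """Returns the anomaly type if this event pushes the actor over threshold, else None."""
    kind = EVENT_TO_TYPE.get(event.get("eventName"))
    if kind is None:
        return None
    base = (actor_of(event), event["requestParameters"]["bucketName"], kind)
    epoch = event["epoch"]  # constructed: eventTime already converted to Unix seconds
    row = table[base + (epoch // WINDOW_SECONDS,)]  # read-increment-write of the current window
    row["ops"] += 1
    row["bytes"] += int(event.get("additionalEventData", {}).get("bytesTransferredOut", 0))
    est, limit = sliding_estimate(table, base, epoch), THRESHOLDS[kind]
    over = est["ops"] > limit["ops"] or est["bytes"] > limit.get("bytes", float("inf"))
    return kind if over else None

def run_batch(events, table=None):
    """Processes one SQS batch like the Lambda; returns the distinct (actor, bucket, type) alerts."""
    table = defaultdict(lambda: {"ops": 0, "bytes": 0}) if table is None else table  # DynamoDB stand-in
    alerts = set()
    for ev in events:
        kind = process_event(ev, table)
        if kind:
            alerts.add((actor_of(ev), ev["requestParameters"]["bucketName"], kind))
    return alerts
```

Because counters are keyed per actor, a second principal reading the same bucket at a low rate stays below threshold even while the first one trips it, which is the per-entity behaviour the Note at the end of this page describes.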
Bucket List
All S3 buckets registered for monitoring appear in this list. Only registered buckets have their data events forwarded through the SQS pipeline. Buckets not in this list are not monitored by the anomaly detector, even if CloudTrail is capturing their data events.
Adding a Bucket
Enter the bucket name (not the ARN, not the S3 URL — just the name). Prerequisites:
- S3 data event logging must be enabled in CloudTrail for the bucket (CloudTrail → Data events → S3).
- The CloudTrail trail must be in the same region as the Threat Reaction stack.
- CloudTrail must deliver the data events to the SQS queue whose ARN is configured in your stack; a trail delivering to a different queue is not seen by the detector.
Anomaly Types
Four detector types run on S3 events:
S3DataExfiltration
High GetObject volume or byte transfer from a bucket. Indicates data being downloaded at an unusual rate — characteristic of credential theft or insider threat.
RansomwareWrite
High PutObject volume with unusual file extensions (e.g., .encrypted, .locked) or a pattern of overwriting existing objects. Indicates possible ransomware encrypting bucket contents.
RansomwareDelete
Mass DeleteObject operations exceeding the threshold in the detection window. Indicates possible ransomware or destructive actor attempting to wipe bucket contents.
RansomwareEnumeration
High ListObjects rate suggesting a reconnaissance sweep — an actor cataloging bucket contents before exfiltration or encryption.
Anomaly Thresholds
The detection thresholds (operation count and byte volume per time window) are configured in the CloudFormation stack parameters. The defaults are tuned for a typical production bucket. High-throughput data pipelines may need higher thresholds to avoid false positives — adjust the CloudFormation parameter and update the stack.
Removing a Bucket
Removing a bucket from the list stops the Lambda from processing new SQS events for that bucket. Existing anomaly events for that bucket remain in DynamoDB. You may also want to disable CloudTrail data event logging for the bucket to avoid unnecessary SQS messages.
⚠️ Warning
Enabling CloudTrail S3 data events on high-volume buckets can generate millions of events per day and incur significant CloudTrail costs ($0.10 per 100K events). Start with your most sensitive buckets and monitor CloudTrail costs before adding high-volume buckets.
💡 Tip
Run the detector in REPORT mode for 1–2 weeks on a new bucket to observe baseline activity patterns before switching to BLOCK. This prevents false-positive blocks on legitimate bulk operations like ETL jobs or data migrations.
ℹ️ Note
The anomaly detector tracks activity per entity (actor IP or IAM principal), not per bucket globally. A single legitimate ETL role performing bulk operations will not trigger alerts for unrelated actors accessing the same bucket.