Expected Behavior
The expected behavior would be for IAM entities to interact with S3 using standard, approved methods without triggering any unusual behavior alerts in AWS Security Hub or GuardDuty.
Actual Behavior
IAM entities are invoking S3 API calls in an unusual manner, triggering alerts related to Exfiltration:S3/AnomalousBehavior in AWS Security Hub. This behavior is specifically related to the bastion module interaction with S3 in the pra-register-production environment.
https://mojdt.slack.com/archives/C01A7QK5VM1/p1711550490256409
Steps to Reproduce the Problem
No response
Version
No response
Modules
Bastion Module
Account
pra-register-production