New Threat Stack Feature: S3 File Integrity Monitoring

Threat Stack customers receive a great deal of value from our Linux File Integrity Monitoring (FIM), and we have now extended that capability to S3.

Many of our AWS customers are storing their critical files on S3, and for various security and compliance reasons, those files need to be monitored to see if any are being accessed, altered, or deleted.

To help ensure the integrity of the files in S3 buckets, Threat Stack now supports alerting on access and changes to files in specific buckets. AWS can now record object-level access as CloudTrail events, and we have added rules to our base rule set to support that feature.

Event Names and User Actions

To create rules that monitor particular actions on files, customers can use the associated CloudTrail event name in their Threat Stack rules. The following table lists the Event Names that are generated when specific User Actions occur.

User Action                                     | CloudTrail Event Name
------------------------------------------------|----------------------
Download a file in a bucket                     | GetObject
Delete a file or upload a new file in a bucket  | PutObject
Access the bucket                               | ListObjects
Access the policy of a bucket                   | GetObjectAcl
Upload a new policy on a bucket                 | PutObjectAcl
Access meta data on a bucket                    | HeadObject

New Threat Stack FIM Features


The Threat Stack base rule set has been updated to alert when files in critical buckets are accessed or deleted:

(eventName = "PutObjectAcl" or eventName = "GetObjectAcl" or eventName = "GetObject" or eventName = "PutObject" or eventName = "ListObjects" or eventName = "HeadObject") and bucketName = "xxx"

Customers need to replace xxx with the name of the bucket that they want to monitor.
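The same rule logic evaluated directly over raw CloudTrail records, as an added example (not Threat Stack's code). It assumes the standard CloudTrail record fields `eventName`, `requestParameters.bucketName`, `requestParameters.key` and `userIdentity.arn`; the bucket names, ARNs and log records are constructed for illustration.

```python
import json

# Event names copied from the rule on this page.
MONITORED_EVENTS = {"PutObjectAcl", "GetObjectAcl", "GetObject",
                    "PutObject", "ListObjects", "HeadObject"}

def matches_rule(record, bucket):
    """True when one CloudTrail record satisfies the rule for `bucket`."""
    if record.get("eventName") not in MONITORED_EVENTS:
        return False
    # requestParameters can be null in a CloudTrail record; treat that as no match.
    params = record.get("requestParameters") or {}
    # Exact, case-sensitive comparison, like the rule's bucketName = "xxx".
    return params.get("bucketName") == bucket

def find_alerts(log_text, bucket):
    """Return (time, principal ARN, event name, object key) per matching record."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if matches_rule(rec, bucket):
            arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
            key = rec["requestParameters"].get("key")  # absent on bucket-level calls
            hits.append((rec.get("eventTime"), arn, rec["eventName"], key))
    return hits

def _rec(time, name, user, params):
    """Build one constructed record in CloudTrail's layout."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user},
            "requestParameters": params}

CRITICAL = "example-critical-bucket"  # hypothetical bucket standing in for xxx

# Constructed sample log file; none of these records come from a real account.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2017-01-10T09:00:00Z", "GetObject", "alice", {"bucketName": CRITICAL, "key": "payroll.csv"}),
    _rec("2017-01-10T09:01:00Z", "PutObject", "bob", {"bucketName": "example-public-assets", "key": "logo.png"}),
    _rec("2017-01-10T09:02:00Z", "PutObjectAcl", "bob", {"bucketName": CRITICAL, "key": "payroll.csv"}),
    _rec("2017-01-10T09:03:00Z", "HeadObject", "bob", None),  # edge case: null parameters
    _rec("2017-01-10T09:04:00Z", "ListObjects", "alice", {"bucketName": CRITICAL}),
]})

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_LOG, CRITICAL):
        print(hit)
```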


In addition to creating alerts, customers can also search on corresponding events:



Final Word . . .

We’re continually adding to and improving the Threat Stack intrusion detection platform. Stay tuned to our blog to learn about new and enhanced features as they are released.