New Threat Stack Feature: S3 File Integrity Monitoring

Threat Stack customers receive a great deal of value from our Linux File Integrity Monitoring (FIM), and we have now extended that capability to S3.

Many of our AWS customers are storing their critical files on S3, and for various security and compliance reasons, those files need to be monitored to see if any are being accessed, altered, or deleted.

To help ensure the integrity of the files in S3 buckets, Threat Stack now supports alerting on access and changes to files in specific buckets. AWS can now record object-level access in CloudTrail events, and we have added rules to our base rule set to support that feature.

Event Names and User Actions

To create rules that monitor particular actions on files, customers can use the associated CloudTrail event name in their Threat Stack rules. The following table lists the Event Names that are generated when specific User Actions occur.

User Action

CloudTrail Event Name

Download a file in a bucket


Delete a file or upload a new file in a bucket


Access the bucket


Access the policy of a bucket


Upload a new policy on a bucket


Access metadata on a bucket


New Threat Stack FIM Features


The Threat Stack base rule set has been updated to alert when files in critical buckets are accessed or deleted:

(eventName = "PutObjectAcl" or eventName = "GetObjectAcl" or eventName = "GetObject" or eventName = "PutObject" or eventName = "ListObjects" or eventName = "HeadObject") and bucketName = "xxx"

Customers need to replace xxx with the name of the bucket that they want to monitor.
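To see which records a rule like this selects, the following added example (not Threat Stack code) applies the same event-name and bucket-name condition to a CloudTrail log file and groups the matches by caller. The bucket name, ARNs and log records are constructed for illustration; the field names follow the CloudTrail record format.

```python
import json
from collections import defaultdict

# Event names copied from the rule above.
WATCHED_EVENTS = {"PutObjectAcl", "GetObjectAcl", "GetObject",
                  "PutObject", "ListObjects", "HeadObject"}

def match_fim_events(log_text, bucket):
    """Return the CloudTrail records that satisfy the rule for `bucket`."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        # requestParameters is null on some events, so default to {}.
        params = rec.get("requestParameters") or {}
        if rec.get("eventName") in WATCHED_EVENTS and params.get("bucketName") == bucket:
            hits.append(rec)
    return hits

def summarize(hits):
    """Map caller ARN -> sorted list of (eventName, object key) pairs."""
    by_caller = defaultdict(set)
    for rec in hits:
        arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
        key = (rec.get("requestParameters") or {}).get("key", "")
        by_caller[arn].add((rec["eventName"], key))
    return {arn: sorted(pairs) for arn, pairs in by_caller.items()}

def _rec(name, arn, params):
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}

ALICE = "arn:aws:iam::111122223333:user/alice"   # constructed
BOB = "arn:aws:iam::111122223333:user/bob"       # constructed
BUCKET = "example-critical-bucket"               # stands in for "xxx"

# Constructed sample log, not real CloudTrail output.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("GetObject", ALICE, {"bucketName": BUCKET, "key": "finance/q1.csv"}),
    _rec("PutObject", BOB, {"bucketName": BUCKET, "key": "finance/q1.csv"}),
    _rec("GetObject", BOB, {"bucketName": "other-bucket", "key": "a.txt"}),
    # DeleteObject is not among the rule's event names, so it does not match.
    _rec("DeleteObject", BOB, {"bucketName": BUCKET, "key": "finance/q1.csv"}),
    _rec("ListObjects", ALICE, {"bucketName": BUCKET}),
    _rec("ListBuckets", ALICE, None),
]})

if __name__ == "__main__":
    for arn, actions in summarize(match_fim_events(SAMPLE_LOG, BUCKET)).items():
        print(arn, actions)
```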


In addition to creating alerts, customers can also search on corresponding events:



Final Word . . .

We’re continually adding to and improving the Threat Stack Cloud Security Platform®. Stay tuned to our blog to learn about new and enhanced features as they are released.