S3 ACCESS MONITORING

Every S3 request, mapped end-to-end

See exactly which IAM roles hit which buckets, prefixes, and operations, down to the object level. No sampling. No blind spots. No agents.

THE PROBLEM

You don't actually know who's accessing your S3

CloudTrail is sampled and lossy

High-volume access patterns get compressed. New principals appear without context. You find out what happened on your AWS bill.

IaC drifts silently

Terraform applies happen at odd hours, some get rolled back. Live access diverges from declared infra and nobody notices until an audit.

New services start writing without warning

A new role appears, dumps 8 TB to a bucket nobody owns, and you only see it on the AWS bill three weeks later.

"We watch actual behavior, not just config. That's a completely different signal."

Head of Infrastructure Security

E-commerce, $400M ARR

WHAT RECOST SHOWS YOU

Object-level visibility, from every direction.

IAM Sankey

Role              Action         Bucket             Requests  Flag
glue-etl-role     s3:GetObject   data-lake-prod     4.2M
lambda-processor  s3:PutObject   events-raw         890K
arn::913...       s3:ListBucket  billing-prod       18K       New reader
athena-query      s3:GetObject   analytics-parquet  2.1M
ci-deploy-role    s3:PutObject   data-lake-prod     12K       IaC drift

Live IAM access map

  • Sankey flow: every IAM role to every bucket, prefix, and operation
  • Object-level granularity, not bucket-level averages
  • No sampling - every GET, PUT, LIST, DELETE counted

Per-role baseline and anomaly detection

  • Each role has a learned access baseline: buckets, prefixes, hours, request volume
  • Alerts when a role accesses a new prefix, scans at 10x baseline, or operates outside its window
  • First-seen timestamps for every (role, bucket, prefix) combination

etl-pipeline-role · Baseline vs Now

Metric             Baseline     Now           Note
Buckets accessed   3            3
Unique prefixes    12           27            +125%
GET requests/day   840K         9.1M          +10x
Hours active       06:00-22:00  00:00-23:59   24h window
Avg object size    128MB        4.2MB         small files
First seen prefix  -            pii-exports/  NEW

Service Auto-Detection

Service                  Role              Bucket             Seen
AWS Glue                 glue-etl-role     data-lake-prod     2m ago
Athena                   athena-query      analytics-parquet  5m ago
AWS Lambda               lambda-processor  events-raw         12m ago
Amazon EMR               emr-batch-role    data-lake-prod     3h ago
Amazon Firehose          firehose-role     events-raw         18s ago
Unknown principal (NEW)  arn::791...       billing-prod       34m ago

IaC drift and service auto-detection

  • Detects when live access diverges from Terraform or CDK definitions
  • 25+ AWS service auto-detection from path and user agent: Lambda, Glue, Athena, EMR, Firehose, Kinesis, Spark
  • New writer and new reader detection with first-seen timestamps

HOW IT WORKS

  01 Connect: Read-only IAM role. 5-min setup.
  02 Map: Live Sankey of every S3 request.
  03 Baseline: Per-role learning over rolling 30-day window.
  04 Alert: Slack/webhook on drift, anomaly, or new principal.

CASE STUDY

4 Dead ETL Pipelines Caught by S3 Write Pattern Monitoring

How a platform team discovered four Glue ETL pipelines silently reporting success while writing zero bytes, caught via S3 write pattern anomalies, not query failures.

Know exactly who's inside your S3

5-minute setup. No agents. Object-level, not bucket-level.