S3 THREAT DETECTION

Find the attackers already inside your storage

DSPM tells you what's in your buckets. reCost tells you who's stealing it. Behavior-based threat detection from S3 access logs: EOL SDKs, exfiltration patterns, credential attacks, and PII exposure.

THE PROBLEM

Your DSPM scans configs. It misses behavior.

Third parties use vulnerable SDKs

boto3 1.18.x with active CVEs is making 14K requests per month to your PII bucket, and your CSPM doesn't know.

Exfiltration looks like normal traffic

3.2 GB downloaded by a known role to a new IP isn't flagged because the role had access. Behavior is invisible without a baseline.

PII sits in object paths nobody scans

Email addresses, SSNs and account numbers embedded in object keys never reach DSPM classifiers, but they are visible in S3 access logs.

"Compliance scans config. reCost watches actual behavior. That caught something we'd missed for 200 days."


Head of Infrastructure Security

SaaS, $200M ARR

WHAT RECOST SHOWS YOU

Behavior-based. Not policy-based.

EOL SDK Detection

[HIGH] EOL SDK with Active CVE
SDK: boto3/1.9.x
CVE: CVE-2018-15869 (CVSS 7.5)
Requests: 14,082 / month
Prefix: pii-exports/

Other detected SDKs (SDK, bucket, requests, status):
  aws-sdk-java/1.11.892   events-raw          6.1K   CVE-2023-6274
  aws-sdk-go/1.44.210     data-lake-prod      920K   clean
  aws-sdk-js/2.1386.0     analytics-parquet   2.3M   clean

EOL SDK detection mapped to CVEs

  • Detects boto3, aws-sdk-java, aws-sdk-go and aws-sdk-js, with their versions, from the user-agent string
  • Maps each detected SDK version to known CVEs and CVSS score
  • Shows which buckets and prefixes the vulnerable SDK is accessing

Exfiltration and credential attack detection

  • High-volume GetObject spikes by unfamiliar principals against their learned baseline
  • 403 storms, repeated auth failures, and brute-force key-scanning patterns
  • Browser user-agent alerts on programmatic data buckets

Active Signals

[HIGH] 403 storm: arn::791...
  4,218 denied requests in 6 min across billing-prod, pii-exports, events-raw
[HIGH] Exfiltration pattern
  3.2 GB downloaded by new principal arn::582... in 90 min, baseline: 0 bytes/day
[MED] Browser user-agent on data bucket
  Mozilla/5.0 (Windows) accessing analytics-parquet, 847 GET requests
[MED] Repeated auth failures
  ci-deploy-role: 312 auth failures in 4 min, possible credential rotation gone wrong
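The four detections listed above (SDK version and CVE lookup from the user-agent, 403 storms, browser user-agents on data buckets, and download volume against a per-principal baseline) as one added Python example. This is not reCost's code: it tokenises S3 server access log lines in the documented field order and runs each rule over a constructed set of lines. Bucket names, principal ARNs, thresholds and the "fixed below" cut-offs in the CVE table are assumptions; the two CVE pairings are the ones the page's panel shows and should be checked against a maintained vulnerability feed before being relied on.

```python
"""Behaviour detections over S3 server access logs. Added example, not reCost's code: the log
lines are constructed (first 17 documented fields) and thresholds, names and the CVE table are illustrative."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A line is space-delimited with a [bracketed] timestamp and "quoted" URI / referer / UA fields.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
FIELDS = ["owner", "bucket", "time", "ip", "requester", "request_id", "op", "key", "uri",
          "status", "error", "bytes_sent", "obj_size", "total_ms", "turnaround_ms", "referer", "user_agent"]

def parse_line(line):
    rec = dict(zip(FIELDS, (t.strip('[]"') for t in _TOKEN.findall(line))))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes_sent"] = int(rec["bytes_sent"]) if rec["bytes_sent"].isdigit() else 0
    return rec

SDK_UA = re.compile(r"(boto3|aws-sdk-java|aws-sdk-go|aws-sdk-(?:js|nodejs))/(\d+(?:\.\d+)+)", re.I)
# CVE pairings as shown on the page; the "fixed below" cut-offs are assumed, and a real
# deployment would load this table from a maintained vulnerability feed instead.
VULN_SDKS = {"boto3": ((1, 10, 0), "CVE-2018-15869"), "aws-sdk-java": ((1, 11, 893), "CVE-2023-6274")}

def detect_eol_sdks(records):
    """Count requests per (sdk, version, bucket, top-level prefix); flag versions with a CVE."""
    counts = defaultdict(int)
    for r in records:
        m = SDK_UA.search(r["user_agent"])
        if m:
            family = m.group(1).lower().replace("aws-sdk-nodejs", "aws-sdk-js")
            version = tuple(int(p) for p in m.group(2).split("."))
            prefix = r["key"].split("/", 1)[0] + "/" if "/" in r["key"] else r["key"]
            counts[(family, version, r["bucket"], prefix)] += 1
    out = []
    for (family, version, bucket, prefix), n in counts.items():
        fixed_below, cve = VULN_SDKS.get(family, (None, None))
        if fixed_below and version < fixed_below:
            out.append({"sev": "HIGH", "sdk": f"{family}/{'.'.join(map(str, version))}",
                        "cve": cve, "bucket": bucket, "prefix": prefix, "requests": n})
    return out

def detect_403_storm(records, threshold=3, window=timedelta(minutes=6)):
    """Fire when one requester collects `threshold` 403s inside `window`, across any buckets."""
    denied = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["status"] == "403":
            denied[r["requester"]].append(r)
    out = []
    for requester, rs in denied.items():
        for i in range(len(rs) - threshold + 1):
            burst = rs[i:i + threshold]
            if burst[-1]["time"] - burst[0]["time"] <= window:
                out.append({"sev": "HIGH", "requester": requester, "denied": len(burst),
                            "buckets": sorted({x["bucket"] for x in burst})})
                break
    return out

DATA_BUCKETS = {"analytics-parquet", "data-lake-prod", "pii-exports", "events-raw", "billing-prod"}

def detect_browser_ua(records):
    """An interactive browser user-agent has no business on a programmatic data bucket."""
    hits = defaultdict(int)
    for r in records:
        if r["bucket"] in DATA_BUCKETS and r["user_agent"].startswith("Mozilla/"):
            hits[(r["requester"], r["bucket"])] += 1
    return [{"sev": "MED", "requester": q, "bucket": b, "gets": n} for (q, b), n in hits.items()]

def detect_exfil(records, baseline_bytes_per_day, min_bytes=1_000_000):
    """Bytes served per principal versus its learned daily baseline (0 if never seen before)."""
    total = defaultdict(int)
    for r in records:
        if r["op"] == "REST.GET.OBJECT" and r["status"] == "200":
            total[r["requester"]] += r["bytes_sent"]
    return [{"sev": "HIGH", "requester": q, "bytes": b, "baseline": baseline_bytes_per_day.get(q, 0)}
            for q, b in total.items() if b >= min_bytes and b > 10 * baseline_bytes_per_day.get(q, 0)]

def run(lines, baseline_bytes_per_day=None):
    records = [parse_line(l) for l in lines]
    return {"eol_sdk": detect_eol_sdks(records), "storm_403": detect_403_storm(records),
            "browser_ua": detect_browser_ua(records),
            "exfil": detect_exfil(records, baseline_bytes_per_day or {})}

def _line(bucket, ts, requester, key, status, nbytes, ua):  # builds one constructed sample line
    err = "AccessDenied" if status == 403 else "-"
    return (f'OWNER {bucket} [{ts} +0000] 203.0.113.10 {requester} REQ1 REST.GET.OBJECT {key} '
            f'"GET /{bucket}/{key} HTTP/1.1" {status} {err} {nbytes} {nbytes} 12 3 "-" "{ua}" -')
VENDOR, SCANNER = "arn:aws:iam::111122223333:role/vendor-sync", "arn:aws:iam::444455556666:user/scanner"
ANALYST, NEWCOMER = "arn:aws:iam::111122223333:user/analyst", "arn:aws:iam::777788889999:role/new-principal"
BOTO_OLD = "Boto3/1.9.4 Python/3.6.5 Linux/4.14 Botocore/1.12.4"
JAVA_OLD = "aws-sdk-java/1.11.892 Linux/5.4 OpenJDK_64-Bit_Server_VM/11"
GO_OK = "aws-sdk-go/1.44.210 (go1.19; linux; amd64)"
SAMPLE = [  # constructed log lines: two EOL SDKs, a clean SDK, a 403 burst, a browser, a bulk download
    _line("pii-exports", "06/Feb/2024:10:00:01", VENDOR, "pii-exports/batch-17.csv", 200, 4096, BOTO_OLD),
    _line("events-raw", "06/Feb/2024:10:01:00", VENDOR, "events/2024/02/06.json", 200, 512, JAVA_OLD),
    _line("data-lake-prod", "06/Feb/2024:10:02:00", ANALYST, "tables/orders/p0.parquet", 200, 4096, GO_OK),
    _line("billing-prod", "06/Feb/2024:10:05:00", SCANNER, "invoices/2023.parquet", 403, 0, "aws-cli/2.13.0"),
    _line("pii-exports", "06/Feb/2024:10:05:30", SCANNER, "pii-exports/batch-1.csv", 403, 0, "aws-cli/2.13.0"),
    _line("events-raw", "06/Feb/2024:10:06:10", SCANNER, "events/2024/01/01.json", 403, 0, "aws-cli/2.13.0"),
    _line("analytics-parquet", "06/Feb/2024:10:10:00", ANALYST, "daily/part-0001.parquet", 200, 2048, "Mozilla/5.0 (Windows NT 10.0)"),
    _line("data-lake-prod", "06/Feb/2024:10:20:00", NEWCOMER, "snapshots/full.tar", 200, 3_200_000_000, GO_OK),
]
```

`run(SAMPLE)` returns one finding per rule family; `run(SAMPLE, {NEWCOMER: 500_000_000})` shows the same 3.2 GB download dropping below the exfiltration rule once a baseline exists for that principal, which is the point of learning a baseline rather than alerting on volume alone. The 403 rule keys on the requester rather than the bucket so that a key-scanning pattern spread across several buckets still counts as one storm.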

PII Exposure in Object Keys

Flagged object key patterns (type, confidence, key, bucket):
  EMAIL (99% confidence)    exports/users/email=john.doe@acme.com/     bucket: data-lake-prod
  SSN (97% confidence)      reports/ssn=***-**-1234/summary.parquet    bucket: billing-prod
  CC_NUM (94% confidence)   invoices/acct_num=4111111111111111/        bucket: billing-prod
  SSN (91% confidence)      events/uid=429-83-2118/raw/                bucket: events-raw

Bucket policy change correlated: billing-prod ACL modified 14h ago, access spike followed within 2h

PII exposure and bucket configuration drift

  • Detects PII patterns (email addresses, SSNs, account numbers) in object key paths without reading object contents
  • Tracks bucket policy and ACL changes correlated with access spikes
  • Flags new principals accessing PII-tagged buckets for the first time
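The key-path detection described above as an added Python example (not reCost's code). It scans only the object key, never the object body, scores each hit from a regex match plus a cheap validity check (Luhn for card numbers, unissued area/group/serial values for SSNs, RFC 2606 fixture domains for emails) plus a label hint such as `ssn=` or `acct_num=`, and redacts the match before the key is passed on so the alert itself does not re-expose the PII. The detectors, the 85/10/4 scoring, the hint words and the sample listing are all constructed for illustration.

```python
"""PII detection over S3 object key paths. Added example, not reCost's code: detectors,
confidence scores and sample keys are constructed, and only the key string is inspected."""
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
SSN = re.compile(r"(?<![\d*])(\d{3}|\*{3})-(\d{2}|\*{2})-(\d{4})(?![\d*])")  # also matches masked ***-**-1234
CARD = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}  # RFC 2606 fixture domains, not real PII

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from arbitrary long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(m):
    """Reject SSN-shaped strings with area/group/serial values the SSA never issues."""
    area, group, serial = m.groups()
    if area.isdigit() and (area in ("000", "666") or area.startswith("9")):
        return False
    return group != "00" and serial != "0000"

# (type, regex, validity check, label words that raise confidence when the path names the value)
DETECTORS = [
    ("EMAIL", EMAIL, lambda m: m.group(0).split("@")[1].lower() not in RESERVED_DOMAINS, ("email", "mail")),
    ("SSN", SSN, ssn_plausible, ("ssn", "social")),
    ("CC_NUM", CARD, lambda m: luhn_ok(m.group(0)), ("acct", "card", "pan")),
]

def scan_key(key):
    """Scan each path segment; confidence = 85 base + 10 if valid + 4 if the label says what it is."""
    findings = []
    for seg in key.split("/"):
        label = seg.split("=", 1)[0].lower() if "=" in seg else ""
        for kind, rx, valid, hints in DETECTORS:
            for m in rx.finditer(seg):
                conf = 85 + (10 if valid(m) else 0) + (4 if any(h in label for h in hints) else 0)
                findings.append({"type": kind, "match": m.group(0), "confidence": conf})
    return findings

def redact_key(key):
    """Replace every match with its type so alerts and tickets do not re-expose the PII."""
    for kind, rx, _, _ in DETECTORS:
        key = rx.sub(f"[{kind}]", key)
    return key

def scan_listing(listing):
    """listing: {bucket: [keys]} as an access log or inventory would yield; returns redacted findings."""
    return [{"bucket": bucket, "key": redact_key(key), **f}
            for bucket, keys in listing.items() for key in keys for f in scan_key(key)]

# Constructed sample listing modelled on the flagged patterns above, plus two fixtures and a clean key.
SAMPLE_LISTING = {
    "data-lake-prod": ["exports/users/email=john.doe@acme.com/", "fixtures/email=qa@example.com/"],
    "billing-prod": ["reports/ssn=***-**-1234/summary.parquet", "invoices/acct_num=4111111111111111/",
                     "invoices/acct_num=1234567812345678/"],
    "events-raw": ["events/uid=429-83-2118/raw/", "logs/2024/01/part-0001.parquet"],
}
```

`scan_listing(SAMPLE_LISTING)` yields six findings with the matched values already redacted; the `example.com` address and the non-Luhn digit run still surface, but at a lower confidence, which is the signal a triage queue would use to rank the real exposures first.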

HOW IT WORKS

01 Connect: Read-only IAM role. 5-min setup.
02 Watch: Continuous parse of S3 access logs.
03 Match: Behavior vs CVE database, exfiltration patterns, baseline deviations.
04 Alert: Slack/webhook with severity, IOC, and recommended action.

CASE STUDY

EOL SDK With Active CVE Detected via IAM Monitoring

How a security team discovered a third-party integration running boto3 1.9.x (CVE-2018-15869) making 14K monthly requests to their PII bucket, undetected for over six months.


Start catching what your DSPM misses

5-minute setup. No agents. Behavior-based, not config-based.
