Detecting S3 Data Exfiltration Attempts When to Use - When GuardDuty detects anomalous S3 access patterns such as bulk downloads from unusual IPs - When investigating suspected data breach involving S3-stored sensitive data - When building detection rules for S3 data loss prevention monitoring - When responding to Macie alerts about sensitive data being accessed or moved - When compliance requires monitoring and logging of all access to classified data stores Do not use for preventing data exfiltration (use S3 bucket policies, VPC endpoints, and SCPs), for data classification (use Amazon Maci…