drop s3 server access log · parse principal + action + object · detect anomalous bulk reads
flags ListBucket storms · GetObject bulk exfil · error spikes · anonymous access · off-hours · destructive bursts
heuristic screener · client/export format varies — S3 log field order assumed · gzip decompressed locally · not definitive proof
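
A sketch of the screening described above, as an added example (not this tool's own code). It assumes the documented S3 server access log field order; the thresholds, function names and sample lines are constructed for illustration. It covers three of the listed flags: anonymous access, GetObject bulk reads and ListBucket storms.

```python
import re
from collections import Counter, defaultdict

# A token is a [bracketed time], a "quoted string", or a bare field.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
# Leading fields, in the S3 server access log order this sketch assumes.
FIELDS = ("owner", "bucket", "time", "ip", "requester", "request_id",
          "operation", "key", "uri", "status", "error", "bytes_sent")

def parse_line(line):
    """Return the leading fields as a dict, or None for a short/foreign line."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, tokens))
    rec["bytes_sent"] = int(rec["bytes_sent"]) if rec["bytes_sent"].isdigit() else 0
    return rec

def screen(lines, get_threshold=3, list_threshold=3):
    """Heuristic flags: anonymous access, bulk GetObject, ListBucket storms."""
    keys, sent, lists, findings = defaultdict(set), Counter(), Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        who = rec["requester"]
        if who == "-":  # unauthenticated request
            findings.append(("anonymous", rec["ip"], rec["operation"]))
            who = "anon@" + rec["ip"]
        if rec["operation"] == "REST.GET.OBJECT" and rec["status"].startswith("2"):
            keys[who].add(rec["key"])       # distinct objects read per principal
            sent[who] += rec["bytes_sent"]
        elif rec["operation"] == "REST.GET.BUCKET":
            lists[who] += 1                 # bucket listing requests
    findings += [("bulk_get", w, len(k), sent[w])
                 for w, k in keys.items() if len(k) >= get_threshold]
    findings += [("list_storm", w, n) for w, n in lists.items() if n >= list_threshold]
    return findings

def sample_line(requester, op, key, status="200", size="1024", ip="198.51.100.7"):
    """Build one constructed log line (all values are made up for the demo)."""
    return (f'OWNERID example-bucket [06/Feb/2024:02:14:07 +0000] {ip} {requester} '
            f'REQID {op} {key} "GET /{key} HTTP/1.1" {status} - {size} {size} 12 10 '
            f'"-" "aws-cli/2.0" - HOSTID SigV4 TLS_AES_128_GCM_SHA256 AuthHeader '
            f'example-bucket.s3.amazonaws.com TLSv1.3 - -')

ROLE = "arn:aws:sts::111122223333:assumed-role/etl/session"   # constructed
SAMPLE = ([sample_line(ROLE, "REST.GET.BUCKET", "-")] * 3
          + [sample_line(ROLE, "REST.GET.OBJECT", f"exports/{i}.csv") for i in range(4)]
          + [sample_line("-", "REST.GET.OBJECT", "public/logo.png", ip="203.0.113.9")]
          + ["not an s3 log line"])

if __name__ == "__main__":
    for finding in screen(SAMPLE):
        print(finding)
```

Real thresholds belong per principal and per time window; a backup or ETL role reads in bulk by design, so a hit here is a lead to check against CloudTrail, not a verdict.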