
Summary
This rule identifies when a lifecycle configuration that includes expiration policies is added to an Amazon S3 bucket. Lifecycle configurations can facilitate the automatic deletion of objects after a defined timeframe, which is a potential tactic used by malicious actors to destroy evidence of unauthorized access or data manipulation. The rule uses logs generated by AWS CloudTrail, specifically looking for successful 'PutBucketLifecycle' events in conjunction with parameters indicating an expiration setup. It aims to alert on potential misuse by tracking changes in S3 bucket lifecycle policies, thereby ensuring that any unauthorized changes can be investigated and mitigated promptly. Investigating these changes includes verifying the user responsible, analyzing the lifecycle policy for unusual terms, and checking the source IP for anomalies. The presence of such configurations without proper justification could signal an attempt to enable data deletion that conceals compromise or activity contrary to organizational policies.
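The matching logic described above, run over a few constructed CloudTrail-style records, as an added example that is not part of the rule itself. It assumes the requestParameters layout mirrors the PutBucketLifecycle XML body (a single Rule arrives as a dict, several as a list); bucket names, ARNs and addresses are made up.

```python
import json

# Constructed records in CloudTrail shape (not real logs). Only the first one
# should fire: a successful PutBucketLifecycle whose rule carries an Expiration.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "audit-logs", "LifecycleConfiguration": {
         "Rule": {"ID": "purge", "Status": "Enabled", "Filter": {"Prefix": ""},
                  "Expiration": {"Days": 1}}}}},
    # Transition-only policy: lifecycle change, but no expiration -> no alert.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "archive", "LifecycleConfiguration": {
         "Rule": [{"ID": "tier", "Status": "Enabled",
                   "Transition": {"Days": 30, "StorageClass": "GLACIER"}}]}}},
    # Failed call (errorCode present): the rule only looks at successes.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/eve"},
     "sourceIPAddress": "192.0.2.5",
     "requestParameters": {"bucketName": "audit-logs", "LifecycleConfiguration": {
         "Rule": {"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 1}}}}},
]

# Keys that make a lifecycle rule delete data (current or noncurrent versions).
EXPIRATION_KEYS = ("Expiration", "NoncurrentVersionExpiration")


def lifecycle_rules(event):
    """Normalise the Rule element to a list; CloudTrail emits a dict for one rule."""
    cfg = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = cfg.get("Rule", [])
    return rules if isinstance(rules, list) else [rules]


def expiration_rules(event):
    return [r for r in lifecycle_rules(event) if any(k in r for k in EXPIRATION_KEYS)]


def matches(event):
    """Successful S3 PutBucketLifecycle carrying at least one expiration rule."""
    return (event.get("eventSource") == "s3.amazonaws.com"
            and event.get("eventName") == "PutBucketLifecycle"
            and "errorCode" not in event
            and bool(expiration_rules(event)))


def triage(events):
    """For each hit, pull the fields an analyst checks first: actor, IP, policy terms."""
    return [{"bucket": ev["requestParameters"].get("bucketName"),
             "actor": ev.get("userIdentity", {}).get("arn"),
             "source_ip": ev.get("sourceIPAddress"),
             "rules": [{k: r[k] for k in ("ID", *EXPIRATION_KEYS) if k in r}
                       for r in expiration_rules(ev)]}
            for ev in events if matches(ev)]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```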
Categories
- Cloud
Data Sources
- Cloud Storage
- User Account
- Network Traffic
ATT&CK Techniques
- T1070
Created: 2024-04-12