AWS S3 Bucket Configuration Deletion

Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.

Elastic rule

[metadata]
creation_date = "2020/05/27"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components."
false_positives = [
    """
    Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Bucket Configuration Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS S3 Bucket Configuration Deletion

Amazon S3 is a scalable storage service where configurations like policies, replication, and encryption ensure data security and compliance. Adversaries may delete these configurations to evade defenses, disrupt data protection, or conceal malicious activities. The detection rule monitors successful deletions of these configurations, signaling potential defense evasion attempts by correlating specific CloudTrail events.

### Possible investigation steps

- Review the CloudTrail logs for the specific event.provider:s3.amazonaws.com and event.action values to identify the user or role responsible for the deletion actions.
- Examine the event.outcome:success field to confirm that the deletion actions were completed successfully and not attempted or failed.
- Investigate the IAM policies and permissions associated with the user or role identified to determine if they have legitimate access to perform such deletions.
- Check for any recent changes in IAM roles or policies that might have inadvertently granted excessive permissions.
- Correlate the timing of the deletion events with other suspicious activities or alerts in the AWS environment to identify potential patterns or coordinated actions.
- Assess the impact of the deleted configurations on data security and compliance, and determine if any critical data protection mechanisms were affected.

### False positive analysis

- Routine administrative actions by authorized personnel may trigger alerts when they update or remove bucket configurations as part of regular maintenance. To manage this, create exceptions for specific user roles or IAM users known to perform these tasks regularly.
- Automated scripts or tools used for infrastructure management might delete and recreate bucket configurations as part of their operation. Identify these scripts and exclude their associated actions from triggering alerts by using specific identifiers or tags.
- Scheduled policy updates or compliance checks that involve temporary removal of configurations can also result in false positives. Implement time-based exceptions for these known activities to prevent unnecessary alerts.
- Development and testing environments often undergo frequent configuration changes, which can mimic suspicious behavior. Exclude these environments from the rule by using environment-specific tags or identifiers.

### Response and remediation

- Immediately revoke any unauthorized access to the affected S3 bucket by reviewing and updating the bucket's access policies and permissions.
- Restore the deleted configurations by applying the latest known good configuration settings for policies, replication, encryption, and other affected components.
- Conduct a thorough audit of recent IAM activity to identify any unauthorized or suspicious actions related to the S3 bucket configurations.
- Escalate the incident to the security operations team for further investigation and to determine if additional AWS resources or accounts have been compromised.
- Implement additional monitoring and alerting for any future unauthorized configuration changes to S3 buckets, focusing on the specific actions identified in the detection rule.
- Review and enhance IAM policies to enforce the principle of least privilege, ensuring only authorized users have the necessary permissions to modify S3 bucket configurations.
- Coordinate with the incident response team to assess the impact of the configuration deletions on data security and compliance, and take necessary steps to mitigate any identified risks.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html",
]
risk_score = 21
rule_id = "227dc608-e558-43d9-b521-150772250bae"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Asset Visibility",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and
  event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or
                DeleteBucketEncryption or DeleteBucketLifecycle)
  and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
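The following is an added example, not part of the Elastic rule or its integration code. It replays the rule's KQL logic in Python over a handful of constructed CloudTrail records, normalising them onto the ECS fields the query names (event.provider, event.action, event.outcome), applying the kind of known-automation exemption the false positive analysis above recommends, and grouping what survives by actor and bucket so that one principal stripping several protections from the same bucket is visible as one cluster. The normalisation is a simplified stand-in for the Filebeat/Fleet aws.cloudtrail pipeline (an errorCode in the record is treated as an unsuccessful call); the KNOWN_AUTOMATION entry, the user names, user agents and bucket names are all constructed for the example.

```python
import json
from collections import defaultdict

# Actions the rule's query matches (copied from the rule).
WATCHED_ACTIONS = {
    "DeleteBucketPolicy",
    "DeleteBucketReplication",
    "DeleteBucketCors",
    "DeleteBucketEncryption",
    "DeleteBucketLifecycle",
}

# Hypothetical exemption list for known infrastructure automation, the kind of
# exception the rule's false-positive guidance recommends: (user.name,
# user_agent.original prefix). Both values are constructed for this example.
KNOWN_AUTOMATION = {
    ("terraform-ci", "APN/1.0 HashiCorp/1.0 Terraform"),
}

# Constructed CloudTrail records (not real log data), trimmed to the fields
# this example reads.
SAMPLE_RECORDS = [
    {   # successful encryption removal by a human IAM user -> should alert
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketEncryption",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "userAgent": "aws-cli/2.15.0", "requestParameters": {"bucketName": "finance-archive"},
    },
    {   # denied attempt: errorCode present, so event.outcome is not success
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "errorCode": "AccessDenied", "userAgent": "aws-cli/2.15.0",
        "requestParameters": {"bucketName": "finance-archive"},
    },
    {   # known automation rotating a lifecycle rule -> matches, but exempt
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketLifecycle",
        "userIdentity": {"type": "IAMUser", "userName": "terraform-ci"},
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",
        "requestParameters": {"bucketName": "web-assets"},
    },
    {   # read-only call, not in the watched action set
        "eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "userAgent": "aws-cli/2.15.0", "requestParameters": {"bucketName": "finance-archive"},
    },
    {   # second deletion by the same actor on the same bucket -> grouped
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketReplication",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "userAgent": "aws-cli/2.15.0", "requestParameters": {"bucketName": "finance-archive"},
    },
]


def normalise(record):
    """Map a raw CloudTrail record onto the ECS fields the rule queries.

    Simplified stand-in for the Filebeat/Fleet aws.cloudtrail pipeline:
    eventSource -> event.provider, eventName -> event.action, and a record
    carrying an errorCode is treated as an unsuccessful call."""
    identity = record.get("userIdentity", {})
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if "errorCode" in record else "success",
        "user.name": identity.get("userName") or identity.get("arn", "<unknown>"),
        "user_agent.original": record.get("userAgent", ""),
        "bucket": record.get("requestParameters", {}).get("bucketName", "<unknown>"),
    }


def matches_rule(event):
    """Python equivalent of the rule's KQL query."""
    return (
        event["event.dataset"] == "aws.cloudtrail"
        and event["event.provider"] == "s3.amazonaws.com"
        and event["event.action"] in WATCHED_ACTIONS
        and event["event.outcome"] == "success"
    )


def is_exempt(event):
    """True when the actor and user agent match a known automation entry."""
    return any(
        event["user.name"] == name and event["user_agent.original"].startswith(prefix)
        for name, prefix in KNOWN_AUTOMATION
    )


def triage(records):
    """Return {actor: {bucket: [deleted components in order]}} for the alerts
    that survive the exemption list."""
    alerts = defaultdict(lambda: defaultdict(list))
    for event in map(normalise, records):
        if matches_rule(event) and not is_exempt(event):
            alerts[event["user.name"]][event["bucket"]].append(event["event.action"])
    return {actor: dict(buckets) for actor, buckets in alerts.items()}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Run as a script it reports only alice, with both DeleteBucketEncryption and DeleteBucketReplication against finance-archive: the denied DeleteBucketPolicy drops out on event.outcome, GetBucketPolicy is outside the action set, and the Terraform lifecycle change matches the query but is filtered by the exemption. Keying exemptions on both the principal and the user agent, rather than the principal alone, keeps a compromised automation credential used interactively from inheriting the exemption.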
