AWS S3 Bucket Configuration Deletion

Identifies the deletion of critical Amazon S3 bucket configurations such as bucket policies, lifecycle configurations or encryption settings. These actions are typically administrative but may also represent adversarial attempts to remove security controls, disable data retention mechanisms, or conceal evidence of malicious activity. Adversaries who gain access to AWS credentials may delete logging, lifecycle, or policy configurations to disrupt forensic visibility and inhibit recovery. For example, deleting a bucket policy can open a bucket to public access or remove protective access restrictions, while deleting lifecycle rules can prevent object archival or automatic backups. Such actions often precede data exfiltration or destructive operations and should be reviewed in context with related S3 or IAM events.

Elastic rule

[metadata]
creation_date = "2020/05/27"
integration = ["aws"]
maturity = "production"
updated_date = "2025/10/29"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of critical Amazon S3 bucket configurations such as bucket policies, lifecycle configurations
or encryption settings. These actions are typically administrative but may also represent
adversarial attempts to remove security controls, disable data retention mechanisms, or conceal evidence of malicious
activity. Adversaries who gain access to AWS credentials may delete logging, lifecycle, or policy configurations to
disrupt forensic visibility and inhibit recovery. For example, deleting a bucket policy can open a bucket to public
access or remove protective access restrictions, while deleting lifecycle rules can prevent object archival or automatic
backups. Such actions often precede data exfiltration or destructive operations and should be reviewed in context with
related S3 or IAM events.
"""
false_positives = [
    """
    Bucket configurations may be deleted by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Bucket configuration deletions by unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Bucket Configuration Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS S3 Bucket Configuration Deletion

Amazon S3 is a scalable storage service where configurations like policies, replication, and encryption ensure data security and compliance. The detection rule monitors successful deletions of these configurations via the following APIs: `DeleteBucketPolicy`, `DeleteBucketReplication`, `DeleteBucketCors`, `DeleteBucketEncryption` or `DeleteBucketLifecycle`. These operations can be used by an adversary to remove visibility, erase governance or compliance controls, or prepare a bucket for destructive or exfiltration activity.  
Deleting or disabling important configurations may hamper audit trails, hide malicious changes, or reduce the ability for recovery. The detection of these deletes is therefore a potential indicator of defense evasion or impact techniques.

#### Possible investigation steps

- **Identify the Actor and Context**  
  - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.access_key_id` and `aws.cloudtrail.user_identity.type` to identify who performed the deletion.  
  - Determine whether the actor typically manages bucket configurations, or if this is an unusual identity for this kind of operation.  
  - Check `source.ip`, `user_agent.original`, `cloud.region` for anomalous behaviour (unfamiliar IPs, new tooling or region, off-hours actions).

- **Determine the Affected Bucket and Configuration Type**  
  - Examine `aws.cloudtrail.request_parameters` (and `aws.cloudtrail.resources.arn`) to identify the bucket and the sub-resource that was removed.  
  - Determine whether the bucket is used for critical data (audit logs, backups, data warehouse). If so, the deletion is higher risk.

- **Correlate with Other Activity to Establish Chain of Events**  
  - Search for preceding or concurrent CloudTrail events by the same actor or on the same bucket, e.g.:  
    - Removal of logging or access controls (`PutBucketLogging`, `PutBucketAcl`, `PutBucketPolicy`).  
    - Object-level actions soon after configuration removal (`DeleteObject`, `DeleteObjects`, `PutObject`, cross-account copy) that suggest data removal or exfiltration.  
  - Review for configuration additions or changes immediately prior (e.g., versioning disabled, replication removed) — could form part of a larger attack sequence.  

- **Evaluate Intent and Risk**  
  - Confirm whether the change is aligned with an approved change control process (maintenance, re-architecting, cost-optimization).  
  - If no documented justification, or if it affects buckets with sensitive or compliance-related data, treat it as potential malicious behavior.  
  - Prioritize buckets where configuration deletion significantly reduces visibility or recovery capability.

### False positive analysis

- **Scheduled Maintenance or Re-architecture**:  
  - Valid operations may include migrating buckets, retiring services, or reorganizing storage; verify through change logs.  
- **Automation/DevOps Activity**:  
  - Infrastructure-as-Code pipelines or lifecycle clean-up tasks may remove configurations; validate known automation scopes and service-principals.  
- **Test/Development Buckets**:  
  - Non-production environments may frequently change bucket configurations; document and consider whitelisting accordingly.

### Response and remediation

**1. Containment & Immediate Actions**  
- Temporarily restrict the IAM user or role that performed the deletion, especially for `DeleteBucketPolicy`, `DeleteBucketEncryption`, or `DeleteBucketLifecycle`.  
- Restore missing configurations as soon as possible (e.g., re-apply bucket policy, lifecycle rules, inventory configuration) to prevent further blind spots.

**2. Investigation & Scope Assessment**  
- Using CloudTrail and S3 Data Events, check object-level activity from the timeframe immediately before and after the configuration deletion. Look for bulk deletes, new uploads, or copies to external accounts.  
- Check whether other buckets in the account suffered similar configuration changes – potentially part of a wider campaign.

**3. Recovery & Hardening**  
- Recover affected bucket configurations and ensure they match your organizational baseline and compliance standards (e.g., logging enabled, inventory configured, lifecycle rules active).  
- Enable AWS Config rules such as `s3-bucket-policy-check`, `s3-bucket-lifecycle-configuration-check`, `s3-bucket-logging-enabled` to monitor for unauthorized changes.  
- Apply least-privilege for configuration deletion permissions; segregate duties so bucket config deletion can only be done via controlled workflows and require multi-step approval.

**4. Lessons Learned & Prevention**  
- Conduct a post-incident review to determine root cause (credential compromise, misconfigured automation, malicious insider) and strengthen monitoring, alerting and access controls accordingly.

"""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html",
]
risk_score = 21
rule_id = "227dc608-e558-43d9-b521-150772250bae"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon S3",
    "Use Case: Asset Visibility",
    "Tactic: Defense Evasion",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and 
    event.provider:s3.amazonaws.com and
    event.action:(DeleteBucketPolicy or 
                    DeleteBucketReplication or 
                    DeleteBucketCors or 
                    DeleteBucketEncryption or 
                    DeleteBucketLifecycle) and 
    event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1490"
name = "Inhibit System Recovery"
reference = "https://attack.mitre.org/techniques/T1490/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
