AWS S3 Bucket Expiration Lifecycle Configuration Added
Identifies the addition of an expiration lifecycle configuration to an Amazon S3 bucket. S3 lifecycle rules can automatically delete or transition objects after a defined period. Adversaries can abuse them by configuring auto-deletion of logs, forensic evidence, or sensitive objects to cover their tracks. This rule detects the use of the PutBucketLifecycle or PutBucketLifecycleConfiguration APIs with Expiration parameters, which may indicate an attempt to automate the removal of data to hinder investigation or maintain operational secrecy after malicious activity.
Elastic rule source (TOML):
```toml
[metadata]
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Identifies the addition of an expiration lifecycle configuration to an Amazon S3 bucket. S3 lifecycle rules can
automatically delete or transition objects after a defined period. Adversaries can abuse them by configuring
auto-deletion of logs, forensic evidence, or sensitive objects to cover their tracks. This rule detects the use of the
PutBucketLifecycle or PutBucketLifecycleConfiguration APIs with Expiration parameters, which may indicate an attempt to
automate the removal of data to hinder investigation or maintain operational secrecy after malicious activity.
"""
event_category_override = "event.type"
false_positives = [
    """
    Legitimate administrators may add lifecycle expiration configurations to reduce storage costs or enforce retention
    policies. Confirm whether this change aligns with an approved data management policy or infrastructure-as-code
    workflow. Known lifecycle automation processes (e.g., cost-management tools, data-lifecycle governance jobs) can be
    safely excluded from alerting once verified.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "eql"
license = "Elastic License v2"
name = "AWS S3 Bucket Expiration Lifecycle Configuration Added"
note = """## Triage and analysis

### Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added

This rule detects when a lifecycle expiration policy is added to an S3 bucket via the `PutBucketLifecycle` or `PutBucketLifecycleConfiguration` API. Note: `PutBucketLifecycleConfiguration` is the newer supported API call; however, both of these API calls show up as `PutBucketLifecycle` in CloudTrail [ref](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-bucket-level-tracking).
Lifecycle expiration automatically deletes objects after a defined period (`Expiration:Days`), which can be leveraged by adversaries to erase logs, exfiltration evidence, or security artifacts before detection and response teams can review them.

Because deletion is automated and often silent, detecting the initial configuration event is critical.

#### Possible investigation steps

**Identify the actor and execution context**

- **Principal and Identity Type**:
  Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.access_key_id`.
  Determine if the actor is an IAM user, role, or automation service account.
  - Unusual: temporary credentials, federated roles, or previously inactive accounts.
- **Source Information**:
  Review `source.ip`, `cloud.region`, and `user_agent.original` for unexpected geolocations, tool usage (CLI, SDK, automation service), or newly-observed hosts.
- **Timestamp correlation**:
  Use `@timestamp` to check if this activity occurred during change windows or off-hours.

**Examine the lifecycle configuration details**
- Extract details from `aws.cloudtrail.request_parameters`:
  - `Expiration`: Number of days until deletion (e.g., `Days=1` indicates rapid expiry).
  - `Prefix`: If limited to certain object paths (e.g., `/logs/`, `/tmp/`).
  - `Status`: `Enabled` vs. `Disabled`.
  - `ID` or rule name: May reveal purpose (“cleanup-test”, “delete-logs”).
- Determine the affected bucket from `aws.cloudtrail.resources.arn` or `aws.cloudtrail.resources.type`.
  Cross-check the bucket’s purpose (e.g., log storage, data lake, analytics export, threat forensics).
  - High-risk if the bucket contains audit, CloudTrail, or application logs.

**Correlate with related AWS activity**
Use AWS CloudTrail search or your SIEM to pivot for:
- **Prior suspicious activity**:
  - `DeleteObject`, `PutBucketPolicy`, `PutBucketAcl`, or `PutBucketLogging` changes to disable visibility.
  - IAM changes such as `AttachUserPolicy` or `CreateAccessKey` that may have enabled this modification.
- **Subsequent changes**:
  - `PutBucketLifecycle` events in other buckets (repeated pattern).
  - Rapid `DeleteObject` events, or the expirations themselves. Note that lifecycle expirations are performed by S3 rather than by the actor, so look for them in the bucket's S3 server access logs (operation `S3.EXPIRE.OBJECT`) rather than expecting a `DeleteObject` CloudTrail event from the same principal.
- **Cross-account activity**:
  - Lifecycle rules followed by replication or cross-account copy events may indicate lateral exfiltration setup.

**Assess intent and risk**
- Verify if the actor has a valid business case for altering object retention.
- If the bucket is used for security, compliance, or audit data, treat this as potential defense evasion.
- Evaluate whether the lifecycle rule removes data faster than your retention policy permits.

### False positive analysis

- **Cost optimization**: Storage teams may automate lifecycle policies to reduce cost on infrequently accessed data.
- **Compliance enforcement**: Organizations implementing legal retention policies may set expiration for specific datasets.
- **Automation and IaC pipelines**: Terraform or CloudFormation templates often apply `PutBucketLifecycle` during resource deployment.

### Response and remediation

**Containment and validation**
**Revert or disable** the lifecycle configuration if it is unauthorized:
  - Capture the current configuration first as evidence: `aws s3api get-bucket-lifecycle-configuration --bucket <bucket>`.
  - Remove it entirely with `aws s3api delete-bucket-lifecycle --bucket <bucket>`, or, to keep legitimate rules, set the offending rule's `Status` to `Disabled` in the saved JSON and re-apply it with `aws s3api put-bucket-lifecycle-configuration --bucket <bucket> --lifecycle-configuration file://rules.json` (the option takes a full configuration document, not a bare `Disabled` flag).
**Preserve evidence**:
  - Copy existing objects (especially logs or forensic data) before they expire.
  - Enable object versioning or replication to protect against loss. With versioning enabled, an `Expiration` rule only adds a delete marker, so check that the rule carries no `NoncurrentVersionExpiration` element that would still purge the retained versions.

**Investigation**
Review CloudTrail and S3 Access Logs for the same bucket:
  - Identify who and what performed previous deletions.
  - Determine whether any objects of investigative value have already been removed.
Search for other S3 buckets where similar lifecycle configurations were added in a short timeframe.

**Recovery and hardening**
Implement guardrails:
  - Use AWS Config to record `AWS::S3::Bucket` configuration history and alert on lifecycle changes; a managed rule such as `s3-lifecycle-policy-check` can additionally enforce an expected lifecycle policy.
  - Restrict `s3:PutLifecycleConfiguration` to specific administrative roles (for example with a bucket policy or SCP `Deny` statement conditioned on the principal's role ARN).
  - Enable [S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html) on log or evidence buckets to enforce immutability.
Enable Security Hub and GuardDuty findings for additional anomaly detection on S3 data management activity.

### Additional information

- **AWS Documentation**
  - [S3 Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html)
  - [DeleteBucketLifecycle API Reference](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html)
- **AWS Playbooks**
  - [Data Exposure and Exfiltration Response](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/IRP-PersonalDataBreach.md)
  - [AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/main)
"""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html",
]
risk_score = 21
rule_id = "ff320c56-f8fa-11ee-8c44-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon S3",
    "Use Case: Asset Visibility",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
info where event.dataset == "aws.cloudtrail"
    and event.action == "PutBucketLifecycle"
    and event.outcome == "success"
    and stringContains(aws.cloudtrail.request_parameters, "Expiration=")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[[rule.threat.technique.subtechnique]]
id = "T1485.001"
name = "Lifecycle-Triggered Deletion"
reference = "https://attack.mitre.org/techniques/T1485/001/"



[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
```
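The rule's EQL query and the "Examine the lifecycle configuration details" triage steps, as an added Python example that is not part of the Elastic rule or the AWS integration. It re-implements the query's predicate over raw CloudTrail records (`eventName`, absence of `errorCode`, an `Expiration` element in the lifecycle rules) and pulls out the fields the investigation guide asks for. The CloudTrail records, bucket names and ARNs are constructed, `event.outcome == "success"` is assumed to correspond to a record without `errorCode`, and the "high risk" heuristics (log-like bucket or prefix names, expiry within seven days) are this example's own, not an Elastic or AWS classification.

```python
import re
from typing import Any

# Heuristic used only by this example to rank alerts; not an AWS or Elastic classification.
LOG_BUCKET_HINT = re.compile(r"cloudtrail|log|audit|forensic", re.IGNORECASE)

# Constructed CloudTrail records (not captured from a real account). Raw CloudTrail keeps
# requestParameters as JSON; the Elastic integration flattens it into the string that the
# EQL query searches with stringContains(..., "Expiration=").
SAMPLE_RECORDS: list[dict[str, Any]] = [
    {   # 1. one-day expiration on a CloudTrail log bucket: should alert
        "eventTime": "2025-03-01T02:14:09Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketLifecycle",   # PutBucketLifecycleConfiguration is logged under this name too
        "sourceIPAddress": "203.0.113.7",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000001",
                         "arn": "arn:aws:sts::111122223333:assumed-role/CostTooling/ops"},
        "requestParameters": {
            "bucketName": "corp-cloudtrail-logs",
            "LifecycleConfiguration": {"Rule": [
                {"ID": "delete-logs", "Status": "Enabled",
                 "Filter": {"Prefix": "AWSLogs/"}, "Expiration": {"Days": 1}}]}}},
    {   # 2. storage-class transition only, no Expiration element: no alert
        "eventTime": "2025-03-01T02:20:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketLifecycle",
        "sourceIPAddress": "203.0.113.7",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000002",
                         "arn": "arn:aws:iam::111122223333:user/storage-admin"},
        "requestParameters": {
            "bucketName": "corp-data-lake",
            "LifecycleConfiguration": {"Rule":   # a single rule arrives as an object, not a list
                {"ID": "tier-down", "Status": "Enabled", "Filter": {},
                 "Transition": {"Days": 30, "StorageClass": "GLACIER"}}}}},
    {   # 3. same request as 1 but denied: errorCode present, so event.outcome != success
        "eventTime": "2025-03-01T02:25:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketLifecycle",
        "errorCode": "AccessDenied",
        "sourceIPAddress": "198.51.100.9",
        "userAgent": "Boto3/1.34.0",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000003",
                         "arn": "arn:aws:iam::111122223333:user/intern"},
        "requestParameters": {
            "bucketName": "corp-cloudtrail-logs",
            "LifecycleConfiguration": {"Rule": [
                {"ID": "cleanup-test", "Status": "Enabled", "Expiration": {"Days": 1}}]}}},
]


def _rules(record: dict) -> list[dict]:
    """Lifecycle rules from the request, normalised to a list."""
    lc = record.get("requestParameters", {}).get("LifecycleConfiguration", {})
    rules = lc.get("Rule", [])
    return rules if isinstance(rules, list) else [rules]


def parse_rule(rule: dict) -> dict:
    """The triage fields the guide lists: ID, Status, Prefix and the Expiration settings."""
    exp = rule.get("Expiration") or {}
    filt = rule.get("Filter") or {}
    return {"id": rule.get("ID"), "status": rule.get("Status"),
            "prefix": filt.get("Prefix") or rule.get("Prefix") or "",  # legacy rules put Prefix at top level
            "days": exp.get("Days"), "date": exp.get("Date")}


def matches_rule(record: dict) -> bool:
    """Mirror of the EQL query: a successful S3 PutBucketLifecycle carrying an Expiration element."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") == "PutBucketLifecycle"
            and "errorCode" not in record
            and any("Expiration" in r for r in _rules(record)))


def triage(record: dict) -> dict:
    """Actor, source and configuration details for a matching record, plus risk reasons."""
    ident = record.get("userIdentity", {})
    bucket = record.get("requestParameters", {}).get("bucketName")
    rules = [parse_rule(r) for r in _rules(record) if "Expiration" in r]
    reasons = []
    if bucket and LOG_BUCKET_HINT.search(bucket):
        reasons.append("bucket name suggests log/audit data")
    for r in rules:
        if r["status"] == "Enabled" and r["days"] is not None and r["days"] <= 7:
            reasons.append(f"rule {r['id']!r} expires objects after {r['days']} day(s)")
        if LOG_BUCKET_HINT.search(r["prefix"]):
            reasons.append(f"rule {r['id']!r} targets prefix {r['prefix']!r}")
    return {"time": record.get("eventTime"), "actor_arn": ident.get("arn"),
            "actor_type": ident.get("type"), "access_key_id": ident.get("accessKeyId"),
            "source_ip": record.get("sourceIPAddress"), "user_agent": record.get("userAgent"),
            "bucket": bucket, "rules": rules, "high_risk": bool(reasons), "reasons": reasons}


def run(records: list[dict]) -> list[dict]:
    """Apply the detection to a batch of records and return a triage summary per hit."""
    return [triage(r) for r in records if matches_rule(r)]


if __name__ == "__main__":
    for hit in run(SAMPLE_RECORDS):
        print(hit)
```

Only the first record produces a hit; the transition-only change has no `Expiration` element and the denied request fails the success check, which is the same filtering the EQL `event.outcome == "success"` clause performs.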
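The "Containment and validation" and "Preserve evidence" steps, as an added Python example that is not Elastic's or AWS's code. Given the configuration returned by `aws s3api get-bucket-lifecycle-configuration` and an object listing, it projects when each object would be expired (S3 adds the rule's `Days` to the object's creation time and rounds to the next midnight UTC), lists the rules that delete faster than a retention floor, and builds the copy of the configuration, with the offending rules set to `Disabled`, that `put-bucket-lifecycle-configuration --lifecycle-configuration file://rules.json` would take. The lifecycle configuration, object listing and 365-day retention floor are constructed values; date-based expiration and `NoncurrentVersionExpiration` are deliberately out of scope.

```python
import copy
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION_FLOOR_DAYS = 365   # assumed organisational minimum for log retention (example value)

# Constructed: what `aws s3api get-bucket-lifecycle-configuration` returns for the bucket.
LIFECYCLE = {"Rules": [
    {"ID": "delete-logs", "Status": "Enabled", "Filter": {"Prefix": "AWSLogs/"},
     "Expiration": {"Days": 1}},
    {"ID": "tier-down", "Status": "Enabled", "Filter": {},
     "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}]},
    {"ID": "old-exports", "Status": "Enabled", "Filter": {"Prefix": "exports/"},
     "Expiration": {"Days": 400}},
]}

# Constructed: a slice of `aws s3api list-objects-v2` output (Key and LastModified only).
OBJECTS = [
    {"Key": "AWSLogs/111122223333/CloudTrail/eu-west-1/2025/02/28/trail.json.gz",
     "LastModified": "2025-02-28T23:10:00Z"},
    {"Key": "exports/q1.csv", "LastModified": "2025-01-15T09:00:00Z"},
    {"Key": "README.txt", "LastModified": "2024-06-01T12:00:00Z"},
]


def _parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def rule_prefix(rule: dict) -> str:
    """Prefix a rule applies to: Filter.Prefix, Filter.And.Prefix, or the legacy top-level Prefix."""
    filt = rule.get("Filter") or {}
    return filt.get("Prefix") or (filt.get("And") or {}).get("Prefix") or rule.get("Prefix") or ""


def expiry_time(last_modified: datetime, days: int) -> datetime:
    """S3 adds Days to the object's creation time and rounds to the next midnight UTC."""
    t = last_modified + timedelta(days=days)
    return datetime(t.year, t.month, t.day, tzinfo=timezone.utc) + timedelta(days=1)


def projected_expiry(key: str, last_modified: str, config: dict) -> Optional[str]:
    """Earliest projected deletion (ISO 8601 UTC) across enabled Expiration.Days rules, or None."""
    candidates = []
    for rule in config.get("Rules", []):
        days = (rule.get("Expiration") or {}).get("Days")
        if rule.get("Status") == "Enabled" and days and key.startswith(rule_prefix(rule)):
            candidates.append(expiry_time(_parse_ts(last_modified), days))
    return min(candidates).strftime("%Y-%m-%dT%H:%M:%SZ") if candidates else None


def preservation_report(objects: list, config: dict) -> list:
    """Objects ordered by projected expiry, soonest first: copy these out in this order."""
    rows = [{"Key": o["Key"], "expires": projected_expiry(o["Key"], o["LastModified"], config)}
            for o in objects]
    return sorted(rows, key=lambda r: (r["expires"] is None, r["expires"] or ""))


def rules_below_floor(config: dict, floor_days: int = RETENTION_FLOOR_DAYS) -> list:
    """IDs of enabled expiration rules that delete faster than the retention floor allows."""
    return [r["ID"] for r in config.get("Rules", [])
            if r.get("Status") == "Enabled"
            and (r.get("Expiration") or {}).get("Days", floor_days) < floor_days]


def disabled_config(config: dict, rule_ids: Optional[list] = None) -> dict:
    """Copy of the configuration with the named rules (default: every expiration rule) set to
    Disabled. The input is left untouched so the captured original stays usable as evidence."""
    out = copy.deepcopy(config)
    for rule in out["Rules"]:
        target = ("Expiration" in rule) if rule_ids is None else (rule["ID"] in rule_ids)
        if target:
            rule["Status"] = "Disabled"
    return out


if __name__ == "__main__":
    print(json.dumps(preservation_report(OBJECTS, LIFECYCLE), indent=2))
    print("below retention floor:", rules_below_floor(LIFECYCLE))
    # Write this to rules.json and re-apply it with put-bucket-lifecycle-configuration.
    print(json.dumps(disabled_config(LIFECYCLE), indent=2))
```

Run the report before anything else: an object whose expiry lands at the next midnight UTC leaves very little time, and re-applying the disabled configuration does not restore objects S3 has already expired.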
References
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html
Related rules
- AWS S3 Bucket Configuration Deletion
- AWS S3 Bucket Server Access Logging Disabled
- AWS S3 Unauthenticated Bucket Access by Rare Source
- AWS Config Resource Deletion
- AWS EC2 Export Task