AWS S3 Bucket Expiration Lifecycle Configuration Added

Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.

Elastic rule

```toml
[metadata]
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"

[rule]
author = ["Elastic"]
description = """
Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage
objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to
an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of
time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.
"""
false_positives = [
    """
    Bucket components may be deleted or adjusted by a system or network administrator. Verify whether the user identity,
    user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar
    users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
    rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Bucket Expiration Lifecycle Configuration Added"
note = """
## Triage and Analysis

### Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added

This rule detects when an expiration lifecycle configuration is added to an S3 bucket in AWS. Such configurations automate the deletion of objects within a bucket after a specified period, and can destroy evidence of unauthorized access or malicious activity by automatically removing logs or other data.

#### Detailed Investigation Steps

- **Review the Affected S3 Bucket**: Check the bucket details (`bucketName`) where the lifecycle configuration has been added.
    - Determine the contents and importance of the data stored in this bucket to assess the impact of the lifecycle policy. Buckets that hold CloudTrail, VPC flow, load balancer or application logs, or backups, are the highest-value targets for this technique.
- **Analyze the Lifecycle Configuration**:
  - **Expiration Policy**: Note the `Days` (or `Date`) value under `Expiration` in the lifecycle rule. `Days` is counted from each object's creation time, not from when the rule was added, so objects already older than the threshold become eligible for deletion at the next daily lifecycle run. A short value on a bucket that holds logs or backups is the pattern to worry about. The query's `*Expiration=*` wildcard also matches `NoncurrentVersionExpiration`, which purges older object versions and can defeat versioning as a recovery path.
  - **Rule ID, Status and Filter**: Review the `ID` and `Status` of the lifecycle rule, and its `Filter` (prefix or tags), to understand which objects it covers and whether it is active. A rule with `Status` set to `Disabled` takes no action until it is enabled.
- **User Identity and Activity**:
  - **User Details**: Investigate the user (`user_identity.arn`) who made the change. Determine whether this user's role typically involves managing S3 bucket configurations.
  - **Authentication Details**: Examine the authentication method and whether the access key used (`access_key_id`) is routinely used for such configurations or if it has deviated from normal usage patterns.
- **Source IP and User Agent**:
  - **Source IP Address**: The IP address (`source.ip`) from which the request was made can provide clues about the geographical location of the requester. Determine if this location aligns with the user's known locations.
  - **User Agent**: Analyze the user agent string to understand the type of client or service that made the request, which can help identify scripted automation versus manual changes.

#### Possible Indicators of Compromise or Misuse

- **Frequent Changes**: Look for frequent modifications to lifecycle policies in the same or multiple buckets, which can indicate attempts to manipulate data retention dynamically.
- **Unusual User Activity**: Activities that do not correlate with the user's typical behavior patterns, such as making changes during odd hours or from unusual locations, should be flagged for further investigation.

### False Positive Analysis

- Verify the operational requirements that might necessitate such lifecycle policies, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons. Infrastructure-as-code tooling (identifiable from the user agent and the assumed role) is a common legitimate source of these events.

### Response and Remediation

- **Immediate Review**: If the change was unauthorized, record the current configuration for evidence and then revert or remove it immediately to prevent further data loss. Objects already removed by the rule are not recoverable unless versioning or a replica exists.
- **Enhance Monitoring**: Implement monitoring to alert on changes to lifecycle configurations across your S3 environments.
- **User Education**: Ensure that users with access to critical resources like S3 buckets are aware of the best practices and company policies regarding data retention and security.

### Additional Information

For further guidance on managing S3 lifecycle policies and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on [S3 Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html).
"""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html",
]
risk_score = 21
rule_id = "ff320c56-f8fa-11ee-8c44-f661ea17fbce"
setup = "This rule requires S3 bucket-level API calls such as PutBucketLifecycle to be logged to CloudTrail. These are management events, which a CloudTrail trail records by default; S3 object-level data events are not required for this rule."
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon S3",
    "Use Case: Asset Visibility",
    "Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail" and event.provider: "s3.amazonaws.com" and
    event.action: PutBucketLifecycle and event.outcome: success and
    aws.cloudtrail.request_parameters: (*LifecycleConfiguration* and *Expiration=*)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
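The query above, replayed in Python over constructed CloudTrail records, as an added example that is not Elastic's code and not part of the rule. It applies the query's four conditions to the raw CloudTrail JSON instead of Elastic's flattened `request_parameters` string, pulls out the triage fields the note lists (bucket, rule ID, Status and prefix, retention days, actor ARN, access key, source IP, user agent), and implements the "frequent changes" indicator as a per-actor time window. The principals, bucket names, addresses and user agents are invented; the record shape follows CloudTrail's, with `Rule` as either an object or a list because CloudTrail serialises the XML request body.

```python
"""Added example (not Elastic's code): replay the rule's conditions over constructed
CloudTrail records and pull out the fields the triage steps ask for."""
from datetime import datetime, timedelta

ALICE = "arn:aws:iam::123456789012:user/alice"  # hypothetical principals
CI_ROLE = "arn:aws:sts::123456789012:assumed-role/TerraformApply/ci"

def _rec(bucket, rule, arn=ALICE, time="2024-04-12T09:15:42Z", ip="203.0.113.7",
         ua="aws-cli/2.15.30 Python/3.11.8", error=None):
    """Minimal CloudTrail-shaped PutBucketLifecycle record (constructed data)."""
    r = {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
         "userIdentity": {"arn": arn, "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
         "sourceIPAddress": ip, "userAgent": ua,
         "requestParameters": {"bucketName": bucket, "lifecycle": "",
                               "LifecycleConfiguration": {"Rule": rule}}}
    if error:
        r["errorCode"] = error  # CloudTrail sets errorCode on failed calls
    return r

SAMPLE_CLOUDTRAIL = [
    # Expire every object after one day on an audit-log bucket: should alert.
    _rec("finance-audit-logs", {"ID": "expire-all", "Status": "Enabled",
                                "Filter": {"Prefix": ""}, "Expiration": {"Days": 1}}),
    # Transition only, no Expiration element: must not alert.
    _rec("web-assets", {"ID": "to-ia", "Status": "Enabled",
                        "Transition": {"Days": 30, "StorageClass": "STANDARD_IA"}},
         arn="arn:aws:iam::123456789012:user/buildbot", time="2024-04-12T09:20:00Z"),
    # Denied attempt: event.outcome is not success, must not alert.
    _rec("finance-audit-logs", {"ID": "expire-all", "Status": "Enabled", "Expiration": {"Days": 1}},
         arn="arn:aws:iam::123456789012:user/mallory", time="2024-04-12T09:30:00Z",
         error="AccessDenied"),
    # Several <Rule>s serialise as a list; NoncurrentVersionExpiration still ends in
    # "Expiration", so the query's *Expiration=* wildcard matches it too.
    _rec("cloudtrail-archive", [
        {"ID": "to-glacier", "Status": "Enabled", "Transition": {"Days": 90, "StorageClass": "GLACIER"}},
        {"ID": "drop-old-versions", "Status": "Enabled",
         "NoncurrentVersionExpiration": {"NoncurrentDays": "1"}}], time="2024-04-12T09:40:10Z"),
    # Date-based, disabled rule pushed by CI: alerts, but the actor and user agent point at automation.
    _rec("data-lake-raw", {"ID": "purge-2025", "Status": "Disabled", "Filter": {"Prefix": "tmp/"},
                           "Expiration": {"Date": "2025-01-01T00:00:00Z"}},
         arn=CI_ROLE, time="2024-04-12T11:02:00Z", ip="198.51.100.9",
         ua="APN/1.0 HashiCorp/1.0 Terraform/1.7.5"),
]

def expiration_rules(record):
    """Rules carrying any *Expiration element (Expiration, NoncurrentVersionExpiration), the
    set the query's wildcard selects. CloudTrail serialises the XML body, so one <Rule> is an
    object and several are a list."""
    params = record.get("requestParameters") or {}
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
    out = []
    for rule in rules if isinstance(rules, list) else [rules]:
        exp = {k: v for k, v in rule.items() if k.endswith("Expiration")}
        if exp:
            out.append({"id": rule.get("ID"), "status": rule.get("Status"),
                        "prefix": (rule.get("Filter") or {}).get("Prefix"), "expiration": exp})
    return out

def matches_rule(record):
    """The query's four conditions: event.provider, event.action, event.outcome, wildcard."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") == "PutBucketLifecycle"
            and "errorCode" not in record
            and bool(expiration_rules(record)))

def _days(exp):
    """Day counts from Expiration.Days / NoncurrentVersionExpiration.NoncurrentDays (may be
    strings); a Date-based expiration yields nothing."""
    for key, sub in (("Expiration", "Days"), ("NoncurrentVersionExpiration", "NoncurrentDays")):
        try:
            yield int((exp.get(key) or {}).get(sub))
        except (TypeError, ValueError):
            continue

def triage(record):
    """The fields the investigation steps call for, in one dict."""
    ident = record.get("userIdentity") or {}
    rules = expiration_rules(record)
    days = [d for r in rules for d in _days(r["expiration"])]
    return {"time": record["eventTime"], "bucket": record["requestParameters"].get("bucketName"),
            "actor_arn": ident.get("arn"), "access_key": ident.get("accessKeyId"),
            "source_ip": record.get("sourceIPAddress"), "user_agent": record.get("userAgent"),
            "rules": rules, "enabled": any(r["status"] == "Enabled" for r in rules),
            "min_days": min(days) if days else None}

def alerts(records):
    return [triage(r) for r in records if matches_rule(r)]

def frequent_changers(found, window=timedelta(hours=1), threshold=2):
    """'Frequent Changes' indicator: actors adding expiration rules to >= threshold buckets in a window."""
    ts = lambda a: datetime.strptime(a["time"], "%Y-%m-%dT%H:%M:%SZ")
    flagged = {}
    for a in found:
        near = {b["bucket"] for b in found if b["actor_arn"] == a["actor_arn"]
                and timedelta(0) <= ts(b) - ts(a) <= window}
        if len(near) >= threshold:
            flagged.setdefault(a["actor_arn"], sorted(near))
    return flagged
```

Run against the five constructed records, `alerts()` fires on three of them: the one-day expiration on the audit-log bucket, the `NoncurrentVersionExpiration` rule (caught only because the wildcard matches the suffix), and the disabled, date-based rule from CI, which the `enabled` flag and the Terraform user agent let an analyst deprioritise quickly. The transition-only change and the `AccessDenied` attempt do not fire, and `frequent_changers()` singles out the one principal that touched two buckets within an hour.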

