AWS S3 Bucket Expiration Lifecycle Configuration Added
Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/04/12"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2024/07/23"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage
11objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to
12an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of
13time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.
14"""
15false_positives = [
16 """
17 Bucket components may be deleted or adjusted by a system or network administrator. Verify whether the user identity,
18 user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar
19 users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
20 rule.
21 """,
22]
23from = "now-60m"
24index = ["filebeat-*", "logs-aws.cloudtrail*"]
25interval = "10m"
26language = "kuery"
27license = "Elastic License v2"
28name = "AWS S3 Bucket Expiration Lifecycle Configuration Added"
29note = """
30## Triage and Analysis
31
32### Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added
33
34This rule detects when an expiration lifecycle configuration is added to an S3 bucket in AWS. Such configurations can automate the deletion of objects within a bucket after a specified period, potentially obfuscating evidence of unauthorized access or malicious activity by automatically removing logs or other data.
35
36#### Detailed Investigation Steps
37
38- **Review the Affected S3 Bucket**: Check the bucket details (`bucketName`) where the lifecycle configuration has been added.
39 - Determine the contents and importance of the data stored in this bucket to assess the impact of the lifecycle policy.
40- **Analyze the Lifecycle Configuration**:
41 - **Expiration Policy**: Note the `Days` parameter under `Expiration` in the lifecycle rule. This indicates how long after creation data will remain in the bucket before being automatically deleted.
42 - **Rule ID and Status**: Review the `ID` and `Status` of the lifecycle rule to understand its operational scope and activation status.
43- **User Identity and Activity**:
44 - **User Details**: Investigate the user (`user_identity.arn`) who made the change. Determine whether this user's role typically involves managing S3 bucket configurations.
45 - **Authentication Details**: Examine the authentication method and whether the access key used (`access_key_id`) is routinely used for such configurations or if it has deviated from normal usage patterns.
46- **Source IP and User Agent**:
47 - **Source IP Address**: The IP address (`source.ip`) from which the request was made can provide clues about the geographical location of the requester. Determine if this location aligns with the user’s known locations.
48 - **User Agent**: Analyze the user agent string to understand the type of client or service that made the request, which can help identify scripted automation versus manual changes.
49
50#### Possible Indicators of Compromise or Misuse
51
52- **Frequent Changes**: Look for frequent modifications to lifecycle policies in the same or multiple buckets, which can indicate attempts to manipulate data retention dynamically.
53- **Unusual User Activity**: Activities that do not correlate with the user's typical behavior patterns, such as making changes during odd hours or from unusual locations, should be flagged for further investigation.
54
55### False Positive Analysis
56
57- Verify the operational requirements that might necessitate such lifecycle policies, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons.
58
59### Response and Remediation
60
61- **Immediate Review**: If the change was unauthorized, consider reverting the lifecycle configuration change immediately to prevent potential data loss.
62- **Enhance Monitoring**: Implement monitoring to alert on changes to lifecycle configurations across your S3 environments.
63- **User Education**: Ensure that users with access to critical resources like S3 buckets are aware of the best practices and company policies regarding data retention and security.
64
65### Additional Information
66
67For further guidance on managing S3 lifecycle policies and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on [S3 Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html).
68"""
69references = [
70 "https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html",
71]
72risk_score = 21
73rule_id = "ff320c56-f8fa-11ee-8c44-f661ea17fbce"
74setup = "This rule requires S3 data events to be logged to CloudTrail. CloudTrail trails can be configured to log S3 data events in the AWS Management Console or using the AWS CLI."
75severity = "low"
76tags = [
77 "Domain: Cloud",
78 "Data Source: AWS",
79 "Data Source: Amazon Web Services",
80 "Data Source: Amazon S3",
81 "Use Case: Asset Visibility",
82 "Tactic: Defense Evasion",
83]
84timestamp_override = "event.ingested"
85type = "query"
86
87query = '''
88event.dataset: "aws.cloudtrail" and event.provider: "s3.amazonaws.com" and
89 event.action: PutBucketLifecycle and event.outcome: success and
90 aws.cloudtrail.request_parameters: (*LifecycleConfiguration* and *Expiration=*)
91'''
92
93
94[[rule.threat]]
95framework = "MITRE ATT&CK"
96[[rule.threat.technique]]
97id = "T1070"
98name = "Indicator Removal"
99reference = "https://attack.mitre.org/techniques/T1070/"
100
101
102[rule.threat.tactic]
103id = "TA0005"
104name = "Defense Evasion"
105reference = "https://attack.mitre.org/tactics/TA0005/"
Triage and Analysis
Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added
This rule detects when an expiration lifecycle configuration is added to an S3 bucket in AWS. Such configurations can automate the deletion of objects within a bucket after a specified period, potentially obfuscating evidence of unauthorized access or malicious activity by automatically removing logs or other data.
Detailed Investigation Steps
- Review the Affected S3 Bucket: Check the bucket details (
bucketName) where the lifecycle configuration has been added.- Determine the contents and importance of the data stored in this bucket to assess the impact of the lifecycle policy.
- Analyze the Lifecycle Configuration:
- Expiration Policy: Note the
Daysparameter underExpirationin the lifecycle rule. This indicates how long after creation data will remain in the bucket before being automatically deleted. - Rule ID and Status: Review the
IDandStatusof the lifecycle rule to understand its operational scope and activation status.
- Expiration Policy: Note the
- User Identity and Activity:
- User Details: Investigate the user (
user_identity.arn) who made the change. Determine whether this user's role typically involves managing S3 bucket configurations. - Authentication Details: Examine the authentication method and whether the access key used (
access_key_id) is routinely used for such configurations or if it has deviated from normal usage patterns.
- User Details: Investigate the user (
- Source IP and User Agent:
- Source IP Address: The IP address (
source.ip) from which the request was made can provide clues about the geographical location of the requester. Determine if this location aligns with the user’s known locations. - User Agent: Analyze the user agent string to understand the type of client or service that made the request, which can help identify scripted automation versus manual changes.
- Source IP Address: The IP address (
Possible Indicators of Compromise or Misuse
- Frequent Changes: Look for frequent modifications to lifecycle policies in the same or multiple buckets, which can indicate attempts to manipulate data retention dynamically.
- Unusual User Activity: Activities that do not correlate with the user's typical behavior patterns, such as making changes during odd hours or from unusual locations, should be flagged for further investigation.
False Positive Analysis
- Verify the operational requirements that might necessitate such lifecycle policies, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons.
Response and Remediation
- Immediate Review: If the change was unauthorized, consider reverting the lifecycle configuration change immediately to prevent potential data loss.
- Enhance Monitoring: Implement monitoring to alert on changes to lifecycle configurations across your S3 environments.
- User Education: Ensure that users with access to critical resources like S3 buckets are aware of the best practices and company policies regarding data retention and security.
Additional Information
For further guidance on managing S3 lifecycle policies and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on S3 Lifecycle Configuration.
References
Related rules
- AWS S3 Bucket Server Access Logging Disabled
- AWS RDS DB Instance Restored
- AWS S3 Bucket Configuration Deletion
- Insecure AWS EC2 VPC Security Group Ingress Rule Added
- AWS RDS DB Instance Made Public