AWS S3 Bucket Expiration Lifecycle Configuration Added

  1[metadata]
  2creation_date = "2024/04/12"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/10/24"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the addition of an expiration lifecycle configuration to an Amazon S3 bucket. S3 lifecycle rules can
 11automatically delete or transition objects after a defined period. Adversaries can abuse them by configuring
 12auto-deletion of logs, forensic evidence, or sensitive objects to cover their tracks. This rule detects the use of the
 13PutBucketLifecycle or PutBucketLifecycleConfiguration APIs with Expiration parameters, which may indicate an attempt to
 14automate the removal of data to hinder investigation or maintain operational secrecy after malicious activity.
 15"""
 16event_category_override = "event.type"
 17false_positives = [
 18    """
 19    Legitimate administrators may add lifecycle expiration configurations to reduce storage costs or enforce retention
 20    policies. Confirm whether this change aligns with an approved data management policy or infrastructure-as-code
 21    workflow. Known lifecycle automation processes (e.g., cost-management tools, data-lifecycle governance jobs) can be
 22    safely excluded from alerting once verified.
 23    """,
 24]
 25from = "now-6m"
 26index = ["filebeat-*", "logs-aws.cloudtrail*"]
 27language = "eql"
 28license = "Elastic License v2"
 29name = "AWS S3 Bucket Expiration Lifecycle Configuration Added"
 30note = """## Triage and analysis
 31
 32### Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added
 33
 34> **Disclaimer**:
 35> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 36
 37This rule detects when a lifecycle expiration policy is added to an S3 bucket via the `PutBucketLifecycle` or `PutBucketLifecycleConfiguration` API. Note: `PutBucketLifecycleConfiguration` is the newer supported API call, however both of these API calls show up as `PutBucketLifecycle` in Cloudtrail [ref](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-bucket-level-tracking).
 38Lifecycle expiration automatically deletes objects after a defined period (`Expiration:Days`), which can be leveraged by adversaries to erase logs, exfiltration evidence, or security artifacts before detection and response teams can review them.
 39
 40Because deletion is automated and often silent, detecting the initial configuration event is critical.
 41
 42#### Possible investigation steps
 43
 44**Identify the actor and execution context**
 45
 46- **Principal and Identity Type**:  
 47  Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.access_key_id`.  
 48  Determine if the actor is an IAM user, role, or automation service account.  
 49  - Unusual: temporary credentials, federated roles, or previously inactive accounts.
 50- **Source Information**:  
 51  Review `source.ip`, `cloud.region`, and `user_agent.original` for unexpected geolocations, tool usage (CLI, SDK, automation service), or newly-observed hosts.
 52- **Timestamp correlation**:  
 53  Use `@timestamp` to check if this activity occurred during change windows or off-hours.
 54
 55**Examine the lifecycle configuration details**
 56- Extract details from `aws.cloudtrail.request_parameters`:
 57  - `Expiration`: Number of days until deletion (e.g., `Days=1` indicates rapid expiry).  
 58  - `Prefix`: If limited to certain object paths (e.g., `/logs/`, `/tmp/`).  
 59  - `Status`: `Enabled` vs. `Disabled`.  
 60  - `ID` or rule name: May reveal purpose (“cleanup-test”, “delete-logs”).
 61- Determine the affected bucket from `aws.cloudtrail.resources.arn` or `aws.cloudtrail.resources.type`.  
 62  Cross-check the bucket’s purpose (e.g., log storage, data lake, analytics export, threat forensics).  
 63  - High-risk if the bucket contains audit, CloudTrail, or application logs.
 64
 65**Correlate with related AWS activity**
 66Use AWS CloudTrail search or your SIEM to pivot for:
 67- **Prior suspicious activity**:
 68  - `DeleteObject`, `PutBucketPolicy`, `PutBucketAcl`, or `PutBucketLogging` changes to disable visibility.
 69  - IAM changes such as `AttachUserPolicy` or `CreateAccessKey` that may have enabled this modification.
 70- **Subsequent changes**:
 71  - `PutBucketLifecycle` events in other buckets (repeated pattern).  
 72  - Rapid `DeleteObject` events or object expiration confirmations.
 73- **Cross-account activity**:
 74  - Lifecycle rules followed by replication or cross-account copy events may indicate lateral exfiltration setup.
 75
 76**Assess intent and risk**
 77- Verify if the actor has a valid business case for altering object retention.  
 78- If the bucket is used for security, compliance, or audit data, treat this as potential defense evasion.  
 79- Evaluate whether the lifecycle rule removes data faster than your retention policy permits.
 80
 81### False positive analysis
 82
 83- **Cost optimization**: Storage teams may automate lifecycle policies to reduce cost on infrequently accessed data.
 84- **Compliance enforcement**: Organizations implementing legal retention policies may set expiration for specific datasets.
 85- **Automation and IaC pipelines**: Terraform or CloudFormation templates often apply `PutBucketLifecycle` during resource deployment.
 86
 87### Response and remediation
 88
 89**Containment and validation**
 901. **Revert or disable** the lifecycle configuration if it is unauthorized:  
 91   - Use the AWS Console or CLI (`delete-bucket-lifecycle` or `put-bucket-lifecycle-configuration --lifecycle-configuration Disabled`).
 922. **Preserve evidence**:  
 93   - Copy existing objects (especially logs or forensic data) before they expire.  
 94   - Enable object versioning or replication to protect against loss.
 95
 96**Investigation**
 973. Review CloudTrail and S3 Access Logs for the same bucket:
 98   - Identify who and what performed previous deletions.
 99   - Determine whether any objects of investigative value have already been removed.
1004. Search for other S3 buckets where similar lifecycle configurations were added in a short timeframe.
101
102**Recovery and hardening**
1035. Implement guardrails:
104   - Use AWS Config rules like `s3-bucket-lifecycle-configuration-check` to monitor lifecycle changes.
105   - Restrict `s3:PutLifecycleConfiguration` to specific administrative roles.
106   - Enable [S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html) on log or evidence buckets to enforce immutability.
1076. Enable Security Hub and GuardDuty findings for additional anomaly detection on S3 data management activity.
108
109### Additional information
110
111- **AWS Documentation**  
112  - [S3 Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html)  
113  - [DeleteBucketLifecycle API Reference](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html)
114- **AWS Playbooks**  
115  - [Data Exposure and Exfiltration Response](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/IRP-PersonalDataBreach.md)  
116  - [AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/main)
117"""
118references = [
119    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html",
120]
121risk_score = 21
122rule_id = "ff320c56-f8fa-11ee-8c44-f661ea17fbce"
123severity = "low"
124tags = [
125    "Domain: Cloud",
126    "Data Source: AWS",
127    "Data Source: Amazon Web Services",
128    "Data Source: Amazon S3",
129    "Use Case: Asset Visibility",
130    "Tactic: Defense Evasion",
131    "Resources: Investigation Guide",
132]
133timestamp_override = "event.ingested"
134type = "eql"
135
136query = '''
137info where event.dataset == "aws.cloudtrail"
138   and event.action == "PutBucketLifecycle"
139   and event.outcome == "success"
140   and stringContains(aws.cloudtrail.request_parameters, "Expiration=")
141'''
142
143
144[[rule.threat]]
145framework = "MITRE ATT&CK"
146[[rule.threat.technique]]
147id = "T1070"
148name = "Indicator Removal"
149reference = "https://attack.mitre.org/techniques/T1070/"
150
151[[rule.threat.technique]]
152id = "T1562"
153name = "Impair Defenses"
154reference = "https://attack.mitre.org/techniques/T1562/"
155[[rule.threat.technique.subtechnique]]
156id = "T1562.008"
157name = "Disable or Modify Cloud Logs"
158reference = "https://attack.mitre.org/techniques/T1562/008/"
159
160
161
162[rule.threat.tactic]
163id = "TA0005"
164name = "Defense Evasion"
165reference = "https://attack.mitre.org/tactics/TA0005/"
166[[rule.threat]]
167framework = "MITRE ATT&CK"
168[[rule.threat.technique]]
169id = "T1485"
170name = "Data Destruction"
171reference = "https://attack.mitre.org/techniques/T1485/"
172[[rule.threat.technique.subtechnique]]
173id = "T1485.001"
174name = "Lifecycle-Triggered Deletion"
175reference = "https://attack.mitre.org/techniques/T1485/001/"
176
177
178
179[rule.threat.tactic]
180id = "TA0040"
181name = "Impact"
182reference = "https://attack.mitre.org/tactics/TA0040/"
183
184[rule.investigation_fields]
185field_names = [
186    "@timestamp",
187    "user.name",
188    "user_agent.original",
189    "source.ip",
190    "aws.cloudtrail.user_identity.arn",
191    "aws.cloudtrail.user_identity.type",
192    "aws.cloudtrail.user_identity.access_key_id",
193    "aws.cloudtrail.resources.arn",
194    "aws.cloudtrail.resources.type",
195    "event.action",
196    "event.outcome",
197    "cloud.account.id",
198    "cloud.region",
199    "aws.cloudtrail.request_parameters",
200]