AWS S3 Bucket Server Access Logging Disabled

  1[metadata]
  2creation_date = "2024/07/12"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/10/27"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when server access logging is disabled for an Amazon S3 bucket. Server access logs provide a detailed record
 11of requests made to an S3 bucket. When server access logging is disabled for a bucket, it could indicate an adversary's
 12attempt to impair defenses by disabling logs that contain evidence of malicious activity.
 13"""
 14event_category_override = "event.type"
 15false_positives = [
 16    """
 17    Bucket logging may be disabled by a system or network administrator. Verify whether the user identity and/or user
 18    agent should be making changes in your environment. Bucket component deletions by unfamiliar users should be
 19    investigated. If known behavior is causing false positives, it can be exempted from the rule.
 20    """,
 21]
 22from = "now-6m"
 23index = ["filebeat-*", "logs-aws.cloudtrail*"]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "AWS S3 Bucket Server Access Logging Disabled"
 27note = """
 28## Triage and analysis
 29
 30### Investigating AWS S3 Bucket Server Access Logging Disabled
 31
 32> **Disclaimer**:
 33> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 34
 35This detection alerts when the server-access logging configuration for an S3 bucket is changed so that logging is disabled.  
 36Because detailed request logs are central to tracking object access, modifications here are significant from a visibility and forensics standpoint. They can signal that an adversary is preparing to act (exfiltrate, delete, or manipulate data) while minimizing audit evidence.
 37
 38#### Possible investigation steps
 39
 40**Identify the actor and context**
 41   - Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.access_key_id` to determine the who/what of the change.  
 42   - Inspect `user_agent.original`, `source.ip`, `@timestamp`, `cloud.account.id`, `cloud.region` for unusual or non-standard access patterns (e.g., new user, external IP, off-hours).
 43   - Check the bucket resource (via `aws.cloudtrail.resources.arn`, `aws.cloudtrail.resources.type`) to determine the bucket’s business role (e.g., logs, backups, sensitive data store).
 44        - Consider whether the bucket houses audit logs or access logs; if so, disabling logging is especially suspicious and a higher risk.
 45
 46**Correlate with related activities**
 47   - Search for preceding or subsequent events by the same principal or for the same bucket:  
 48     - `DeleteObject`, `PutBucketAcl`, `PutBucketPolicy`, `RemoveBucketAccessPoint`, or other permissions changes (e.g., `PutBucketLifecycle`).  
 49     - `ListBucket`, `GetObject`, `CopyObject`, or large `GetObject` operations, especially from unusual IPs or cross-account.  
 50     - IAM changes in proximity: `AttachUserPolicy`, `CreateAccessKey`, `AssumeRole` by same principal or against the same principal.  
 51   - Review AWS Config or Audit logs to see if the bucket’s logging was previously enabled and how long it has been disabled.
 52
 53**Evaluate intent and risk**
 54   - If the bucket was being used to collect access logs or audit data, disabling logging significantly degrades forensic capability.  
 55   - Determine whether the actor has a legitimate business reason for modifying logging (ticket, change request, known automation).  
 56   - If not justified, treat this as a high-priority visibility compromise and proceed through escalation.
 57
 58### False positive analysis
 59
 60- Storage teams may disable logging temporarily during migration or cost-optimisation exercises.  
 61- Test or development buckets may routinely toggle logging for experimentation—document such buckets and roles.  
 62- Trusted automation (tagged, known user-agent, internal IPs) may adjust logging. Consider allow-listing such automation while preserving watch-points for changes to high-sensitivity buckets.
 63
 64### Response and remediation
 65
 66**1. Contain & restore visibility**
 67   - Immediately re-enable server‐access logging for the affected bucket (ensure `LoggingEnabled=true` and correct `TargetBucket/Prefix`).  
 68   - If you suspect activity while logging was disabled, preserve any remaining object versions, cross-account access logs, or S3 Inventory data.  
 69
 70**2. Investigate scope and impact**
 71   - Use CloudTrail Lake or Athena to query access to the bucket and objects for the timeframe when logging was disabled.  
 72   - Identify external IP addresses, unusual principals, or rapid object transfers or deletions.
 73
 74**3. Recover & harden**
 75   - Apply bucket-policy or SCP restrictions to prevent unauthorized modifications of `PutBucketLogging` for audit/logging buckets.  
 76   - Enable AWS Config rule (e.g., `cloudtrail-s3-bucket-access-logging`) to alert if logging is disabled.  
 77   - Ensure logging target buckets are configured with retention, versioning, and immutability (S3 Object Lock) to prevent tampering.
 78
 79**4. Improve & monitor**
 80   - Update your incident response playbook to include this scenario (see AWS IR + Customer Playbook Framework).  
 81   - Educate stakeholders (storage, DevOps, security) that any change to logging configuration on buckets — especially audit/log buckets should be treated as a security event and ticketed.
 82
 83### Additional information
 84
 85- AWS documentation on [S3 Server Access Logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html)  
 86- [AWS Incident Response Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/tree/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks)  
 87- [AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)  
 88"""
 89references = [
 90    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
 91    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html",
 92]
 93risk_score = 47
 94rule_id = "a6788d4b-b241-4bf0-8986-a3b4315c5b70"
 95severity = "medium"
 96tags = [
 97    "Domain: Cloud",
 98    "Data Source: AWS",
 99    "Data Source: Amazon Web Services",
100    "Data Source: Amazon S3",
101    "Use Case: Asset Visibility",
102    "Tactic: Defense Evasion",
103    "Resources: Investigation Guide",
104]
105timestamp_override = "event.ingested"
106type = "eql"
107
108query = '''
109info where event.dataset == "aws.cloudtrail"
110   and event.provider == "s3.amazonaws.com"
111   and event.action == "PutBucketLogging"
112   and event.outcome == "success"
113   and not stringContains(aws.cloudtrail.request_parameters, "LoggingEnabled")
114'''
115
116
117[[rule.threat]]
118framework = "MITRE ATT&CK"
119[[rule.threat.technique]]
120id = "T1562"
121name = "Impair Defenses"
122reference = "https://attack.mitre.org/techniques/T1562/"
123[[rule.threat.technique.subtechnique]]
124id = "T1562.008"
125name = "Disable or Modify Cloud Logs"
126reference = "https://attack.mitre.org/techniques/T1562/008/"
127
128
129
130[rule.threat.tactic]
131id = "TA0005"
132name = "Defense Evasion"
133reference = "https://attack.mitre.org/tactics/TA0005/"
134
135[rule.investigation_fields]
136field_names = [
137    "@timestamp",
138    "user.name",
139    "user_agent.original",
140    "source.ip",
141    "aws.cloudtrail.user_identity.arn",
142    "aws.cloudtrail.user_identity.type",
143    "aws.cloudtrail.user_identity.access_key_id",
144    "aws.cloudtrail.resources.arn",
145    "aws.cloudtrail.resources.type",
146    "event.action",
147    "event.outcome",
148    "cloud.account.id",
149    "cloud.region",
150    "aws.cloudtrail.request_parameters",
151]