AWS S3 Bucket Server Access Logging Disabled

Identifies when server access logging is disabled for an Amazon S3 bucket. Server access logs provide a detailed record of requests made to an S3 bucket. When server access logging is disabled for a bucket, it could indicate an adversary's attempt to impair defenses by disabling logs that contain evidence of malicious activity.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/07/12"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/12"

[rule]
author = ["Elastic"]
description = """
Identifies when server access logging is disabled for an Amazon S3 bucket. Server access logs provide a detailed record of requests made to an S3 bucket.
When server access logging is disabled for a bucket, it could indicate an adversary's attempt to impair defenses by disabling logs that contain evidence of malicious activity.
"""
false_positives = [
    """
    Bucket logging may be disabled by a system or network administrator. Verify whether the user identity and/or
    user agent should be making changes in your environment. Bucket component deletions by unfamiliar
    users should be investigated. If known behavior is causing false positives, it can be exempted from the
    rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "eql"
license = "Elastic License v2"
name = "AWS S3 Bucket Server Access Logging Disabled"
note = """

## Triage and Analysis

### Investigating AWS S3 Bucket Server Access Logging Disabled

This rule detects when server access logging is disabled for an S3 bucket in AWS. Such configurations could potentially hide evidence of unauthorized access or malicious activity by preventing the recording of those requests.

#### Detailed Investigation Steps

- **Review the Affected S3 Bucket**: Check the bucket details (`bucketName`) where server access logging has been disabled.
    - Determine the contents and importance of the data stored in this bucket to assess the impact of disabled logging.
- **Review User Identity and Activity**:
  - Investigate the user (`user_identity.arn`) who made the change. Determine whether this user's role typically involves managing S3 bucket configurations.
  - Examine the authentication method and whether the access key used (`access_key_id`) is routinely used for such configurations or if it has deviated from normal usage patterns.
  - Contact the account owner and confirm whether they are aware of this activity.
  - Considering the source IP address and geolocation of the user who issued the command:
      - Do they look normal for the calling user?
      - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?
      - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
- **Contextualize with Recent Changes**: Compare this event against recent changes in S3 configurations. Look for any other recent permissions changes or unusual administrative actions.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
  - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.

### False Positive Analysis

- Verify the operational requirements that might necessitate disabling access logging, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons.

### Response and Remediation

- **Immediate Review**: If the change was unauthorized, consider reverting the change immediately to prevent potential data loss.
- **Enhance Monitoring**: Implement monitoring to alert on changes to logging configurations across your S3 environments.
- **User Education**: Ensure that users with access to critical resources like S3 buckets are aware of the best practices and company policies regarding data retention and security.

### Additional Information

For further guidance on monitoring Amazon S3 and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on [Monitoring Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/monitoring-overview.html).
"""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html",
]
risk_score = 47
rule_id = "a6788d4b-b241-4bf0-8986-a3b4315c5b70"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon S3",
    "Use Case: Asset Visibility",
    "Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "aws.cloudtrail"
   and event.action == "PutBucketLogging"
   and event.outcome == "success"
   and not stringContains(aws.cloudtrail.request_parameters, "LoggingEnabled")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
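The EQL query above keys on three things: a successful `PutBucketLogging` call whose request parameters carry no `LoggingEnabled` element, which is how the S3 API expresses "turn logging off". The following is an added example, not part of the Elastic rule, that applies the same logic to raw CloudTrail records and pulls out the fields the triage guide asks you to review (`bucketName`, `user_identity.arn`, source IP); the events are constructed, and the mapping of a present `errorCode` to `event.outcome == "failure"` is how the Elastic aws integration behaves.

```python
import json

# Constructed CloudTrail records (not real events); only the fields the rule
# and the triage guide need are included.
SAMPLE_EVENTS = [
    {   # logging switched off: BucketLoggingStatus has no LoggingEnabled element -> alert
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLogging",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"bucketName": "example-audit-bucket",
                              "BucketLoggingStatus": {"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/"}},
    },
    {   # logging (re)enabled: LoggingEnabled present -> no alert
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLogging",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"bucketName": "example-audit-bucket",
                              "BucketLoggingStatus": {"LoggingEnabled": {"TargetBucket": "example-log-bucket",
                                                                         "TargetPrefix": "logs/"}}},
    },
    {   # denied attempt: errorCode set, so the integration records event.outcome "failure" -> no alert
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLogging", "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
        "sourceIPAddress": "203.0.113.9",
        "requestParameters": {"bucketName": "example-audit-bucket", "BucketLoggingStatus": {}},
    },
    {   # read-only call on the same bucket -> no alert
        "eventSource": "s3.amazonaws.com", "eventName": "GetBucketLogging",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
        "sourceIPAddress": "203.0.113.9",
        "requestParameters": {"bucketName": "example-audit-bucket"},
    },
]


def is_logging_disabled(event: dict) -> bool:
    """Mirror the EQL: S3 PutBucketLogging, successful, request lacks LoggingEnabled."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketLogging":
        return False
    if "errorCode" in event:          # failed call: nothing was actually changed
        return False
    # The rule does a substring test on the serialised request parameters; do the same.
    return "LoggingEnabled" not in json.dumps(event.get("requestParameters", {}))


def triage_alerts(events: list) -> list:
    """One triage record per alerting event, with the fields the investigation steps name."""
    return [{"bucket": e.get("requestParameters", {}).get("bucketName"),
             "actor": e.get("userIdentity", {}).get("arn"),
             "source_ip": e.get("sourceIPAddress")}
            for e in events if is_logging_disabled(e)]
```

Only the first record alerts; the enable call, the denied attempt and the read-only call fall through, which is the behaviour the `event.outcome` and `stringContains` clauses encode.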
