AWS S3 Object Versioning Suspended

Identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows multiple versions of an object to exist in the same bucket, so deleted or overwritten objects can be recovered. When object versioning is suspended for a bucket, it could indicate an adversary's attempt to inhibit system recovery following malicious activity. Once enabled, versioning cannot be disabled, only suspended: versions that already exist are retained, but objects written or deleted after the suspension are no longer versioned and cannot be rolled back. Suspending versioning does not by itself allow the bucket to be deleted; every object version and delete marker must still be removed first.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/07/12"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows multiple versions of an object to exist in the same bucket, so deleted or overwritten objects can be recovered. When object versioning is suspended for a bucket, it could indicate an adversary's attempt to inhibit system recovery following malicious activity. Once enabled, versioning cannot be disabled, only suspended: versions that already exist are retained, but objects written or deleted after the suspension are no longer versioned and cannot be rolled back. Suspending versioning does not by itself allow the bucket to be deleted; every object version and delete marker must still be removed first.
"""
event_category_override = "event.type"
false_positives = [
    """
    Administrators within an AWS Organization structure may legitimately suspend object versioning. Ensure that this behavior is not part of a legitimate operation before taking action.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS S3 Object Versioning Suspended"
note = """## Triage and analysis

### Investigating AWS S3 Object Versioning Suspended

This rule detects when object versioning for an S3 bucket is suspended. S3 object versioning protects against data loss by maintaining prior versions of objects, allowing recovery if they are deleted or overwritten.  
Adversaries with access to a misconfigured or compromised S3 bucket may suspend versioning to inhibit recovery efforts, conceal data destruction, or prepare for ransomware-like activity.  
This rule uses [EQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-eql-rule) to detect use of the `PutBucketVersioning` API operation where the request parameters include `Status=Suspended`.

#### Possible investigation steps

- **Identify the Actor**  
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who performed the action.  
  - Verify whether this user or role has a legitimate operational reason to modify bucket versioning and whether such actions are common for this identity.

- **Analyze the Source and Context**  
  - Review `source.ip` and `user_agent.original` to assess the origin of the request.  
  - Check for unusual geographic locations, IP ranges, or clients that do not typically manage storage configurations.  

- **Evaluate the Affected Resource**  
  - Review `aws.cloudtrail.resources.arn` or `aws.cloudtrail.request_parameters` to identify which bucket's versioning was modified.  
  - Determine whether this bucket contains critical or regulated data (logs, backups, audit evidence, etc.) that would be impacted by versioning suspension.

- **Correlate with Related Activity**  
  - Search for additional CloudTrail events performed by the same actor or IP address within the same timeframe, such as:  
    - `DeleteObject`, `DeleteObjects`, or `PutBucketLifecycle` events (potential data destruction). Note that `DeleteObject` and `DeleteObjects` are S3 data events and appear in CloudTrail only if data event logging is enabled for the bucket or trail; `PutBucketLifecycle` is a management event and is always recorded.  
    - `PutBucketPolicy` or `PutBucketAcl` changes (permission manipulation).  
  - Review other detections related to S3 buckets or IAM changes to determine if this event is part of a larger sequence of destructive or unauthorized actions.

- **Validate Intent**  
  - Confirm whether this configuration change aligns with approved maintenance or automation activity (e.g., cost optimization, test environment reset).  
  - If no corresponding change request or justification exists, treat this as a potential defense evasion or impact event.

### False positive analysis

- **Legitimate Administrative Actions**  
  - Administrators or infrastructure automation tools may suspend versioning during migrations or lifecycle testing. Confirm through change management documentation.  
- **Automation and Pipelines**  
  - Verify whether Infrastructure-as-Code tools (e.g., Terraform, CloudFormation) or backup lifecycle scripts routinely modify versioning states.  
  - Exclude predictable automation identities where justified, while ensuring strong audit controls remain in place.

### Response and remediation

**Containment and Validation**  
- Re-enable versioning immediately for the affected bucket using the AWS Console or CLI (`aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled`).  
- Verify the change with `get-bucket-versioning` to confirm the bucket is restored to "Enabled."  
- Identify IAM users or roles with `s3:PutBucketVersioning` permissions and restrict access to trusted administrators only.  
- Preserve relevant CloudTrail, Config, and CloudWatch logs for the timeframe of the change to ensure integrity of investigation evidence.

**Investigation and Scoping**  
- Search CloudTrail for related actions by the same user or IP, including `DeleteObject`, `PutBucketLifecycle`, or `PutBucketPolicy`, to determine whether versioning suspension preceded object deletion or policy manipulation.  
- Review S3 access logs or Data Events for deleted, overwritten, or newly uploaded files after versioning suspension.  
- Validate if the change corresponds to an authorized change request or approved pipeline deployment.

**Recovery and Hardening**  
- If object loss or overwrites occurred, attempt recovery from object versions retained from before the suspension (these are not removed when versioning is suspended), from a replica bucket maintained by cross-region or same-region replication, or from AWS Backup.  
- Enable S3 Object Lock and MFA Delete on critical buckets to prevent future tampering. Both require versioning; once Object Lock is enabled on a bucket, versioning can no longer be suspended, and with MFA Delete enabled, changing the bucket's versioning state or permanently deleting an object version requires the bucket owner's MFA device.  
- Configure the AWS Config rule `s3-bucket-versioning-enabled` to continuously monitor for versioning suspension and trigger automated alerts.  
- Review IAM and service control policies to ensure the principle of least privilege is enforced for all S3 management actions.  
- Document findings and update incident response procedures to include versioning protection as part of ransomware and data destruction prevention strategies.


### Additional information
- AWS Documentation: [Using Versioning in S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html)  
- API Reference: [PutBucketVersioning](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html)  
- [AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)
- [AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)
"""
references = [
    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html",
    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html",
    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation/",
    "https://www.invictus-ir.com/news/ransomware-in-the-cloud/",
    "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/",
]
risk_score = 47
rule_id = "30b5bb96-c7db-492c-80e9-1eab00db580b"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS S3",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
info where event.dataset == "aws.cloudtrail"
   and event.provider == "s3.amazonaws.com"
   and event.action == "PutBucketVersioning"
   and event.outcome == "success"
   and stringContains(aws.cloudtrail.request_parameters, "Status=Suspended")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1490"
name = "Inhibit System Recovery"
reference = "https://attack.mitre.org/techniques/T1490/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters"
]
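The rule's EQL query keys on the ECS-flattened `aws.cloudtrail.request_parameters` string, and the investigation guide then pivots on the actor, source IP and follow-on API calls. The Python below is an added example, not part of the Elastic rule or the AWS samples, that replays the same predicate over raw CloudTrail JSON records (and over the flattened string form, which is what `stringContains()` sees) and performs the "Correlate with Related Activity" step. The records, account ID, principal names, IP addresses and access key ID are constructed for the example; the `VersioningConfiguration.Status` layout follows the PutBucketVersioning request body, and the one-hour correlation window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta, timezone

# Follow-on API calls the triage guide says to correlate on.
FOLLOW_ON = {"DeleteObject", "DeleteObjects", "PutBucketLifecycle", "PutBucketPolicy", "PutBucketAcl"}


def _ts(value):  # CloudTrail eventTime, e.g. 2024-07-12T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_name(record):
    """Bucket from requestParameters, raw JSON (dict) or ECS-flattened (str)."""
    params = record.get("requestParameters") or {}
    if isinstance(params, str):
        match = re.search(r"bucketName=([^,}\s]+)", params)
        return match.group(1) if match else None
    return params.get("bucketName")


def is_versioning_suspended(record):
    """Same predicate as the EQL: S3 provider, PutBucketVersioning, success, Status=Suspended."""
    if record.get("eventSource") != "s3.amazonaws.com" or record.get("eventName") != "PutBucketVersioning":
        return False
    if record.get("errorCode"):  # CloudTrail errorCode is what becomes event.outcome == "failure"
        return False
    params = record.get("requestParameters") or {}
    if isinstance(params, str):  # flattened form, what the rule's stringContains() sees
        return "Status=Suspended" in params
    return (params.get("VersioningConfiguration") or {}).get("Status") == "Suspended"


def related_activity(alert, records, window=timedelta(hours=1)):
    """Follow-on events by the same principal ARN or source IP within `window` after the alert."""
    actor, ip, start = alert["userIdentity"].get("arn"), alert.get("sourceIPAddress"), _ts(alert["eventTime"])
    hits = []
    for rec in records:
        if rec is alert or rec.get("eventName") not in FOLLOW_ON:
            continue
        if not start <= _ts(rec["eventTime"]) <= start + window:
            continue
        if rec.get("userIdentity", {}).get("arn") == actor or rec.get("sourceIPAddress") == ip:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["eventTime"])


def triage(records):
    """Run the detection over a batch and attach the triage context for each alert."""
    alerts = []
    for rec in records:
        if is_versioning_suspended(rec):
            alerts.append({
                "time": rec["eventTime"],
                "bucket": bucket_name(rec),
                "actor": rec["userIdentity"].get("arn"),
                "access_key_id": rec["userIdentity"].get("accessKeyId"),
                "source_ip": rec.get("sourceIPAddress"),
                "user_agent": rec.get("userAgent"),
                "related": [r["eventName"] for r in related_activity(rec, records)],
            })
    return alerts


# Constructed sample records (not real CloudTrail data): account, principals, IPs and key ID are made up.
_ADMIN = "arn:aws:iam::123456789012:user/alice"
_MALLORY = "arn:aws:iam::123456789012:user/mallory"
_CI = "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-42"
_SUSPEND = {"Status": "Suspended", "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/"}


def _rec(name, when, arn, ip, params, error=None):
    rec = {"eventTime": when, "eventSource": "s3.amazonaws.com", "eventName": name,
           "sourceIPAddress": ip, "userAgent": "aws-cli/2.15.0", "requestParameters": params,
           "userIdentity": {"arn": arn, "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_RECORDS = [
    _rec("PutBucketVersioning", "2024-07-12T09:00:00Z", _ADMIN, "10.0.0.5",
         {"bucketName": "corp-backups", "VersioningConfiguration": {**_SUSPEND, "Status": "Enabled"}}),
    _rec("PutBucketVersioning", "2024-07-12T09:30:00Z", _CI, "10.0.0.9",  # denied, so no alert
         {"bucketName": "corp-backups", "VersioningConfiguration": _SUSPEND}, error="AccessDenied"),
    _rec("PutBucketVersioning", "2024-07-12T10:00:00Z", _MALLORY, "198.51.100.23",  # alert
         {"bucketName": "corp-backups", "VersioningConfiguration": _SUSPEND}),
    _rec("PutBucketLifecycle", "2024-07-12T10:05:00Z", _MALLORY, "198.51.100.23", {"bucketName": "corp-backups"}),
    _rec("DeleteObjects", "2024-07-12T10:12:00Z", _MALLORY, "198.51.100.23", {"bucketName": "corp-backups"}),
    _rec("PutBucketPolicy", "2024-07-12T13:00:00Z", _ADMIN, "10.0.0.5", {"bucketName": "corp-backups"}),  # out of window
    _rec("PutBucketVersioning", "2024-07-12T11:00:00Z", _CI, "10.0.0.9",  # ECS-flattened string form, alert
         "{bucketName=analytics-raw, Host=analytics-raw.s3.amazonaws.com, versioning=, "
         "VersioningConfiguration={xmlns=http://s3.amazonaws.com/doc/2006-03-01/, Status=Suspended}}"),
]
```

Running `triage(SAMPLE_RECORDS)` yields two alerts: the `mallory` suspension of `corp-backups`, with `PutBucketLifecycle` and `DeleteObjects` by the same principal in the following hour, and the CI role's suspension of `analytics-raw` with no related activity. The denied attempt at 09:30 is dropped by the `errorCode` check, mirroring `event.outcome == "success"`. Remember that `DeleteObjects` only shows up here if data event logging is on for the bucket.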
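For the containment and hardening steps in the guide, the following added Python example (not Elastic's or AWS's code) audits what a responder needs to check on the affected bucket: the versioning status, whether MFA Delete is on, and whether Object Lock is on, then either re-enables versioning through the API and verifies it, or emits the CLI command to run. It accepts any object exposing the boto3 S3 client's `get_bucket_versioning`, `put_bucket_versioning` and `get_object_lock_configuration` methods; the `FakeS3` class is a constructed stand-in so the example runs offline, and the bucket names are made up. The `ObjectLockConfigurationNotFoundError` code and the absent `Status` key on a never-versioned bucket are boto3/S3 behaviour; the `Disabled` label for that case is the example's own.

```python
def object_lock_enabled(client, bucket):
    """True when S3 Object Lock is on. boto3 raises a ClientError whose
    response["Error"]["Code"] is ObjectLockConfigurationNotFoundError otherwise."""
    try:
        cfg = client.get_object_lock_configuration(Bucket=bucket)
    except Exception as err:
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code == "ObjectLockConfigurationNotFoundError":
            return False
        raise
    return cfg.get("ObjectLockConfiguration", {}).get("ObjectLockEnabled") == "Enabled"


def assess_bucket(client, bucket, reenable=False):
    """Check versioning, MFA Delete and Object Lock on `bucket`; optionally re-enable
    versioning. Returns the state plus findings and the action taken or suggested."""
    versioning = client.get_bucket_versioning(Bucket=bucket)
    # get_bucket_versioning omits Status on a bucket where versioning was never
    # enabled; "Disabled" is this example's label for that state.
    status = versioning.get("Status", "Disabled")
    mfa_delete = versioning.get("MFADelete", "Disabled")
    lock = object_lock_enabled(client, bucket)
    findings, actions = [], []

    if status == "Suspended":
        findings.append("versioning suspended: writes and deletes since then are not versioned")
        if reenable and mfa_delete != "Enabled":
            client.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
            now = client.get_bucket_versioning(Bucket=bucket).get("Status")  # verify, as the guide says
            actions.append(f"re-enabled versioning (get-bucket-versioning now reports {now})")
        else:
            cmd = (f"aws s3api put-bucket-versioning --bucket {bucket} "
                   "--versioning-configuration Status=Enabled")
            if mfa_delete == "Enabled":
                cmd += ' --mfa "<mfa-serial> <code>"'  # S3 rejects the change without the MFA token
            actions.append(cmd)
    elif status == "Disabled":
        findings.append("versioning never enabled: there are no prior versions to recover from")
    if mfa_delete != "Enabled":
        findings.append("MFA Delete off: versioning state can be changed without an MFA code")
    if not lock:
        findings.append("Object Lock off: versioning can be suspended again")
    return {"bucket": bucket, "status": status, "mfa_delete": mfa_delete,
            "object_lock": lock, "findings": findings, "actions": actions}


class FakeS3:
    """Constructed stand-in for the boto3 S3 client so the example runs offline."""

    class ClientError(Exception):
        def __init__(self, code):
            super().__init__(code)
            self.response = {"Error": {"Code": code}}  # same shape as botocore's ClientError

    def __init__(self, status=None, mfa_delete=None, object_lock=False):
        self.state = {k: v for k, v in (("Status", status), ("MFADelete", mfa_delete)) if v}
        self.object_lock = object_lock

    def get_bucket_versioning(self, Bucket):
        return dict(self.state)

    def put_bucket_versioning(self, Bucket, VersioningConfiguration, MFA=None):
        if self.state.get("MFADelete") == "Enabled" and not MFA:
            raise FakeS3.ClientError("AccessDenied")  # MFA Delete buckets require the MFA token
        if self.object_lock and VersioningConfiguration["Status"] == "Suspended":
            raise FakeS3.ClientError("InvalidBucketState")  # Object Lock buckets cannot suspend versioning
        self.state["Status"] = VersioningConfiguration["Status"]

    def get_object_lock_configuration(self, Bucket):
        if not self.object_lock:
            raise FakeS3.ClientError("ObjectLockConfigurationNotFoundError")
        return {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}


if __name__ == "__main__":
    flagged = FakeS3(status="Suspended")  # the bucket the rule fired on
    print(assess_bucket(flagged, "corp-backups", reenable=True))
    print(assess_bucket(FakeS3(status="Enabled", mfa_delete="Enabled", object_lock=True), "audit-logs"))
```

With a real client (`boto3.client("s3")`) the same `assess_bucket` call performs the check against the account; `reenable=True` is deliberately skipped when MFA Delete is on, because that change has to be made by the bucket owner with the MFA token, and the function prints the `--mfa` form of the command instead.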
