AWS Bucket Deleted
Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
Sigma rule
title: AWS Bucket Deleted
id: 39c9f26d-6e3b-4dbb-9c7a-4154b0281112
status: experimental
description: |
    Detects the deletion of S3 buckets in AWS CloudTrail logs.
    Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
references:
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html
    - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html
author: Ivan Saakov, Nasreddine Bencherchali
date: 2025-10-19
tags:
    - attack.defense-evasion
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event_name:
        eventName: 'DeleteBucket'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event_name and 1 of selection_status_*
falsepositives:
    - During maintenance operations or testing, authorized administrators may delete S3 buckets as part of routine data management or cleanup activities.
level: medium
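The rule's condition evaluated over CloudTrail records, as an added example that is not part of the Sigma project or the original page. The sample events, account ID, ARNs and bucket names are constructed, and the function names are hypothetical. It assumes Sigma's `null` matches a field that is absent or JSON null, and that string values compare case-insensitively.

```python
# Constructed CloudTrail records (illustrative only), trimmed to the fields
# the rule reads plus the context an analyst would triage on.
SAMPLE_EVENTS = [
    # Successful call: CloudTrail omits errorCode entirely.
    {"eventName": "DeleteBucket",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"bucketName": "example-app-logs"}},
    # Failed attempt: errorCode is set, so neither status selection matches.
    {"eventName": "DeleteBucket", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
     "requestParameters": {"bucketName": "example-backups"}},
    # Pipeline that normalises the missing field to an explicit null.
    {"eventName": "DeleteBucket", "errorCode": None,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-ci"},
     "requestParameters": {"bucketName": "example-tmp"}},
    # Pipeline that fills in the literal string 'Success'.
    {"eventName": "DeleteBucket", "errorCode": "Success",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-ci"},
     "requestParameters": {"bucketName": "example-staging"}},
    # Different API call: a plain equality match must not hit on a prefix.
    {"eventName": "DeleteBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"bucketName": "example-app-logs"}},
]

def _eq(value, expected):
    """Case-insensitive string equality (assumed Sigma default)."""
    return isinstance(value, str) and value.casefold() == expected.casefold()

def matches_rule(event):
    """selection_event_name and 1 of selection_status_*"""
    selection_event_name = _eq(event.get("eventName"), "DeleteBucket")
    selection_status_success = _eq(event.get("errorCode"), "Success")
    selection_status_null = event.get("errorCode") is None  # absent or null
    return selection_event_name and (
        selection_status_success or selection_status_null)

def deleted_buckets(events):
    """Return (bucket, caller ARN) for every record the rule would alert on."""
    return [
        (e.get("requestParameters", {}).get("bucketName"),
         e.get("userIdentity", {}).get("arn"))
        for e in events if matches_rule(e)
    ]

if __name__ == "__main__":
    for bucket, arn in deleted_buckets(SAMPLE_EVENTS):
        print(f"bucket deleted: {bucket} by {arn}")
```

The two status selections exist because a successful call may surface with no `errorCode`, or with one filled in by the ingestion pipeline. Denied attempts are deliberately out of scope and need a separate rule if they matter to you.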
Related rules
- AWS VPC Flow Logs Deleted
- Sysmon Channel Reference Deletion
- Hacktool - EDR-Freeze Execution
- Potential LSASS Process Dump Via Procdump
- Use Short Name Path in Image