AWS Bucket Deleted
Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
Sigma rule
title: AWS Bucket Deleted
id: 39c9f26d-6e3b-4dbb-9c7a-4154b0281112
status: experimental
description: |
    Detects the deletion of S3 buckets in AWS CloudTrail logs.
    Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
references:
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html
    - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html
author: Ivan Saakov, Nasreddine Bencherchali
date: 2025-10-19
tags:
    - attack.stealth
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event_name:
        eventName: 'DeleteBucket'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event_name and 1 of selection_status_*
falsepositives:
    - During maintenance operations or testing, authorized administrators may delete S3 buckets as part of routine data management or cleanup activities.
level: medium
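The rule's condition evaluated over a few constructed CloudTrail records, as an added example that is not part of the Sigma rule or its repository. It assumes Sigma's default matching (case-insensitive string comparison, `null` matching an absent or null field); the sample events, the `triage` and `bucket` helpers, and the separate list of failed attempts are illustrative additions.

```python
# Constructed CloudTrail records (not real log data), trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventName": "DeleteBucket", "requestParameters": {"bucketName": "example-a"}},
    {"eventName": "DeleteBucket", "errorCode": None,
     "requestParameters": {"bucketName": "example-b"}},
    {"eventName": "DeleteBucket", "errorCode": "Success",
     "requestParameters": {"bucketName": "example-c"}},
    {"eventName": "DeleteBucket", "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "example-d"}},
    {"eventName": "DeleteBucket", "errorCode": "BucketNotEmpty",
     "requestParameters": {"bucketName": "example-e"}},
    {"eventName": "DeleteBucketPolicy",
     "requestParameters": {"bucketName": "example-f"}},
]


def _eq(value, expected):
    """Sigma plain-string match: whole value, case-insensitive."""
    return isinstance(value, str) and value.lower() == expected.lower()


def matches_rule(event):
    """condition: selection_event_name and 1 of selection_status_*"""
    selection_event_name = _eq(event.get("eventName"), "DeleteBucket")
    selection_status_success = _eq(event.get("errorCode"), "Success")
    # Sigma `null` matches a field that is absent or explicitly null.
    selection_status_null = event.get("errorCode") is None
    return selection_event_name and (selection_status_success or selection_status_null)


def triage(events):
    """Split DeleteBucket records into rule hits and failed attempts the rule skips."""
    alerts, failed = [], []
    for ev in events:
        if matches_rule(ev):
            alerts.append(ev)
        elif _eq(ev.get("eventName"), "DeleteBucket"):
            failed.append(ev)
    return alerts, failed


def bucket(ev):
    """Bucket name from the record's requestParameters, or None if missing."""
    return ev.get("requestParameters", {}).get("bucketName")


if __name__ == "__main__":
    alerts, failed = triage(SAMPLE_EVENTS)
    print("alerts:", [bucket(e) for e in alerts])
    print("failed attempts (not alerted):", [(bucket(e), e["errorCode"]) for e in failed])
```

Records carrying any other `errorCode` (here `AccessDenied` and `BucketNotEmpty`) fall outside both status selections, so failed deletion attempts never raise this alert and need separate coverage if they matter to you.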