AWS S3 Data Management Tampering

 1title: AWS S3 Data Management Tampering
 2id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
 3status: test
 4description: Detects when a user tampers with S3 data management in Amazon Web Services.
 5references:
 6    - https://github.com/elastic/detection-rules/pull/1145/files
 7    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
 8    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
 9    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
10    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
11    - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
12    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
13author: Austin Songer @austinsonger
14date: 2021/07/24
15modified: 2022/10/09
16tags:
17    - attack.exfiltration
18    - attack.t1537
19logsource:
20    product: aws
21    service: cloudtrail
22detection:
23    selection:
24        eventSource: s3.amazonaws.com
25        eventName:
26            - PutBucketLogging
27            - PutBucketWebsite
28            - PutEncryptionConfiguration
29            - PutLifecycleConfiguration
30            - PutReplicationConfiguration
31            - ReplicateObject
32            - RestoreObject
33    condition: selection
34falsepositives:
35    - A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
36level: low

References

• [New Rule] AWS S3 Data Management Tampering by austinsonger · Pull Request #1145 · elastic/detection-rules

  

  Issues Resolves #1123 Summary Detects threat actors tampering with S3 data management in Amazon Web Services Contributor checklist Have you signed the contributor license agreement? Have you foll...

  
  Read More

• Actions - Amazon Simple Storage Service

  The following actions are supported by Amazon S3:

  
  Read More

• PutBucketLogging - Amazon Simple Storage Service

  Set the logging parameters for a bucket and to specify permissions for who can view and modify the logging parameters. All logs are saved to buckets in the same AWS Region as the source bucket. To set the logging status of a bucket, you must be the bucket owner.

  
  Read More

• PutBucketWebsite - Amazon Simple Storage Service

  Sets the configuration of the website that is specified in the website subresource. To configure a bucket as a website, you can add this subresource on the bucket with website configuration information such as the file name of the index document and any redirect rules. For more information, see

  
  Read More

• PutBucketEncryption - Amazon Simple Storage Service

  This action uses the encryption subresource to configure default encryption and Amazon S3 Bucket Keys for an existing bucket.

  
  Read More

• Setting up permissions - Amazon Simple Storage Service

  Explanation of necessary permissions for replication.

  
  Read More

• RestoreObject - Amazon Simple Storage Service

  Restores an archived copy of an object back into Amazon S3

  
  Read More

Related rules

• AWS Snapshot Backup Exfiltration
• Data Exfiltration to Unsanctioned Apps
• Suspicious BlackCat-Related Exfiltration Command
• Restore Public AWS RDS Instance
• Suspicious Inbox Forwarding