Data Source: Amazon S3

AWS S3 Bucket Configuration Deletion

Nov 14, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: Amazon S3 Use Case: Asset Visibility Tactic: Defense Evasion Tactic: Impact Resources: Investigation Guide ·

Share on:

Identifies the deletion of critical Amazon S3 bucket configurations such as bucket policies, lifecycle configurations or encryption settings. These actions are typically administrative but may also represent adversarial attempts to remove security controls, disable data retention mechanisms, or conceal evidence of malicious activity. Adversaries who gain access to AWS credentials may delete logging, lifecycle, or policy configurations to disrupt forensic visibility and inhibit recovery. For example, deleting a bucket policy can open a bucket to public access or remove protective access restrictions, while deleting lifecycle rules can prevent object archival or automatic backups. Such actions often precede data exfiltration or destructive operations and should be reviewed in context with related S3 or IAM events.

AWS S3 Bucket Server Access Logging Disabled

Nov 10, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: Amazon S3 Use Case: Asset Visibility Tactic: Defense Evasion Resources: Investigation Guide ·

Share on:

Identifies when server access logging is disabled for an Amazon S3 bucket. Server access logs provide a detailed record of requests made to an S3 bucket. When server access logging is disabled for a bucket, it could indicate an adversary's attempt to impair defenses by disabling logs that contain evidence of malicious activity.

AWS S3 Bucket Expiration Lifecycle Configuration Added

Nov 10, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: Amazon S3 Use Case: Asset Visibility Tactic: Defense Evasion Resources: Investigation Guide ·

Share on:

Identifies the addition of an expiration lifecycle configuration to an Amazon S3 bucket. S3 lifecycle rules can automatically delete or transition objects after a defined period. Adversaries can abuse them by configuring auto-deletion of logs, forensic evidence, or sensitive objects to cover their tracks. This rule detects the use of the PutBucketLifecycle or PutBucketLifecycleConfiguration APIs with Expiration parameters, which may indicate an attempt to automate the removal of data to hinder investigation or maintain operational secrecy after malicious activity.

AWS S3 Unauthenticated Bucket Access by Rare Source

Sep 11, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: Amazon S3 Use Case: Asset Visibility Resources: Investigation Guide Tactic: Collection ·

Share on:

Identifies AWS CloudTrail events where an unauthenticated source is attempting to access an S3 bucket. This activity may indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing sensitive data to unauthorized users. Adversaries can specify --no-sign-request in the AWS CLI to retrieve objects from an S3 bucket without authentication. This is a New Terms rule, which means it will trigger for each unique combination of the source.address and targeted bucket name that has not been seen making this API request.