AWS S3 Bucket Expiration Lifecycle Configuration Added
editAWS S3 Bucket Expiration Lifecycle Configuration Added
editIdentifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.
Rule type: query
Rule indices:
- filebeat-*
- logs-aws.cloudtrail*
Severity: low
Risk score: 21
Runs every: 10m
Searches indices from: now-60m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: Amazon S3
- Use Case: Asset Visibility
- Tactic: Defense Evasion
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and Analysis
Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added
This rule detects when an expiration lifecycle configuration is added to an S3 bucket in AWS. Such configurations can automate the deletion of objects within a bucket after a specified period, potentially obfuscating evidence of unauthorized access or malicious activity by automatically removing logs or other data.
Detailed Investigation Steps
-
Review the Affected S3 Bucket: Check the bucket details (
bucketName
) where the lifecycle configuration has been added. - Determine the contents and importance of the data stored in this bucket to assess the impact of the lifecycle policy.
- Analyze the Lifecycle Configuration:
-
Expiration Policy: Note the
Days
parameter underExpiration
in the lifecycle rule. This indicates how long after creation data will remain in the bucket before being automatically deleted. -
Rule ID and Status: Review the
ID
andStatus
of the lifecycle rule to understand its operational scope and activation status. - User Identity and Activity:
-
User Details: Investigate the user (
user_identity.arn
) who made the change. Determine whether this user’s role typically involves managing S3 bucket configurations. -
Authentication Details: Examine the authentication method and whether the access key used (
access_key_id
) is routinely used for such configurations or if it has deviated from normal usage patterns. - Source IP and User Agent:
-
Source IP Address: The IP address (
source.ip
) from which the request was made can provide clues about the geographical location of the requester. Determine if this location aligns with the user’s known locations. - User Agent: Analyze the user agent string to understand the type of client or service that made the request, which can help identify scripted automation versus manual changes.
Possible Indicators of Compromise or Misuse
- Frequent Changes: Look for frequent modifications to lifecycle policies in the same or multiple buckets, which can indicate attempts to manipulate data retention dynamically.
- Unusual User Activity: Activities that do not correlate with the user’s typical behavior patterns, such as making changes during odd hours or from unusual locations, should be flagged for further investigation.
False Positive Analysis
- Verify the operational requirements that might necessitate such lifecycle policies, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons.
Response and Remediation
- Immediate Review: If the change was unauthorized, consider reverting the lifecycle configuration change immediately to prevent potential data loss.
- Enhance Monitoring: Implement monitoring to alert on changes to lifecycle configurations across your S3 environments.
- User Education: Ensure that users with access to critical resources like S3 buckets are aware of the best practices and company policies regarding data retention and security.
Additional Information
For further guidance on managing S3 lifecycle policies and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on S3 Lifecycle Configuration.
Setup
editThis rule requires S3 data events to be logged to CloudTrail. CloudTrail trails can be configured to log S3 data events in the AWS Management Console or using the AWS CLI.
Rule query
editevent.dataset: "aws.cloudtrail" and event.provider: "s3.amazonaws.com" and event.action: PutBucketLifecycle and event.outcome: success and aws.cloudtrail.request_parameters: (*LifecycleConfiguration* and *Expiration=*)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Indicator Removal
- ID: T1070
- Reference URL: https://attack.mitre.org/techniques/T1070/