AWS S3 Bucket Expiration Lifecycle Configuration Added

edit

AWS S3 Bucket Expiration Lifecycle Configuration Added

edit

Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail*

Severity: low

Risk score: 21

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: Amazon S3
  • Use Case: Asset Visibility
  • Tactic: Defense Evasion

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and Analysis

Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added

This rule detects when an expiration lifecycle configuration is added to an S3 bucket in AWS. Such configurations can automate the deletion of objects within a bucket after a specified period, potentially obfuscating evidence of unauthorized access or malicious activity by automatically removing logs or other data.

Detailed Investigation Steps

  • Review the Affected S3 Bucket: Check the bucket details (bucketName) where the lifecycle configuration has been added.
  • Determine the contents and importance of the data stored in this bucket to assess the impact of the lifecycle policy.
  • Analyze the Lifecycle Configuration:
  • Expiration Policy: Note the Days parameter under Expiration in the lifecycle rule. This indicates how long after creation data will remain in the bucket before being automatically deleted.
  • Rule ID and Status: Review the ID and Status of the lifecycle rule to understand its operational scope and activation status.
  • User Identity and Activity:
  • User Details: Investigate the user (user_identity.arn) who made the change. Determine whether this user’s role typically involves managing S3 bucket configurations.
  • Authentication Details: Examine the authentication method and whether the access key used (access_key_id) is routinely used for such configurations or if it has deviated from normal usage patterns.
  • Source IP and User Agent:
  • Source IP Address: The IP address (source.ip) from which the request was made can provide clues about the geographical location of the requester. Determine if this location aligns with the user’s known locations.
  • User Agent: Analyze the user agent string to understand the type of client or service that made the request, which can help identify scripted automation versus manual changes.

Possible Indicators of Compromise or Misuse

  • Frequent Changes: Look for frequent modifications to lifecycle policies in the same or multiple buckets, which can indicate attempts to manipulate data retention dynamically.
  • Unusual User Activity: Activities that do not correlate with the user’s typical behavior patterns, such as making changes during odd hours or from unusual locations, should be flagged for further investigation.

False Positive Analysis

  • Verify the operational requirements that might necessitate such lifecycle policies, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons.

Response and Remediation

  • Immediate Review: If the change was unauthorized, consider reverting the lifecycle configuration change immediately to prevent potential data loss.
  • Enhance Monitoring: Implement monitoring to alert on changes to lifecycle configurations across your S3 environments.
  • User Education: Ensure that users with access to critical resources like S3 buckets are aware of the best practices and company policies regarding data retention and security.

Additional Information

For further guidance on managing S3 lifecycle policies and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on S3 Lifecycle Configuration.

Setup

edit

This rule requires S3 data events to be logged to CloudTrail. CloudTrail trails can be configured to log S3 data events in the AWS Management Console or using the AWS CLI.

Rule query

edit
event.dataset: "aws.cloudtrail" and event.provider: "s3.amazonaws.com" and
    event.action: PutBucketLifecycle and event.outcome: success and
    aws.cloudtrail.request_parameters: (*LifecycleConfiguration* and *Expiration=*)

Framework: MITRE ATT&CKTM