An AWS S3 bucket lifecycle policy expiration is set to < 90 days

Docs > Datadog Security > OOTB Rules > An AWS S3 bucket lifecycle policy expiration is set to < 90 days

Classification:

attack

Tactic:

Technique:

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.

Strategy

Look for @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90 in your Cloudtrail logs.

NOTE: This rule should be set to logs that this policy applies to. The @requestParameters.LifecycleConfiguration.Rule.Expiration.Days key path must be set as a measure to do a query.

Triage & response

Determine if {{@evt.name}} should have occurred on the {{@requestParameters.bucketName}} by username: {{@userIdentity.sessionContext.sessionIssuer.userName}}, accountId: {{@userIdentity.accountId}} of type: {{@userIdentity.assumed_role}} and that the {{@requestParameters.bucketName}} bucket should have a file expiration of less than 90 days.
If {{@requestParameters.bucketName}} is equal to {{@aws.s3.bucket}}, the CloudTrail bucket, consider escalating to higher severity and investigating further.