<  Back to rules search

An AWS S3 bucket lifecycle expiration policy was set to disabled

cloudtrail

Classification:

attack

Tactic:

Technique:

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.

Strategy

Check if @requestParameters.LifecycleConfiguration.Rule.Expiration.Days, @requestParameters.LifecycleConfiguration.Status:Disabled and @evt.name:PutBucketLifecycle fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket’s lifecycle configuration has been turned off.

Triage & Response

  1. Determine if {{@evt.name}} should have occurred on the {{@requestParameters.bucketName}} by username: {{@userIdentity.sessionContext.sessionIssuer.userName}}, accountId: {{@usr.account_id}} of type: {{@userIdentity.assumed_role}}.
  2. If the {{@requestParameters.bucketName}} should not be disabled, escalate to engineering so they can re-enable it.