An AWS S3 bucket lifecycle policy was deleted

cloudtrail

Classification: attack

Tactic:

Technique:

WARNING: Rule is being deprecated on 10 April 2022

Goal

Detect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.

Strategy

Use @evt.name, the Datadog standard attribute that holds the API call name, to determine whether a DeleteBucketLifecycle call occurred.

Triage & Response

  1. Determine if {{@evt.name}} should have occurred on the {{@requestParameters.bucketName}} by username: {{@usr.name}}, accountId: {{@usr.id}} of type: {{@userIdentity.type}}.
  2. If the {{@evt.name}} API call accidentally occurred, restore the configuration to the {{@requestParameters.bucketName}}. Otherwise, investigate further.
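
The same check, run directly over raw CloudTrail records, as an added example (not the rule's own query or Datadog code). It collects the fields the triage steps ask about. The sample records are constructed, and the mapping from the Datadog attributes to the CloudTrail fields `eventName`, `requestParameters.bucketName` and `userIdentity` is an assumption, as is the extra `succeeded` flag.

```python
import json

# Constructed CloudTrail records for illustration; not real events.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2022-03-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucketLifecycle",
  "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                   "userName": "example-user"},
  "requestParameters": {"bucketName": "example-logs-bucket"}},
 {"eventTime": "2022-03-01T10:20:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketLifecycle",
  "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                   "userName": "example-user"},
  "requestParameters": {"bucketName": "example-logs-bucket"}},
 {"eventTime": "2022-03-01T11:02:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucketLifecycle", "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                   "arn": "arn:aws:sts::111122223333:assumed-role/example-role/s1",
                   "sessionContext": {"sessionIssuer": {"userName": "example-role"}}},
  "requestParameters": {"bucketName": "example-archive-bucket"}}
]""")


def find_lifecycle_deletions(records):
    """Return one triage summary per DeleteBucketLifecycle call."""
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "s3.amazonaws.com", "DeleteBucketLifecycle"):
            continue
        ident = rec.get("userIdentity") or {}
        # IAM users carry userName; assumed roles name the role in sessionIssuer.
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "bucket": (rec.get("requestParameters") or {}).get("bucketName"),
            "user": ident.get("userName") or issuer.get("userName")
                    or ident.get("arn", "unknown"),
            "account_id": ident.get("accountId"),
            "identity_type": ident.get("type"),
            # Assumption: a record with errorCode was rejected and changed nothing.
            "succeeded": "errorCode" not in rec,
        })
    return findings


if __name__ == "__main__":
    for finding in find_lifecycle_deletions(SAMPLE_RECORDS):
        print(finding)
```

Denied attempts are kept in the output because they still identify who tried to remove the configuration; only entries with `succeeded` set to true require restoring it.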

Changelog

08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.