An AWS S3 bucket mfaDelete is disabled
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect if versioning or MFA delete was disabled within an AWS S3 bucket’s Lifecycle configuration.
Strategy
This rule has two separate queries. The first query determines if @requestParameters.VersioningConfiguration.MfaDelete
is set to Disabled
. The second query determines if @requestParameters.VersioningConfiguration.Status
is set to Suspended
. For generating a signal, there are two cases. Case one generates a Medium
signal if query one AND two return true
. Case two will generate a Low
signal if query one OR two returns true
.
NOTE: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.
Triage & Response
Determine if {{@evt.name}}
should have occurred on the {{@requestParameters.bucketName}}
by username:
{{@userIdentity.sessionContext.sessionIssuer.userName}}
, accountId:
{{@userIdentity.accountId}}
of type:
{{@userIdentity.assumed_role}}
.