<  Back to rules search

An AWS S3 bucket lifecycle policy expiration is set to < 90 days

cloudtrail

Classification:

attack

Tactic:

Technique:

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.

Strategy

Look for @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90 in your Cloudtrail logs.

NOTE: This rule should be set to logs that this policy applies to. The @requestParameters.LifecycleConfiguration.Rule.Expiration.Days key path must be set as a measure to do a query.

Triage & response

  1. Determine if {{@evt.name}} should have occurred on the {{@requestParameters.bucketName}} by username: {{@userIdentity.sessionContext.sessionIssuer.userName}}, accountId: {{@usr.account_id}} of type: {{@userIdentity.assumed_role}} and that the {{@requestParameters.bucketName}} bucket should have a file expiration of less than 90 days.
  2. If {{@requestParameters.bucketName}} is equal to {{@aws.s3.bucket}}, the CloudTrail bucket, consider escalating to higher severity and investigating further.