An AWS S3 bucket lifecycle expiration policy was set to disabled

Goal

Detect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.

Strategy

Check whether a CloudTrail log for an S3 lifecycle configuration change contains @evt.name:PutBucketLifecycle and @requestParameters.LifecycleConfiguration.Status:Disabled together with a @requestParameters.LifecycleConfiguration.Rule.Expiration.Days field. If all three are present together, a bucket’s lifecycle configuration has been turned off.
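The same check over raw CloudTrail records, as an added Python example (not the detection rule's own code). It assumes the raw `eventName` field corresponds to `@evt.name`, that `Rule` may arrive as a single object or a list, and that `Status` may sit on the rule itself as well as at the path named above; the sample events are constructed.

```python
def _dig(obj, *keys):
    """Walk nested dicts, returning None as soon as a key is missing."""
    for k in keys:
        obj = obj.get(k) if isinstance(obj, dict) else None
    return obj

def disabled_expiration_rules(event):
    """Return the expiration rules that a PutBucketLifecycle call leaves disabled."""
    if event.get("eventName") != "PutBucketLifecycle":
        return []
    cfg = _dig(event, "requestParameters", "LifecycleConfiguration")
    if not isinstance(cfg, dict):
        return []
    rule = cfg.get("Rule") or []
    rules = [rule] if isinstance(rule, dict) else rule
    hits = []
    for r in (r for r in rules if isinstance(r, dict)):
        days = _dig(r, "Expiration", "Days")
        # Assumption: prefer a per-rule Status, else the configuration-level
        # Status, which is the path the strategy text names.
        status = r.get("Status", cfg.get("Status"))
        if days is not None and status == "Disabled":
            hits.append(r)
    return hits

def triage_context(event):
    """Collect the fields the triage steps ask about, or None if no match."""
    hits = disabled_expiration_rules(event)
    if not hits:
        return None
    return {
        "bucket": _dig(event, "requestParameters", "bucketName"),
        "user": _dig(event, "userIdentity", "sessionContext", "sessionIssuer", "userName"),
        "account": _dig(event, "userIdentity", "accountId"),
        "disabled_rule_ids": [r.get("ID") for r in hits],
    }

# Constructed sample events (placeholder account, role and bucket names).
SAMPLE_EVENTS = [
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"accountId": "111122223333",
                      "sessionContext": {"sessionIssuer": {"userName": "example-role"}}},
     "requestParameters": {"bucketName": "example-bucket", "LifecycleConfiguration": {
         "Rule": {"ID": "expire-logs", "Status": "Disabled", "Expiration": {"Days": 30}}}}},
    {"eventName": "PutBucketLifecycle",
     "requestParameters": {"bucketName": "example-bucket-2", "LifecycleConfiguration": {
         "Rule": [{"ID": "keep", "Status": "Enabled", "Expiration": {"Days": 90}}]}}},
    {"eventName": "GetBucketLifecycle", "requestParameters": {"bucketName": "example-bucket"}},
]
```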

Triage & Response

  1. Determine if {{@evt.name}} should have occurred on the {{@requestParameters.bucketName}} by username: {{@userIdentity.sessionContext.sessionIssuer.userName}}, accountId: {{@userIdentity.accountId}} of type: {{@userIdentity.assumed_role}}.
  2. If the lifecycle expiration policy on {{@requestParameters.bucketName}} should not be disabled, escalate to engineering so they can re-enable it.