An AWS S3 bucket mfaDelete is disabled

Goal

Detect if versioning or MFA delete was disabled within an AWS S3 bucket’s Lifecycle configuration.

Strategy

This rule has two separate queries. The first query determines if @requestParameters.VersioningConfiguration.MfaDelete is set to Disabled. The second query determines if @requestParameters.VersioningConfiguration.Status is set to Suspended. For generating a signal, there are two cases. Case one generates a Medium signal if query one AND two return true. Case two will generate a Low signal if query one OR two returns true.

NOTE: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.

Triage & Response

Determine if {{@evt.name}} should have occurred on the {{@requestParameters.bucketName}} by username: {{@userIdentity.sessionContext.sessionIssuer.userName}}, accountId: {{@userIdentity.accountId}} of type: {{@userIdentity.assumed_role}}.