An AWS S3 bucket lifecycle expiration policy was set to disabled

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.

Strategy

Check if @requestParameters.LifecycleConfiguration.Rule.Expiration.Days, @requestParameters.LifecycleConfiguration.Status:Disabled and @evt.name:PutBucketLifecycle fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket’s lifecycle configuration has been turned off.

Triage & Response

  1. Determine if {{@evt.name}} should have occurred on the {{@requestParameters.bucketName}} by username: {{@userIdentity.sessionContext.sessionIssuer.userName}}, accountId: {{@userIdentity.accountId}} of type: {{@userIdentity.assumed_role}}.
  2. If the {{@requestParameters.bucketName}} should not be disabled, escalate to engineering so they can re-enable it.
PREVIEWING: aliciascott/DOCS-9725-Cloudcraft