An AWS S3 bucket mfaDelete is disabled
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect if versioning or MFA delete was disabled within an AWS S3 bucket’s Lifecycle configuration.
Strategy
This rule has two separate queries. The first query determines if @requestParameters.VersioningConfiguration.MfaDelete
is set to Disabled
. The second query determines if @requestParameters.VersioningConfiguration.Status
is set to Suspended
. For generating a signal, there are two cases. Case one generates a Medium
signal if query one AND two return true
. Case two will generate a Low
signal if query one OR two returns true
.
NOTE: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.
Triage & Response
Determine if {{@evt.name}}
should have occurred on the {{@requestParameters.bucketName}}
by username:
{{@userIdentity.sessionContext.sessionIssuer.userName}}
, accountId:
{{@userIdentity.accountId}}
of type:
{{@userIdentity.assumed_role}}
.