An AWS S3 bucket lifecycle expiration policy was set to disabled

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.

Strategy

Check if @requestParameters.LifecycleConfiguration.Rule.Expiration.Days, @requestParameters.LifecycleConfiguration.Status:Disabled and @evt.name:PutBucketLifecycle fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket’s lifecycle configuration has been turned off.

Triage & Response

  1. Determine if {{@evt.name}} should have occurred on the {{@requestParameters.bucketName}} by username: {{@userIdentity.sessionContext.sessionIssuer.userName}}, accountId: {{@userIdentity.accountId}} of type: {{@userIdentity.assumed_role}}.
  2. If the {{@requestParameters.bucketName}} should not be disabled, escalate to engineering so they can re-enable it.
PREVIEWING: rtrieu/product-analytics-ui-changes