An AWS S3 bucket mfaDelete is disabled

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect if versioning or MFA delete was disabled within an AWS S3 bucket’s Lifecycle configuration.

Strategy

This rule has two separate queries. The first query determines if @requestParameters.VersioningConfiguration.MfaDelete is set to Disabled. The second query determines if @requestParameters.VersioningConfiguration.Status is set to Suspended. For generating a signal, there are two cases. Case one generates a Medium signal if query one AND two return true. Case two will generate a Low signal if query one OR two returns true.

NOTE: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.

Triage & Response

Determine if {{@evt.name}} should have occurred on the {{@requestParameters.bucketName}} by username: {{@userIdentity.sessionContext.sessionIssuer.userName}}, accountId: {{@userIdentity.accountId}} of type: {{@userIdentity.assumed_role}}.

PREVIEWING: rtrieu/product-analytics-ui-changes