AWS S3 Bucket Lifecycle Rule for Rapid Log Deletion
An attacker modifies an AWS S3 bucket lifecycle policy to rapidly expire CloudTrail logs, hindering incident response and forensic analysis.
This threat involves the modification of AWS S3 bucket lifecycle policies to expedite the deletion of CloudTrail logs. The technique focuses on configuring a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. By shortening the retention period, attackers aim to quickly eliminate CloudTrail logs, thereby covering their tracks and impeding forensic investigations. This activity is significant because it directly targets security logging, a critical component for threat detection and incident response. This technique can be used by various threat actors seeking to evade detection within AWS environments.
Attack Chain
- The attacker gains unauthorized access to an AWS account, potentially through compromised credentials or a vulnerability.
- The attacker identifies the S3 bucket used to store CloudTrail logs.
- The attacker uses the AWS CLI or the AWS Management Console to execute the PutBucketLifecycle API call.
- The PutBucketLifecycle call modifies the lifecycle configuration of the S3 bucket.
- The new lifecycle rule specifies a short expiration period (less than three days) for objects in the bucket.
- CloudTrail logs within the S3 bucket are automatically deleted after the specified expiration period.
- The attacker’s actions are no longer recorded in CloudTrail, hindering incident response.
Impact
Successful execution of this attack leads to the rapid and irreversible deletion of CloudTrail logs. This can severely hamper incident response efforts, making it difficult to trace attacker actions, identify the scope of a breach, and conduct thorough forensic analysis. Organizations may be unable to meet compliance requirements related to data retention and audit logging.
Recommendation
- Deploy the provided Sigma rule to detect suspicious PutBucketLifecycle events with short expiration periods in your SIEM.
- Investigate any detected PutBucketLifecycle events modifying S3 bucket lifecycle policies (logsource: ASL AWS CloudTrail).
- Monitor AWS CloudTrail logs for unusual API calls related to S3 bucket lifecycle management (logsource: ASL AWS CloudTrail).
Detection coverage (2 rules)
Detect AWS S3 Bucket Lifecycle Policy Modification for Rapid Deletion
Severity: high. Detects modification of an AWS S3 bucket lifecycle policy to enable rapid deletion of logs, potentially to evade detection.
Detect AWS S3 Bucket Lifecycle Policy Modification using ASL
Severity: high. Detects modification of an AWS S3 bucket lifecycle policy using Amazon Security Lake logs, setting an expiration period of less than three days.
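As an added illustration of the detection logic the two rules above describe (this is example code, not the platform's own Sigma rules or queries), the following Python scans constructed CloudTrail-style records for PutBucketLifecycle calls whose enabled rules expire objects in fewer than three days. The bucket names, rule IDs and record layout are assumptions made for the sample and not taken from the page.

```python
# Constructed CloudTrail-style records (not real data): a one-day expiration on
# the log bucket, then an archive bucket with a 365-day rule and a disabled 1-day rule.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "requestParameters": {"bucketName": "corp-cloudtrail-logs",
                           "LifecycleConfiguration": {"Rule": {
                               "ID": "expire-fast", "Status": "Enabled",
                               "Expiration": {"Days": 1}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "requestParameters": {"bucketName": "corp-archive",
                           "LifecycleConfiguration": {"Rule": [
                               {"ID": "long-term", "Status": "Enabled",
                                "Expiration": {"Days": 365}},
                               {"ID": "disabled-fast", "Status": "Disabled",
                                "Expiration": {"Days": 1}}]}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketLifecycle",
     "requestParameters": {"bucketName": "corp-cloudtrail-logs"}},
]

MAX_SUSPICIOUS_DAYS = 3  # threshold from the rule description: fewer than three days


def short_expiration_rules(event, threshold=MAX_SUSPICIOUS_DAYS):
    """Return the enabled lifecycle rules in a PutBucketLifecycle record that
    expire objects in fewer than `threshold` days (empty list otherwise)."""
    if (event.get("eventSource"), event.get("eventName")) != ("s3.amazonaws.com", "PutBucketLifecycle"):
        return []
    params = event.get("requestParameters") or {}
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
    if isinstance(rules, dict):  # a single rule is logged as an object, not a list
        rules = [rules]
    hits = []
    for rule in rules:
        try:  # Days may be logged as a number or a string; date-based rules have none
            days = int((rule.get("Expiration") or {}).get("Days"))
        except (TypeError, ValueError):
            continue
        if rule.get("Status") == "Enabled" and days < threshold:
            hits.append(rule)
    return hits


def scan(events):
    """Return (bucket, rule ID, days) for every suspicious rule across records."""
    alerts = []
    for ev in events:
        for rule in short_expiration_rules(ev):
            alerts.append((ev["requestParameters"]["bucketName"],
                           rule.get("ID"), int(rule["Expiration"]["Days"])))
    return alerts
```

Only the one-day rule on the log bucket is reported; the disabled one-day rule and the 365-day rule are ignored, which is the behaviour a tuned SIEM rule should mirror to keep false positives down.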