AWS S3 Bucket Versioning Disabled
An adversary disables AWS S3 bucket versioning, preventing recovery of deleted or modified data as a potential precursor to data exfiltration or ransomware activity.
This detection identifies instances where an AWS user suspends versioning on an S3 bucket. The activity is logged via AWS CloudTrail and surfaced through Amazon Security Lake. This action is performed using the PutBucketVersioning API call and setting the VersioningConfiguration.Status to Suspended. While legitimate administrators may disable versioning for cost reasons, this activity can also be a precursor to malicious actions, such as data exfiltration or ransomware deployment by preventing recovery of previous object versions. Identifying this activity allows defenders to proactively respond to potential data compromise or data loss scenarios.
Attack Chain
- An attacker gains unauthorized access to an AWS account, possibly through compromised credentials or exploiting an IAM role.
- The attacker enumerates existing S3 buckets to identify potential targets for data exfiltration or disruption.
- The attacker executes the
PutBucketVersioningAPI call, setting theVersioningConfiguration.StatustoSuspendedfor a target S3 bucket. - The S3 bucket no longer retains previous versions of objects. Any subsequent modification or deletion of objects is permanent.
- The attacker uploads malicious files to the S3 bucket, or encrypts existing data rendering it unusable.
- The attacker may then attempt to exfiltrate the data from the compromised S3 bucket.
- The attacker covers their tracks by deleting CloudTrail logs, if possible.
Impact
Disabling S3 bucket versioning can lead to significant data loss, especially in the event of accidental or malicious deletion or modification. This can impact business continuity and recovery efforts. If followed by ransomware activity, the organization may suffer data encryption, system downtime, and financial losses related to recovery and potential ransom payments. The number of affected buckets and the sensitivity of the data contained within them will determine the extent of the impact.
Recommendation
- Deploy the Sigma rule
Detect AWS S3 Bucket Versioning Suspensionto your SIEM and tune for your environment to detect suspicious disabling of bucket versioning. - Investigate any instances of disabled bucket versioning using the provided
drilldown_searchesto identify the user, source IP, and other related events. - Implement multi-factor authentication (MFA) for all AWS accounts and IAM roles to reduce the risk of unauthorized access.
- Monitor CloudTrail logs for unusual API activity, particularly changes to S3 bucket configurations.
- Enforce the principle of least privilege to limit the IAM permissions available to users and roles.
- Review bucket access policies to ensure that only authorized users and services have access to sensitive data.
Detection coverage 2
Detect AWS S3 Bucket Versioning Suspension
mediumDetects when an AWS S3 bucket's versioning is suspended via the PutBucketVersioning API call.
Detect ASL AWS S3 Bucket Versioning Disabled
mediumDetects when AWS S3 bucket versioning is suspended in Amazon Security Lake logs.
Detection queries are available on the platform. Get full rules →