AWS S3 Bucket Server Access Logging Disabled
An adversary may disable server access logging for an Amazon S3 bucket in order to impair defenses by removing logs that contain evidence of malicious activity.
This detection identifies when server access logging is disabled for an Amazon S3 bucket. S3 server access logs provide a detailed record of requests made to a bucket, crucial for security monitoring and incident response. Disabling these logs impairs defenses by removing evidence of malicious activity, potentially indicating an adversary's attempt to hide their actions within the AWS environment. This activity is detected by analyzing AWS CloudTrail logs for PutBucketLogging events where the LoggingEnabled parameter is absent or explicitly disabled. The focus is on successful events that indicate a configuration change resulting in the cessation of logging, which is a key indicator of potential malicious intent to evade detection and forensic analysis. This event is particularly concerning if the affected bucket is used to store audit or access logs.
Attack Chain
- The attacker gains initial access to the AWS environment, potentially through compromised credentials or a misconfigured IAM role.
- The attacker identifies an S3 bucket of interest, possibly containing sensitive data or logs.
- The attacker uses AWS CLI, API calls, or the AWS Management Console to execute the
PutBucketLoggingaction against the target S3 bucket. - The
PutBucketLoggingrequest is crafted without theLoggingEnabledparameter or with the parameter explicitly set to disable logging. - The S3 service processes the request and successfully disables server access logging for the specified bucket.
- The AWS CloudTrail service records the
PutBucketLoggingevent with an outcome of "success". - The attacker may then perform actions such as
GetObject,CopyObject, orDeleteObjecton the S3 bucket without generating server access logs. - The attacker attempts to cover their tracks by deleting CloudTrail logs or further modifying IAM policies.
Impact
Disabling S3 server access logging significantly reduces the ability to monitor access to the S3 bucket, hindering incident response and forensic investigations. If the S3 bucket contains sensitive data, an attacker could exfiltrate or manipulate the data without detection. This could lead to data breaches, financial loss, and reputational damage. The impact is magnified if the bucket is used to store audit logs, as it impairs the ability to detect and investigate other security incidents.
Recommendation
- Deploy the Sigma rule
AWS S3 Bucket Server Access Logging Disabledto your SIEM and tune for your environment to detect the disabling of S3 bucket logging. - Enable AWS Config rule
cloudtrail-s3-bucket-access-loggingto alert if logging is disabled, as recommended in the overview. - Apply bucket-policy or SCP restrictions to prevent unauthorized modifications of
PutBucketLoggingfor audit/logging buckets, as mentioned in the overview. - Review AWS Config or Audit logs to see if the bucket’s logging was previously enabled and how long it has been disabled.
- Monitor CloudTrail logs for preceding or subsequent events by the same principal or for the same bucket related to permissions changes, such as
PutBucketAcl,PutBucketPolicy, orRemoveBucketAccessPoint.
Detection coverage 2
AWS S3 Bucket Server Access Logging Disabled
mediumDetects when server access logging is disabled for an Amazon S3 bucket.
AWS S3 Bucket Server Access Logging Disabled - EQL
mediumDetects when server access logging is disabled for an Amazon S3 bucket using EQL.
Detection queries are available on the platform. Get full rules →