AWS S3 Object Versioning Suspended
Detection of S3 bucket versioning suspension via PutBucketVersioning API call, potentially indicating an attempt to inhibit system recovery by making restoration of deleted or overwritten objects impossible.
This detection identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows for multiple versions of an object to exist in the same bucket, enabling easy recovery of deleted or overwritten objects. Adversaries may disable object versioning to inhibit system recovery following malicious activity, such as data deletion or ransomware deployment. Versioning suspension can also facilitate bucket deletion. The rule leverages AWS CloudTrail logs and specifically looks for PutBucketVersioning API calls with a "Status=Suspended" parameter. This activity matters for defenders as it can signify a malicious actor attempting to reduce the recoverability of data within an AWS environment.
Attack Chain
- An adversary gains unauthorized access to an AWS account through compromised credentials or a misconfigured IAM role.
- The adversary identifies an S3 bucket containing valuable data or backups.
- The adversary executes a
PutBucketVersioningAPI call to suspend versioning on the target S3 bucket. This can be done using the AWS CLI, SDK, or Management Console. - The
PutBucketVersioningrequest includes the parameterStatus=Suspended, which disables object versioning for the bucket. - The successful
PutBucketVersioningcall is logged in AWS CloudTrail. - The adversary proceeds to delete or overwrite objects within the S3 bucket.
- Because versioning is suspended, the previous versions of the deleted or overwritten objects are not preserved, preventing easy recovery.
- The adversary achieves their objective of hindering system recovery and potentially causing data loss or disruption.
Impact
Suspending S3 object versioning can lead to significant data loss and hinder system recovery efforts. If an attacker suspends versioning and then deletes or overwrites objects, the organization may be unable to restore the data to its previous state. This can impact critical business operations, compliance requirements, and incident response capabilities. While specific numbers on victim counts are unavailable, the potential impact is high for organizations relying on S3 for data storage and backup.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect
PutBucketVersioningAPI calls withStatus=Suspendedin AWS CloudTrail logs. - Enable AWS Config rule
s3-bucket-versioning-enabledto continuously monitor for versioning suspension and trigger automated alerts. - Restrict IAM permissions for
s3:PutBucketVersioningto trusted administrators only to prevent unauthorized modifications. - Review CloudTrail logs for related actions such as
DeleteObject,PutBucketLifecycle, orPutBucketPolicyby the same user or IP to determine whether versioning suspension preceded object deletion or policy manipulation.
Detection coverage 2
AWS S3 Bucket Versioning Suspended
mediumDetects when S3 bucket versioning is suspended via PutBucketVersioning API call.
AWS S3 Bucket Versioning Suspended - EQL
mediumDetects when S3 bucket versioning is suspended via PutBucketVersioning API call using EQL.
Detection queries are available on the platform. Get full rules →