{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/s3/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["S3"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","s3","data_loss"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe deletion of an S3 bucket is a critical event to monitor in AWS environments. Legitimate administrative work does involve bucket deletion, but unauthorized or accidental removal leads to data loss and business disruption. This brief covers detecting such events through AWS CloudTrail, which records the API calls made against an account. \u003ccode\u003eDeleteBucket\u003c/code\u003e is an S3 management event and is logged by default; the \u003ccode\u003eDeleteObject\u003c/code\u003e calls needed to empty a bucket before it can be deleted are data events, which CloudTrail records only when S3 data-event logging is enabled on the trail. Monitoring for \u003ccode\u003eDeleteBucket\u003c/code\u003e events identifies malicious activity or unintentional misconfiguration that could compromise data availability and integrity. 
The detection flags every \u003ccode\u003eDeleteBucket\u003c/code\u003e API call in CloudTrail, successful or not: a failed call, visible as a record carrying an \u003ccode\u003eerrorCode\u003c/code\u003e such as \u003ccode\u003eAccessDenied\u003c/code\u003e or \u003ccode\u003eBucketNotEmpty\u003c/code\u003e, is still an early warning that someone is attempting destructive access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account through compromised credentials or a privilege escalation exploit.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing S3 buckets with the \u003ccode\u003eListBuckets\u003c/code\u003e API call to identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target bucket containing sensitive data or backups.\u003c/li\u003e\n\u003cli\u003eThe attacker empties the bucket (S3 rejects \u003ccode\u003eDeleteBucket\u003c/code\u003e on a non-empty bucket with \u003ccode\u003eBucketNotEmpty\u003c/code\u003e, so every object, object version, and delete marker must be removed first) and then issues a \u003ccode\u003eDeleteBucket\u003c/code\u003e call using the AWS CLI or SDK.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eDeleteBucket\u003c/code\u003e event, including the calling identity, source IP address, timestamp, bucket name, and any error code.\u003c/li\u003e\n\u003cli\u003eIf successful, the bucket no longer exists, and the objects removed to empty it are unrecoverable unless copies exist elsewhere.\u003c/li\u003e\n\u003cli\u003eThe attacker may try to cover their tracks by deleting the trail with \u003ccode\u003eDeleteTrail\u003c/code\u003e or pausing it with \u003ccode\u003eStopLogging\u003c/code\u003e; both calls are themselves recorded as CloudTrail management events.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDeleting a bucket, together with the object deletions that precede it, destroys all data the bucket held. This can cause service disruption and financial loss, especially if the bucket contained critical business data or backups, and plain versioning does not help because all object versions must already be gone for the deletion to succeed. The impact ranges from a short outage to an unrecoverable loss depending on how critical the data was and whether the organization\u0026rsquo;s backup and recovery capabilities cover it. 
Without monitoring and alerting, a bucket deletion can go unnoticed for an extended period, hindering incident response and widening the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule that accompanies this brief to your SIEM to detect \u003ccode\u003eDeleteBucket\u003c/code\u003e events in CloudTrail logs, and alert on \u003ccode\u003eDeleteTrail\u003c/code\u003e and \u003ccode\u003eStopLogging\u003c/code\u003e alongside it.\u003c/li\u003e\n\u003cli\u003eInvestigate every detected \u003ccode\u003eDeleteBucket\u003c/code\u003e event, failed ones included: confirm that the \u003ccode\u003euserIdentity\u003c/code\u003e, \u003ccode\u003esourceIPAddress\u003c/code\u003e, and \u003ccode\u003euserAgent\u003c/code\u003e in the record match an authorized change and that the deletion was approved by the appropriate personnel.\u003c/li\u003e\n\u003cli\u003eEnable S3 data-event logging on the trail so that the \u003ccode\u003eDeleteObject\u003c/code\u003e activity that necessarily precedes a bucket deletion is visible.\u003c/li\u003e\n\u003cli\u003eRequire multi-factor authentication (MFA) for all IAM users and the root user to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eEnforce least-privilege IAM policies and review permissions regularly to limit the blast radius of a compromised principal; an SCP or bucket policy that denies \u003ccode\u003es3:DeleteBucket\u003c/code\u003e except to a dedicated administrative role removes the capability from everyday credentials entirely.\u003c/li\u003e\n\u003cli\u003eEnable versioning together with MFA Delete or S3 Object Lock on buckets holding critical data: versioning alone recovers accidentally deleted objects, but only MFA Delete or Object Lock stops a single compromised credential from purging the versions and then deleting the bucket.\u003c/li\u003e\n\u003cli\u003eMaintain backups and a disaster recovery plan, for example cross-region or cross-account replication, so that business continuity does not depend on any single bucket surviving.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:27:00Z","date_published":"2024-01-02T14:27:00Z","id":"/briefs/2024-01-aws-bucket-deletion/","summary":"An AWS S3 bucket deletion event was detected via CloudTrail logs, potentially indicating data loss or unauthorized access attempts.","title":"AWS S3 Bucket Deletion Detected via CloudTrail","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-bucket-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — S3","version":"https://jsonfeed.org/version/1.1"}
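The detection the brief describes, run over a handful of constructed CloudTrail records that follow its attack chain (enumeration, a DeleteBucket rejected with BucketNotEmpty, the successful DeleteBucket after the bucket is emptied, an AccessDenied attempt from a second identity, and a DeleteTrail). This is an added example, not the brief's own Sigma rule or any CraftedSignal code. The record field names (eventSource, eventName, errorCode, requestParameters.bucketName, userIdentity.arn, sourceIPAddress) are the standard CloudTrail ones; the sample records, account ID, bucket and trail names, the severity mapping and the correlate helper are assumptions made for this example.

```python
"""Detect S3 bucket deletion and CloudTrail tampering in CloudTrail records."""
import json
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample records, not real CloudTrail output (account ID, names and
# IPs are placeholders). Order follows the brief's attack chain.
SAMPLE_LOG = """\
{"eventTime": "2024-01-02T14:20:11Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"}, "sourceIPAddress": "203.0.113.10", "awsRegion": "us-east-1", "requestParameters": null}
{"eventTime": "2024-01-02T14:21:03Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"}, "sourceIPAddress": "203.0.113.10", "awsRegion": "us-east-1", "requestParameters": {"bucketName": "corp-backups"}, "errorCode": "BucketNotEmpty", "errorMessage": "The bucket you tried to delete is not empty"}
{"eventTime": "2024-01-02T14:25:40Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"}, "sourceIPAddress": "203.0.113.10", "awsRegion": "us-east-1", "requestParameters": {"bucketName": "corp-backups"}}
{"eventTime": "2024-01-02T14:26:02Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/alice"}, "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1", "requestParameters": {"bucketName": "corp-logs"}, "errorCode": "AccessDenied", "errorMessage": "Access Denied"}
{"eventTime": "2024-01-02T14:27:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"}, "sourceIPAddress": "203.0.113.10", "awsRegion": "us-east-1", "requestParameters": {"name": "org-trail"}}
"""

# (eventSource, eventName) -> (severity on success, requestParameters key that names the target).
# The severity values are this example's own choice, not a CloudTrail field.
WATCHED: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("s3.amazonaws.com", "DeleteBucket"): ("medium", "bucketName"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"): ("high", "name"),
    ("cloudtrail.amazonaws.com", "StopLogging"): ("high", "name"),
}


@dataclass(frozen=True)
class Alert:
    time: str
    event: str
    actor: str        # userIdentity.arn
    source_ip: str
    target: str       # bucket or trail name
    outcome: str      # "success" or "failed:<errorCode>"
    severity: str


def load_records(text: str) -> List[dict]:
    """Accept newline-delimited JSON records or a CloudTrail {"Records": [...]} document."""
    text = text.strip()
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # Not one JSON value, so treat the input as one record per line.
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return doc["Records"] if isinstance(doc, dict) and "Records" in doc else [doc]


def detect(records: List[dict]) -> List[Alert]:
    """One alert per watched call, successful or not; a failed DeleteBucket still matters."""
    alerts: List[Alert] = []
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key not in WATCHED:
            continue
        severity, target_key = WATCHED[key]
        params = rec.get("requestParameters") or {}
        error = rec.get("errorCode")  # absent on success
        alerts.append(Alert(
            time=rec.get("eventTime", ""),
            event=key[1],
            actor=(rec.get("userIdentity") or {}).get("arn", "unknown"),
            source_ip=rec.get("sourceIPAddress", ""),
            target=params.get(target_key, "unknown"),
            outcome="success" if error is None else f"failed:{error}",
            severity=severity if error is None else "low",
        ))
    return alerts


def correlate(alerts: List[Alert]) -> Set[str]:
    """Identities that both successfully deleted a bucket and tampered with a trail."""
    deleted = {a.actor for a in alerts if a.event == "DeleteBucket" and a.outcome == "success"}
    tampered = {a.actor for a in alerts if a.event in ("DeleteTrail", "StopLogging")}
    return deleted & tampered


if __name__ == "__main__":
    found = detect(load_records(SAMPLE_LOG))
    for a in found:
        print(f"{a.time} [{a.severity}] {a.event} {a.target} by {a.actor} "
              f"from {a.source_ip}: {a.outcome}")
    for actor in correlate(found):
        print(f"ESCALATE: {actor} deleted a bucket and then tampered with CloudTrail")
```

Run it against a trail export by passing the file contents to `load_records`; the BucketNotEmpty failure shows why the preceding object deletions, which are data events, are worth logging, and the AccessDenied record from the read-only role is the kind of failed call the brief says should still raise an alert.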