{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/versioning/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["S3"],"_cs_severities":["medium"],"_cs_tags":["aws","s3","versioning","impact"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows for multiple versions of an object to exist in the same bucket, enabling easy recovery of deleted or overwritten objects. Adversaries may disable object versioning to inhibit system recovery following malicious activity, such as data deletion or ransomware deployment. Versioning suspension can also facilitate bucket deletion. The rule leverages AWS CloudTrail logs and specifically looks for \u003ccode\u003ePutBucketVersioning\u003c/code\u003e API calls with a \u0026quot;Status=Suspended\u0026quot; parameter. This activity matters for defenders as it can signify a malicious actor attempting to reduce the recoverability of data within an AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains unauthorized access to an AWS account through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe adversary identifies an S3 bucket containing valuable data or backups.\u003c/li\u003e\n\u003cli\u003eThe adversary executes a \u003ccode\u003ePutBucketVersioning\u003c/code\u003e API call to suspend versioning on the target S3 bucket. This can be done using the AWS CLI, SDK, or Management Console.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePutBucketVersioning\u003c/code\u003e request includes the parameter \u003ccode\u003eStatus=Suspended\u003c/code\u003e, which disables object versioning for the bucket.\u003c/li\u003e\n\u003cli\u003eThe successful \u003ccode\u003ePutBucketVersioning\u003c/code\u003e call is logged in AWS CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe adversary proceeds to delete or overwrite objects within the S3 bucket.\u003c/li\u003e\n\u003cli\u003eBecause versioning is suspended, the previous versions of the deleted or overwritten objects are not preserved, preventing easy recovery.\u003c/li\u003e\n\u003cli\u003eThe adversary achieves their objective of hindering system recovery and potentially causing data loss or disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuspending S3 object versioning can lead to significant data loss and hinder system recovery efforts. If an attacker suspends versioning and then deletes or overwrites objects, the organization may be unable to restore the data to its previous state. This can impact critical business operations, compliance requirements, and incident response capabilities. While specific numbers on victim counts are unavailable, the potential impact is high for organizations relying on S3 for data storage and backup.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003ePutBucketVersioning\u003c/code\u003e API calls with \u003ccode\u003eStatus=Suspended\u003c/code\u003e in AWS CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rule \u003ccode\u003es3-bucket-versioning-enabled\u003c/code\u003e to continuously monitor for versioning suspension and trigger automated alerts.\u003c/li\u003e\n\u003cli\u003eRestrict IAM permissions for \u003ccode\u003es3:PutBucketVersioning\u003c/code\u003e to trusted administrators only to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eReview CloudTrail logs for related actions such as \u003ccode\u003eDeleteObject\u003c/code\u003e, \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e, or \u003ccode\u003ePutBucketPolicy\u003c/code\u003e by the same user or IP to determine whether versioning suspension preceded object deletion or policy manipulation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-12T00:00:00Z","date_published":"2024-07-12T00:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-aws-s3-versioning-disabled/","summary":"Detection of S3 bucket versioning suspension via PutBucketVersioning API call, potentially indicating an attempt to inhibit system recovery by making restoration of deleted or overwritten objects impossible.","title":"AWS S3 Object Versioning Suspended","url":"https://feed.craftedsignal.io/briefs/2024-07-aws-s3-versioning-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed - Versioning","version":"https://jsonfeed.org/version/1.1"}