Elastic Security Detection Rules

AWS S3 Bucket Configuration Deletion

Last updated 20 days ago on 2025-10-29
Created 5 years ago on 2020-05-27

About

Identifies the deletion of critical Amazon S3 bucket configurations such as bucket policies, lifecycle configurations or encryption settings. These actions are typically administrative but may also represent adversarial attempts to remove security controls, disable data retention mechanisms, or conceal evidence of malicious activity. Adversaries who gain access to AWS credentials may delete logging, lifecycle, or policy configurations to disrupt forensic visibility and inhibit recovery. For example, deleting a bucket policy can open a bucket to public access or remove protective access restrictions, while deleting lifecycle rules can prevent object archival or automatic backups. Such actions often precede data exfiltration or destructive operations and should be reviewed in context with related S3 or IAM events.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: Amazon S3Use Case: Asset VisibilityTactic: Defense EvasionTactic: ImpactLanguage: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

Indicator Removal (T1070)(opens in a new tab or window)

Impair Defenses (T1562)(opens in a new tab or window)

Impact (TA0040)(opens in a new tab or window)

Inhibit System Recovery (T1490)(opens in a new tab or window)

False Positive Examples
Bucket configurations may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket configuration deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(opens in a new tab or window)

Query
event.dataset:aws.cloudtrail and 
    event.provider:s3.amazonaws.com and
    event.action:(DeleteBucketPolicy or 
                    DeleteBucketReplication or 
                    DeleteBucketCors or 
                    DeleteBucketEncryption or 
                    DeleteBucketLifecycle) and 
    event.outcome:success

Install detection rules in Elastic Security

Detect AWS S3 Bucket Configuration Deletion in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).