From 8805f73eb4c1f39214f207996364809f79421c96 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Tue, 28 Oct 2025 20:15:04 -0400 Subject: [PATCH 1/2] [Rule Tuning] AWS S3 Object Versioning Suspended AWS S3 Object Versioning Suspended This rule is performing well in telemetry, no major query changes in terms of detection logic or rule type. - to improve performance, changed event category field to `event.type` since `event.category` is not mapped for `PutBucketVersioning` event.action. This avoids use of `any` in query. - added `event.provider == "s3.amazonaws.com"` to query - added highlighted fields - updated investigation guide --- .../impact_s3_object_versioning_disabled.toml | 102 ++++++++++++++---- 1 file changed, 79 insertions(+), 23 deletions(-)
diff --git a/rules/integrations/aws/impact_s3_object_versioning_disabled.toml b/rules/integrations/aws/impact_s3_object_versioning_disabled.toml
index cc015fbf8e4..eb2858ecffc 100644
--- a/rules/integrations/aws/impact_s3_object_versioning_disabled.toml
+++ b/rules/integrations/aws/impact_s3_object_versioning_disabled.toml
@@ -2,13 +2,14 @@ creation_date = "2024/07/12" integration = ["aws"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/10/28" [rule] author = ["Elastic"] description = """ Identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows for multiple versions of an object to exist in the same bucket. This allows for easy recovery of deleted or overwritten objects. When object versioning is suspended for a bucket, it could indicate an adversary's attempt to inhibit system recovery following malicious activity. Additionally, when versioning is suspended, buckets can then be deleted. """ +event_category_override = "event.type" false_positives = [ """ Administrators within an AWS Organization structure may legitimately suspend object versioning. Ensure that this behavior is not part of a legitimate operation before taking action. 
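Review bot: `event_category_override = "event.type"` in this hunk, together with the new `info where` lead in the query hunk `@@ -77,7 +115,8 @@`, makes the rule depend on `event.type` being populated as `info` for `PutBucketVersioning`; the commit message says `event.category` is not mapped for that action, but nothing in the patch records why `event.type` is expected to be. If the integration left `event.type` unset for this action, the rule would silently match nothing rather than fail, a gap a later maintainer would not see. The commit message reports that telemetry validated the change, so this is probably fine, but the assumption belongs in the file, e.g. `# event.category is not populated for PutBucketVersioning; the EQL category is taken from event.type, which the query expects to be "info"` on the line above the override.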
@@ -21,38 +22,75 @@ license = "Elastic License v2" name = "AWS S3 Object Versioning Suspended" note = """ -## Triage and analysis +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +note = """## Triage and analysis ### Investigating AWS S3 Object Versioning Suspended -This rule detects when object versioning for an S3 bucket is suspended. Adversaries with access to a misconfigured S3 bucket may disable object versioning prior to replacing or deleting S3 objects, inhibiting recovery initiatives. -This rule uses [EQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-eql-rule) to look for use of the `PutBucketVersioning` operation where the `request_parameters` include `Status=Suspended`. +This rule detects when object versioning for an S3 bucket is suspended. S3 object versioning protects against data loss by maintaining prior versions of objects, allowing recovery if they are deleted or overwritten. +Adversaries with access to a misconfigured or compromised S3 bucket may disable versioning to inhibit recovery efforts, conceal data destruction, or prepare for ransomware-like activity. +This rule uses [EQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-eql-rule) to detect use of the `PutBucketVersioning` API operation where the request parameters include `Status=Suspended`. + +#### Possible investigation steps + +- **Identify the Actor** + - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who performed the action. + - Verify whether this user or role has a legitimate operational reason to modify bucket versioning and whether such actions are common for this identity. 
+ +- **Analyze the Source and Context** + - Review `source.ip` and `user_agent.original` to assess the origin of the request. + - Check for unusual geographic locations, IP ranges, or clients that do not typically manage storage configurations. -#### Possible Investigation Steps: +- **Evaluate the Affected Resource** + - Review `aws.cloudtrail.resources.arn` or `aws.cloudtrail.request_parameters` to identify which bucket’s versioning was modified. + - Determine whether this bucket contains critical or regulated data (logs, backups, audit evidence, etc.) that would be impacted by versioning suspension. -- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions. -- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access. -- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities. -- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions. -- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets. +- **Correlate with Related Activity** + - Search for additional CloudTrail events performed by the same actor or IP address within the same timeframe, such as: + - `DeleteObject`, `DeleteObjects`, or `PutBucketLifecycle` events (potential data destruction). 
+ - `PutBucketPolicy` or `PutBucketAcl` changes (permission manipulation). + - Review other detections related to S3 buckets or IAM changes to determine if this event is part of a larger sequence of destructive or unauthorized actions. -### False Positive Analysis: +- **Validate Intent** + - Confirm whether this configuration change aligns with approved maintenance or automation activity (e.g., cost optimization, test environment reset). + - If no corresponding change request or justification exists, treat this as a potential defense evasion or impact event. -- **Legitimate Administrative Actions**: Confirm if the action aligns with legitimate administrative tasks documented in change management systems. -- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. +### False positive analysis -### Response and Remediation: +- **Legitimate Administrative Actions** + - Administrators or infrastructure automation tools may suspend versioning during migrations or lifecycle testing. Confirm through change management documentation. +- **Automation and Pipelines** + - Verify whether Infrastructure-as-Code tools (e.g., Terraform, CloudFormation) or backup lifecycle scripts routinely modify versioning states. + - Exclude predictable automation identities where justified, while ensuring strong audit controls remain in place. -- **Immediate Review**: If the activity was unauthorized, search for replaced or deleted objects and review the bucket's access logs for any suspicious activity. -- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware. 
-- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege. -- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences. +### Response and remediation -### Additional Information: +**Containment and Validation** +- Re-enable versioning immediately for the affected bucket using the AWS Console or CLI (`aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled`). +- Verify the change with `get-bucket-versioning` to confirm the bucket is restored to “Enabled.” +- Identify IAM users or roles with `s3:PutBucketVersioning` permissions and restrict access to trusted administrators only. +- Preserve relevant CloudTrail, Config, and CloudWatch logs for the timeframe of the change to ensure integrity of investigation evidence. -For further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection: -- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf) -- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/) +**Investigation and Scoping** +- Search CloudTrail for related actions by the same user or IP, including `DeleteObject`, `PutBucketLifecycle`, or `PutBucketPolicy`, to determine whether versioning suspension preceded object deletion or policy manipulation. 
+- Review S3 access logs or Data Events for deleted, overwritten, or newly uploaded files after versioning suspension. +- Validate if the change corresponds to an authorized change request or approved pipeline deployment. + +**Recovery and Hardening** +- If object loss or overwrites occurred, attempt recovery using cross-region replication, AWS Backup, or previous snapshot copies. +- Enable S3 Object Lock and MFA Delete on critical buckets to prevent future tampering. +- Configure the AWS Config rule `s3-bucket-versioning-enabled` to continuously monitor for versioning suspension and trigger automated alerts. +- Review IAM and service control policies to ensure the principle of least privilege is enforced for all S3 management actions. +- Document findings and update incident response procedures to include versioning protection as part of ransomware and data destruction prevention strategies. + + +### Additional information +- AWS Documentation: [Using Versioning in S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html) +- API Reference: [PutBucketVersioning](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html) +- [AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/) +- [AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs) """ references = [ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html/", @@ -77,7 +115,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where event.dataset == "aws.cloudtrail" +info where event.dataset == "aws.cloudtrail" + and event.provider == "s3.amazonaws.com" and event.action == "PutBucketVersioning" and event.outcome == "success" and stringContains(aws.cloudtrail.request_parameters, "Status=Suspended") 
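Review bot: The `Correlate with Related Activity` bullet tells the analyst to search CloudTrail for `DeleteObject` or `DeleteObjects` by the same actor, but those are S3 object-level calls that CloudTrail records only as data events, which are absent unless data event logging has been enabled for the bucket; the later `Investigation and Scoping` section does say `Review S3 access logs or Data Events`, so the earlier bullet should carry the same caveat. Suggest changing it to `` - `DeleteObject`, `DeleteObjects`, or `PutBucketLifecycle` events (potential data destruction; the first two are S3 data events and appear only if data event logging or server access logging is enabled for the bucket). ``. Separately, the `Containment and Validation` step that re-enables versioning is sound, but it protects only writes made after that point, which the `Recovery and Hardening` section could state explicitly so analysts do not assume re-enabling restores objects overwritten while versioning was suspended.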
@@ -97,3 +136,20 @@ id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/"
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "aws.cloudtrail.resources.arn", # if action taken against a resource
+ "aws.cloudtrail.resources.type", # if action taken against a resource
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+ "aws.cloudtrail.request_parameters" ]
From dc79911cb317d5ed03ab625fb42ebd11bba1ed6e Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Tue, 28 Oct 2025 20:28:38 -0400 Subject: [PATCH 2/2] removed some copy errors --- .../aws/impact_s3_object_versioning_disabled.toml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/rules/integrations/aws/impact_s3_object_versioning_disabled.toml b/rules/integrations/aws/impact_s3_object_versioning_disabled.toml
index eb2858ecffc..36d37783437 100644
--- a/rules/integrations/aws/impact_s3_object_versioning_disabled.toml
+++ b/rules/integrations/aws/impact_s3_object_versioning_disabled.toml
@@ -20,13 +20,11 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "eql" license = "Elastic License v2" name = "AWS S3 Object Versioning Suspended" -note = """ +note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -note = """## Triage and analysis - ### Investigating AWS S3 Object Versioning Suspended This rule detects when object versioning for an S3 bucket is suspended. S3 object versioning protects against data loss by maintaining prior versions of objects, allowing recovery if they are deleted or overwritten. @@ -145,8 +143,8 @@ field_names = [ "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.access_key_id", - "aws.cloudtrail.resources.arn", # if action taken against a resource - "aws.cloudtrail.resources.type", # if action taken against a resource + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", "event.action", "event.outcome", "cloud.account.id",