Rules Contributing to Suspicious Modification of S3 Bucket Alert

The following rules are used to identify suspicious activity within S3 Bucket logs. Any one or more of these will trigger the Suspicious Modification of S3 Bucket Alert. Details for each rule can be viewed by clicking the More Details link in the description.

| Title | Description |
| --- | --- |
| AWS S3 Data Management Tampering | Detects when a user tampers with S3 data management in Amazon Web Services. |
| AWS S3 Bucket Configuration Deletion | Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |
| Modification of AWS S3 Access Control List | This search detects modification of the Access Control List of an S3 bucket. |
| AWS Defense Evasion PutBucketLifecycle | This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. |
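
The `PutBucketLifecycle` check described above can be sketched as follows. This is an added example, not the rule's own implementation: the 3-day cut-off, the `requestParameters.LifecycleConfiguration.Rule.Expiration.Days` field layout, the function names and the sample records are all assumptions made for illustration.

```python
import json
SHORT_EXPIRATION_DAYS = 3  # assumed cut-off for "short"; the page gives no number

# Constructed CloudTrail records for illustration (not real log data).
SAMPLE_EVENTS = json.loads("""[
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-a"},
  "requestParameters": {"bucketName": "example-trail-logs", "LifecycleConfiguration":
    {"Rule": {"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 1}}}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-b"},
  "requestParameters": {"bucketName": "example-archive", "LifecycleConfiguration":
    {"Rule": [{"ID": "yearly", "Status": "Enabled", "Expiration": {"Days": 365}},
              {"ID": "tmp", "Status": "Enabled", "Expiration": {"Days": "2"}}]}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-c"},
  "requestParameters": {"bucketName": "example-denied", "LifecycleConfiguration":
    {"Rule": {"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 1}}}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-a"},
  "requestParameters": {"bucketName": "example-trail-logs"}}
]""")

def lifecycle_rules(event):
    """Rules under requestParameters.LifecycleConfiguration.Rule (assumed layout): dict or list."""
    config = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = config.get("Rule") or []
    return rules if isinstance(rules, list) else [rules]

def short_expiration_findings(events, threshold=SHORT_EXPIRATION_DAYS):
    findings = []
    for event in events:
        if (event.get("eventSource"), event.get("eventName")) != ("s3.amazonaws.com", "PutBucketLifecycle"):
            continue
        if event.get("errorCode"):  # the call failed, so no rule was created
            continue
        for rule in lifecycle_rules(event):
            days = (rule.get("Expiration") or {}).get("Days")
            if rule.get("Status") != "Enabled" or not str(days).isdigit():
                continue  # disabled rules and date-based or absent expirations are out of scope
            if int(days) < threshold:
                findings.append({"bucket": event["requestParameters"].get("bucketName"),
                                 "rule": rule.get("ID"), "days": int(days),
                                 "actor": (event.get("userIdentity") or {}).get("arn")})
    return findings

if __name__ == "__main__":
    for finding in short_expiration_findings(SAMPLE_EVENTS):
        print(finding)
```

Only the first two sample records produce findings: the denied call and the `PutBucketAcl` event are skipped, as is the 365-day rule in the second request.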