AWS S3 bucket versioning suspended unexpectedly
Description
AlphaSOC detected that versioning for an AWS S3 bucket was suspended. AWS S3 bucket versioning is a feature that maintains multiple versions of objects, providing protection against deletions or overwrites. Suspending versioning may indicate that threat actors are attempting to disable data recovery mechanisms in preparation for a ransomware attack.
Impact
Suspending AWS S3 bucket versioning weakens data protection and recovery capabilities. It removes the ability to recover previous versions of objects, enabling threat actors to permanently delete or alter data. This can lead to data loss and compromised backup integrity.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS S3 bucket versioning suspended |
| Low | AWS S3 bucket versioning suspended unexpectedly |
Investigation and Remediation
Review AWS CloudTrail logs to investigate the suspension of AWS S3 bucket versioning. Verify whether the action was authorized and performed by a legitimate user. If unauthorized, re-enable versioning, rotate any compromised credentials, and assess whether any data was altered or deleted during the suspension period.
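The CloudTrail review described above can be scripted. This added example (not AlphaSOC's own detection logic) finds each suspension, records who made the change and from where, and lists the object changes made to that bucket until versioning was re-enabled. The sample records are constructed, the field layout is assumed to follow CloudTrail's `PutBucketVersioning` record, and object-level events only appear if S3 data event logging is enabled on the trail.

```python
import json

# Constructed sample records, trimmed to the fields used below (not real logs).
SAMPLE = json.loads("""[
 {"eventTime":"2024-05-01T10:00:00Z","eventName":"PutBucketVersioning",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-user"},
  "sourceIPAddress":"198.51.100.7",
  "requestParameters":{"bucketName":"example-backups",
    "VersioningConfiguration":{"Status":"Suspended"}}},
 {"eventTime":"2024-05-01T10:05:00Z","eventName":"DeleteObject",
  "requestParameters":{"bucketName":"example-backups","key":"db/2024-04-30.dump"}},
 {"eventTime":"2024-05-01T10:06:00Z","eventName":"PutObject",
  "requestParameters":{"bucketName":"example-other","key":"a.txt"}},
 {"eventTime":"2024-05-01T11:00:00Z","eventName":"PutBucketVersioning",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:role/example-admin"},
  "requestParameters":{"bucketName":"example-backups",
    "VersioningConfiguration":{"Status":"Enabled"}}},
 {"eventTime":"2024-05-01T11:30:00Z","eventName":"DeleteObject",
  "requestParameters":{"bucketName":"example-backups","key":"db/2024-04-29.dump"}}
]""")

# Object-level (data) events that can alter or remove data in the bucket.
OBJECT_WRITES = {"PutObject", "CopyObject", "DeleteObject", "DeleteObjects"}

def suspension_windows(records):
    """One finding per suspension: actor, source IP, object changes until re-enable."""
    findings, open_by_bucket = [], {}
    # CloudTrail eventTime is ISO 8601 UTC, so string order is time order.
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName")
        status = (params.get("VersioningConfiguration") or {}).get("Status")
        if rec["eventName"] == "PutBucketVersioning":
            if status == "Suspended" and bucket not in open_by_bucket:
                finding = {"bucket": bucket, "start": rec["eventTime"], "end": None,
                           "actor": (rec.get("userIdentity") or {}).get("arn"),
                           "source_ip": rec.get("sourceIPAddress"), "changes": []}
                open_by_bucket[bucket] = finding
                findings.append(finding)
            elif status == "Enabled" and bucket in open_by_bucket:
                open_by_bucket.pop(bucket)["end"] = rec["eventTime"]
        elif rec["eventName"] in OBJECT_WRITES and bucket in open_by_bucket:
            open_by_bucket[bucket]["changes"].append(
                (rec["eventTime"], rec["eventName"], params.get("key")))
    return findings
```

A finding whose `end` is `None` means versioning is still suspended and should be re-enabled; the `changes` list is the set of objects to check for alteration or deletion.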