Use of AWS APIs indicating S3 delete operations
Description
AlphaSOC detected anomalous use of AWS APIs indicating S3 deletion operations. This includes actions such as DeleteObject, DeleteBucket, and others. These actions can indicate data deletion attempts by threat actors.
Impact
Threat actors can use these actions to remove valuable data, which may be especially dangerous if there is no backup or version control in place.
Severity
Severity | Condition |
---|---|
Informational | Unexpected action, ASN, user agent or region |
Low | Two unexpected properties at the same time |
Medium | Three unexpected properties at the same time |
Investigation and Remediation
Investigate the detected S3 delete operation by reviewing AWS CloudTrail logs to identify the user, source IP, and specific actions performed. Verify if the operations were authorized and part of normal business processes. If unauthorized activity is confirmed, revoke the relevant IAM credentials, restore deleted data from backups if possible, and conduct a thorough security assessment of the affected S3 buckets and associated AWS accounts.
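The CloudTrail review above can be scripted. This added example (not AlphaSOC's detection logic) filters S3 delete events, extracts the principal, source IP and bucket, and scores each event against the severity table; the per-principal baseline, the IP-to-ASN lookup and all sample records are constructed assumptions.

```python
# Event names treated as S3 delete operations. The page names DeleteObject and
# DeleteBucket "and others"; including DeleteObjects here is an assumption.
DELETE_EVENTS = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
# Severity by unexpected-property count, per the table; 4 -> Medium is an assumption.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium", 4: "Medium"}

def triage(records, baseline, ip_to_asn):
    """Return a finding for each S3 delete event with an unexpected property."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "s3.amazonaws.com"
                or rec.get("eventName") not in DELETE_EVENTS):
            continue
        arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
        ip = rec.get("sourceIPAddress", "")
        observed = {
            "action": rec["eventName"],
            "asn": ip_to_asn.get(ip, "unknown"),  # CloudTrail has no ASN field
            "user_agent": rec.get("userAgent", ""),
            "region": rec.get("awsRegion", ""),
        }
        known = baseline.get(arn, {})  # unseen principal: everything is unexpected
        unexpected = sorted(k for k, v in observed.items()
                            if v not in known.get(k, set()))
        if unexpected:
            params = rec.get("requestParameters") or {}
            findings.append({"severity": SEVERITY[len(unexpected)],
                             "principal": arn, "source_ip": ip,
                             "bucket": params.get("bucketName"),
                             "unexpected": unexpected})
    return findings

# Constructed sample data, not real logs.
SVC = "arn:aws:iam::111122223333:user/backup-svc"
BASELINE = {SVC: {"action": {"DeleteObject"}, "asn": {"AS64500"},
                  "user_agent": {"aws-cli/2.15.0"}, "region": {"eu-west-1"}}}
IP_TO_ASN = {"192.0.2.10": "AS64500", "198.51.100.7": "AS64511"}

def event(name, region, ip, agent):
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"arn": SVC},
            "requestParameters": {"bucketName": "example-bucket"}}

SAMPLE = [
    event("DeleteObject", "eu-west-1", "192.0.2.10", "aws-cli/2.15.0"),
    event("DeleteBucket", "eu-west-1", "192.0.2.10", "aws-cli/2.15.0"),
    event("DeleteBucket", "us-east-1", "198.51.100.7", "aws-cli/2.15.0"),
]
```

Object-level calls such as DeleteObject appear in CloudTrail only when S3 data event logging is enabled for the trail, so confirm that before concluding no objects were deleted.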
Known False Positives
- Authorized users deleting files