
Suspicious use of AWS APIs indicating S3 delete operations

ID: aws_s3_delete_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0040:T1485

Description

AlphaSOC detected anomalous use of AWS APIs indicating S3 deletion operations. This includes actions such as DeleteObject, DeleteBucket, and others. These actions can indicate data deletion attempts by threat actors.

Impact

Threat actors can use these actions to remove valuable data, which is especially damaging if no backup or object versioning is in place.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Investigate the detected S3 delete operation by reviewing AWS CloudTrail logs to identify the user, source IP, and specific actions performed. Verify if the operations were authorized and part of normal business processes. If unauthorized activity is confirmed, revoke the relevant IAM credentials, restore deleted data from backups if possible, and conduct a thorough security assessment of the affected S3 buckets and associated AWS accounts.
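The following is an added example, not AlphaSOC's detection code, showing how the severity table above can be applied to S3 delete events and how the fields an investigator needs (user ARN, source IP, action, bucket) can be pulled from the same records. It assumes CloudTrail records in their standard JSON export shape, an external enrichment step that maps source IPs to ASNs (here a constructed dictionary, since CloudTrail itself does not carry ASN), and a constructed per-account baseline of expected actions, ASNs, user agents and regions. The delete actions beyond DeleteObject and DeleteBucket, the choice to raise no alert when nothing is unexpected, and the mapping of four unexpected properties to Medium are assumptions for the example.

```python
"""Score S3 delete events from CloudTrail against an account baseline.

Added example; constructed data and baseline, not AlphaSOC's implementation.
"""
import json
from dataclasses import dataclass

# S3 API calls treated as deletion operations. DeleteObject and DeleteBucket
# come from the detection description; the remaining names are assumed.
S3_DELETE_ACTIONS = {
    "DeleteObject", "DeleteObjects", "DeleteBucket",
    "DeleteBucketPolicy", "DeleteBucketLifecycle", "DeleteObjectTagging",
}


@dataclass(frozen=True)
class Baseline:
    """What is considered 'expected' for this account (constructed)."""
    actions: frozenset
    asns: frozenset
    user_agents: frozenset
    regions: frozenset


# Constructed baseline: AS64496 is a documentation ASN (RFC 5398).
BASELINE = Baseline(
    actions=frozenset({"DeleteObject"}),
    asns=frozenset({64496}),
    user_agents=frozenset({"aws-cli/2.15.0"}),
    regions=frozenset({"us-east-1"}),
)

# Constructed IP-to-ASN enrichment (TEST-NET addresses). An IP that is absent
# resolves to None and therefore counts as an unexpected ASN.
ASN_LOOKUP = {"203.0.113.10": 64496}

# Constructed CloudTrail export with five records (one is not an S3 event).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-ci"},
     "requestParameters": {"bucketName": "example-backups", "key": "old.tgz"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "awsRegion": "eu-west-3",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-ci"},
     "requestParameters": {"bucketName": "example-backups", "key": "a.tgz"}},
    {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "python-requests/2.31.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-ci"},
     "requestParameters": {"bucketName": "example-backups", "key": "b.tgz"}},
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "python-requests/2.31.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-ci"},
     "requestParameters": {"bucketName": "example-backups"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "python-requests/2.31.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-ci"}},
]})


def load_records(export_text):
    """Parse a CloudTrail JSON export and return its list of records."""
    return json.loads(export_text)["Records"]


def is_s3_delete(record):
    """True for S3 API calls that delete objects, buckets or bucket config."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") in S3_DELETE_ACTIONS)


def unexpected_properties(record, baseline, asn_lookup):
    """Return the names of the properties that fall outside the baseline."""
    observed = {
        "action": record.get("eventName"),
        "asn": asn_lookup.get(record.get("sourceIPAddress")),
        "user_agent": record.get("userAgent"),
        "region": record.get("awsRegion"),
    }
    expected = {
        "action": baseline.actions, "asn": baseline.asns,
        "user_agent": baseline.user_agents, "region": baseline.regions,
    }
    return [name for name, value in observed.items() if value not in expected[name]]


def severity_for(unexpected_count):
    """Severity table from the page: 1 -> Informational, 2 -> Low, 3 -> Medium.
    Zero unexpected properties raises nothing; four is folded into Medium."""
    if unexpected_count == 0:
        return None
    if unexpected_count == 1:
        return "Informational"
    if unexpected_count == 2:
        return "Low"
    return "Medium"


def score_records(records, baseline, asn_lookup):
    """Produce one alert per anomalous S3 delete, with the investigation fields."""
    alerts = []
    for record in records:
        if not is_s3_delete(record):
            continue
        unexpected = unexpected_properties(record, baseline, asn_lookup)
        severity = severity_for(len(unexpected))
        if severity is None:
            continue  # fully expected delete: likely an authorized user
        alerts.append({
            "severity": severity,
            "unexpected": unexpected,
            "event_time": record.get("eventTime"),
            "action": record.get("eventName"),
            "bucket": record.get("requestParameters", {}).get("bucketName"),
            "user": record.get("userIdentity", {}).get("arn"),
            "source_ip": record.get("sourceIPAddress"),
        })
    return alerts


if __name__ == "__main__":
    for alert in score_records(load_records(SAMPLE_CLOUDTRAIL), BASELINE, ASN_LOOKUP):
        print(json.dumps(alert))
```

Run against the constructed export, the first record (expected action, ASN, user agent and region) produces no alert, the second escalates only on region (Informational), the third on ASN and user agent (Low), and the DeleteBucket from an unknown ASN, user agent and region reaches Medium. The EC2 record is ignored because the detection only considers S3 delete APIs. In a real deployment the baseline would be learned from historical CloudTrail data per account and the ASN lookup would come from an enrichment source rather than a literal dictionary.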

Known False Positives

  • Authorized users deleting files

Further Reading