Unexpected AWS API calls indicating S3 bucket encryption reset to default

ID: aws_s3_encryption_reset_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected the removal of an AWS S3 bucket's encryption configuration using the DeleteBucketEncryption API call. This action resets the bucket's encryption settings to the default state, which typically means reverting to AWS-managed encryption instead of customer-managed KMS keys. Note that the configuration governs the default applied to newly written objects; objects already stored in the bucket keep whatever encryption they were written with. While S3 bucket encryption configurations can be legitimately modified for operational reasons, removing encryption settings is unusual and may indicate an attempt to weaken data protection controls. Threat actors may disable bucket encryption to facilitate data exfiltration, prepare unencrypted data storage for easier access, or evade KMS-based monitoring and alerting mechanisms that track encrypted data access patterns.

Impact

Removing S3 bucket encryption settings eliminates critical data protection controls and exposes stored data to potential unauthorized access. Without encryption, data at rest becomes vulnerable if the bucket is compromised or misconfigured with public access. Threat actors can exploit this weakened security posture to exfiltrate sensitive information without triggering KMS decryption events that would otherwise alert security teams. Organizations may face compliance violations as many regulatory frameworks require encryption of sensitive data at rest, leading to potential fines and legal consequences. The lack of encryption also removes an important defense-in-depth layer, making it easier for adversaries to access data if they obtain bucket permissions through compromised credentials or misconfigurations.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent, or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time
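The severity ladder above, worked through as an added example (not AlphaSOC's detection code): each DeleteBucketEncryption record is compared with a per-principal baseline of previously seen actions, ASNs, user agents and regions, and the number of deviating properties selects the severity. The baseline, the IP-to-ASN map and the CloudTrail records are constructed for illustration.

```python
# Added example (not AlphaSOC's code): score DeleteBucketEncryption CloudTrail
# records by how many properties deviate from a constructed per-principal baseline.
import json

# Constructed baseline: properties previously seen for each IAM principal.
BASELINE = {
    "arn:aws:iam::123456789012:role/StorageAdmin": {
        "actions": {"PutBucketEncryption", "GetBucketEncryption"},
        "asns": {16509},
        "user_agents": {"aws-cli/2.15.0"},
        "regions": {"us-east-1"},
    },
}
# Constructed IP-to-ASN lookup; a real detector would query an ASN database.
IP_ASN = {"52.94.76.10": 16509, "203.0.113.5": 64512}
# One unexpected property -> Informational, two -> Low, three or more -> Medium.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}

def unexpected_properties(event, baseline=BASELINE):
    """Names of the properties that deviate from the principal's baseline."""
    profile = baseline.get(event["userIdentity"]["arn"], {})
    seen = {
        "action": event["eventName"] in profile.get("actions", set()),
        "asn": IP_ASN.get(event["sourceIPAddress"]) in profile.get("asns", set()),
        "user_agent": event.get("userAgent") in profile.get("user_agents", set()),
        "region": event["awsRegion"] in profile.get("regions", set()),
    }
    return sorted(name for name, ok in seen.items() if not ok)

def score(record, baseline=BASELINE):
    """Score one record (dict or JSON string); None unless an anomalous DeleteBucketEncryption."""
    event = json.loads(record) if isinstance(record, str) else record
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "DeleteBucketEncryption":
        return None
    unexpected = unexpected_properties(event, baseline)
    if not unexpected:  # routine for this principal from a known place and tool: no alert
        return None
    return {"bucket": event["requestParameters"]["bucketName"], "severity": SEVERITY[min(len(unexpected), 3)],
            "principal": event["userIdentity"]["arn"], "unexpected": unexpected}

# Constructed CloudTrail records, trimmed to the fields the detector reads.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketEncryption", "awsRegion": "us-east-1",
     "sourceIPAddress": "52.94.76.10", "userAgent": "aws-cli/2.15.0", "requestParameters": {"bucketName": "finance-reports"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/StorageAdmin"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketEncryption", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.5", "userAgent": "python-requests/2.31", "requestParameters": {"bucketName": "finance-reports"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/StorageAdmin"}},
]
```

The first sample record fires at Informational because only the action is new for that role; the second fires at Medium because the ASN, user agent and region are all unfamiliar as well.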

Investigation and Remediation

Review AWS CloudTrail logs to identify the IAM principal that executed the DeleteBucketEncryption API call, including the source IP address, user agent, and timing of the activity. Determine the specific S3 bucket affected and assess whether it contains sensitive data that requires encryption. Verify whether the activity was authorized through proper change management procedures or if it represents unauthorized modification. Check if the IAM user or role has legitimate business needs for modifying bucket encryption settings and whether the activity aligns with known operational workflows.

If unauthorized access is confirmed, immediately re-enable bucket encryption using aws s3api put-bucket-encryption with appropriate KMS key configuration. Revoke the compromised credentials and investigate any data access that occurred after encryption was removed. Review bucket access logs to identify potential data exfiltration attempts. Audit IAM policies to ensure they follow least-privilege principles, restricting s3:PutEncryptionConfiguration and s3:DeleteBucketEncryption permissions to only authorized administrators. Implement AWS Config rules to monitor and alert on encryption configuration changes. Consider using S3 bucket policies to enforce encryption and prevent unencrypted uploads using the s3:x-amz-server-side-encryption condition key.

Known False Positives

  • Authorized administrators modifying bucket encryption as part of planned migrations or configuration changes
  • Infrastructure-as-code deployments that temporarily remove and recreate encryption configurations
  • Compliance or security teams testing encryption controls during audits

Further Reading