AWS S3 bucket configured with short retention period in a suspicious way
Description
AlphaSOC detected that an AWS S3 bucket has been configured with an unusually short retention period. This configuration uses S3 lifecycle policies to automatically delete objects after a specified time frame. Threat actors may exploit this capability to destroy evidence of their activities or to cause data loss by ensuring objects are automatically removed before they can be backed up or analyzed.
Impact
A shortened retention period on AWS S3 buckets can result in permanent data loss and compromise forensic investigation capabilities. This configuration may prevent security teams from accessing historical data needed for incident response, compliance audits, or breach investigations. Critical business data could be permanently lost if retention periods are reduced below organizational requirements.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS S3 bucket configured with short retention period |
| Low | AWS S3 bucket unexpectedly configured with short retention period |
| Medium | AWS S3 bucket configured with short retention period in a suspicious way |
Investigation and Remediation
Immediately review the AWS S3 bucket lifecycle policies and retention settings to verify whether the changes were authorized. If they were unauthorized, restore the retention period to organizational standards and consider implementing preventive controls such as S3 Object Lock or bucket policies that restrict lifecycle modifications. Enable versioning and MFA Delete on critical buckets to maintain data integrity even if retention policies are altered.
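One way to carry out the lifecycle review described above is to check each rule's expiration settings against a minimum retention value. The following is an added example, not AlphaSOC's detection logic: the function names and the 30-day threshold are assumptions, the sample configuration is constructed, and the input shape is that of boto3's `get_bucket_lifecycle_configuration()` response.

```python
from datetime import datetime, timedelta, timezone
MIN_RETENTION_DAYS = 30  # assumption: replace with your organizational standard


def rule_scope(rule):
    """Return the prefix a rule applies to, or a label for broader scopes."""
    flt = rule.get("Filter", {})
    both = flt.get("And", {})
    prefix = flt.get("Prefix") or both.get("Prefix") or rule.get("Prefix")
    if prefix:
        return prefix
    return "<tagged objects>" if "Tag" in flt or both.get("Tags") else "<entire bucket>"


def short_retention_findings(config, now=None, min_days=MIN_RETENTION_DAYS):
    """List enabled rules that delete objects sooner than min_days."""
    cutoff = (now or datetime.now(timezone.utc)) + timedelta(days=min_days)
    findings = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue  # disabled rules delete nothing
        exp = rule.get("Expiration", {})
        nce = rule.get("NoncurrentVersionExpiration", {})
        reasons = []
        if exp.get("Days", min_days) < min_days:
            reasons.append(f"current versions expire after {exp['Days']}d")
        if "Date" in exp and exp["Date"] < cutoff:
            reasons.append(f"current versions expire on {exp['Date']:%Y-%m-%d}")
        if nce.get("NoncurrentDays", min_days) < min_days:
            reasons.append(f"noncurrent versions expire after {nce['NoncurrentDays']}d")
        if reasons:
            findings.append({"id": rule.get("ID", "<no id>"),
                             "scope": rule_scope(rule), "reasons": reasons})
    return findings


# Constructed sample configuration (not taken from a real bucket).
SAMPLE = {"Rules": [
    {"ID": "purge-all", "Status": "Enabled", "Filter": {"Prefix": ""},
     "Expiration": {"Days": 1}, "NoncurrentVersionExpiration": {"NoncurrentDays": 1}},
    {"ID": "tmp-cleanup", "Status": "Enabled", "Filter": {"Prefix": "tmp/"},
     "Expiration": {"Days": 7}},
    {"ID": "archive", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
     "Expiration": {"Days": 365}},
    {"ID": "old-test", "Status": "Disabled", "Filter": {}, "Expiration": {"Days": 1}},
]}

for f in short_retention_findings(SAMPLE):
    print(f"{f['id']} [{f['scope']}]: {'; '.join(f['reasons'])}")
```

A rule that expires noncurrent versions quickly matters even on a versioned bucket, because it removes the copies that versioning would otherwise preserve.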