Data Destruction: Lifecycle-Triggered Deletion


AWS Specific Sub-Technique



Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.

Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time. If a threat actor has sufficient permissions to modify these policies, they may be able to circumvent any restrictions on the deletion of individual objects and delete all objects at once.

For example, in AWS environments, an adversary with the PutBucketLifecycleConfiguration permission may use the PutBucketLifecycle API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day. In addition to destroying data for purposes of extortion and Financial Theft, adversaries may also perform this action on buckets storing cloud logs for Indicator Removal.

AWS Specific Content


A prerequisite for this technique is that a threat actor has already gained control of an AWS identity with permission to use the s3:PutBucketLifecycleConfiguration API, which allows objects and buckets within an AWS account to be deleted through lifecycle policies.

Using this technique, a threat actor changes the lifecycle policy of an Amazon S3 bucket so that the target bucket is subject to a policy that deletes its objects after a minimum time period, typically one day. This enables threat actors to destroy data within an AWS account, which is sometimes used as part of a ransomware campaign. This technique is related to Cloud Storage Discovery > S3 Objects and Buckets, as a threat actor will view information about buckets in the AWS account (s3:ListBuckets) and view objects in the buckets (s3:ListObjects) prior to using lifecycle policies to delete the objects. Note that it is also possible to use other S3 actions such as the s3:DeleteObjects API to delete objects within an AWS account; the use of that and other associated APIs is described in the Data Destruction > S3 Objects and Buckets technique.

Detection

AWS Specific Content


When this technique is used, the actions the threat actor takes with the obtained credentials are logged in CloudTrail. You can use the Event History page in the AWS CloudTrail console to view the last 90 days of management events in an AWS Region for the events listed in the AWS CloudTrail Event Name(s) section, such as s3:PutBucketLifecycleConfiguration.

A separate CloudTrail trail will give you an ongoing record of events in your AWS account past 90 days and can be configured to log events in multiple regions. You can also review events using the console as well as the AWS CLI.

It is also possible to create a CloudWatch metric filter to watch for when specific AWS API calls are used and perform notification actions if logged, and additionally configure CloudWatch to automatically perform an action in response to an alarm.


Data Sources:
  • DS0010 Cloud Storage / Cloud Storage Modification: Monitor for unexpected changes to cloud storage configurations and policies, especially unusually short retention periods. In AWS environments, monitor for PutBucketLifecycle events with a requestParameters.LifecycleConfiguration.Rule.Expiration.Days attribute below expected values.
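The following Python is an added example, not part of this page's content, that implements the data-component check above against constructed CloudTrail-style records. It normalises the Rule element (a dict for a single rule, a list for several), considers NoncurrentVersionExpiration alongside Expiration so that versioned buckets are covered, and flags lifecycle writes whose window is below an assumed 30-day baseline; the account ID, principals and bucket names are placeholders.

```python
# Constructed CloudTrail-style records (not real logs). The field path
# requestParameters.LifecycleConfiguration.Rule.Expiration.Days is the one
# named in the detection table; Rule is a dict for one rule, a list for many.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "amzn-s3-demo-bucket1", "LifecycleConfiguration": {
         "Rule": {"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 1}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/S3Administrator"},
     "requestParameters": {"bucketName": "audit-logs", "LifecycleConfiguration": {"Rule": [
         {"ID": "archive", "Status": "Enabled", "Transition": {"Days": 30, "StorageClass": "GLACIER"}},
         {"ID": "expire", "Status": "Enabled", "Expiration": {"Days": 365}}]}}},
]
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
MIN_EXPECTED_DAYS = 30  # assumed baseline; tune to the retention your buckets normally use

def lifecycle_rules(event):
    """Normalise the Rule element to a list of rule dicts."""
    params = event.get("requestParameters") or {}
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
    return rules if isinstance(rules, list) else [rules]

def shortest_expiration_days(event):
    """Smallest enabled expiration window in days, or None if none is set."""
    windows = []
    for rule in lifecycle_rules(event):
        if rule.get("Status") != "Enabled":
            continue  # disabled rules delete nothing
        for elem, key in (("Expiration", "Days"),
                          ("NoncurrentVersionExpiration", "NoncurrentDays")):
            days = (rule.get(elem) or {}).get(key)
            if isinstance(days, int):
                windows.append(days)
    return min(windows) if windows else None

def find_short_expirations(events, min_days=MIN_EXPECTED_DAYS):
    """Return (bucket, principal ARN, days) for each lifecycle write below min_days."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in LIFECYCLE_EVENTS:
            continue
        days = shortest_expiration_days(ev)
        if days is not None and days < min_days:
            hits.append((ev["requestParameters"]["bucketName"], ev["userIdentity"]["arn"], days))
    return hits
```

Wire the same logic into a CloudWatch Logs subscription or a query over an S3-delivered trail to alert on the returned tuples.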

Mitigation

AWS Specific Content


Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization and can be used to restrict the use of lifecycle policies to delete objects within an AWS account. You can also make sure that principals are scoped with the least-privileged permissions necessary to perform duties, limiting the ability to configure bucket policies on buckets with critical data to when they are required. Example SCPs are available here (note - you should test SCPs in a development environment before deploying them in production).

A bucket policy is a resource-based policy that you can use to grant access permissions to your Amazon S3 bucket and the objects in it. The permissions attached to the bucket apply to the objects in the bucket that are owned by the bucket owner. To explicitly block users or accounts from deleting objects, you should deny the following actions within the bucket policy: s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifecycleConfiguration.

In the following bucket policy example, you explicitly deny DELETE Object permissions to roles except the role 'S3Administrator' for the bucket 'amzn-s3-demo-bucket1'. An explicit Deny statement supersedes other permissions granted (note - you should test bucket policies in a development environment before deploying them in production).


{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "RestrictIAMBySourceIp",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "192.0.2.0/24",
                    "203.0.113.0/24"
                ]
            },
            "BoolIfExists": {
                "aws:ViaAWSService": "false"
            },
            "ArnLike": {
                "aws:PrincipalArn": "arn:aws:iam::*:user/*"
            }
        }
    }
}
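The policy above restricts IAM users by source IP rather than denying deletion. As an added example, not from this page or from AWS, the following bucket policy implements what the text describes: it denies s3:DeleteObject, s3:DeleteObjectVersion and s3:PutLifecycleConfiguration on amzn-s3-demo-bucket1 to every principal except the S3Administrator role; the account ID 111122223333 is a placeholder.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyObjectDeletionAndLifecycleChanges",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutLifecycleConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1",
                "arn:aws:s3:::amzn-s3-demo-bucket1/*"
            ],
            "Condition": {
                "ArnNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::111122223333:role/S3Administrator"
                }
            }
        }
    ]
}
```

Because this statement does not deny s3:PutBucketPolicy, a principal allowed to rewrite the bucket policy could remove it, which is why the SCP guidance above belongs alongside it.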


More bucket policy examples are available here.

You can also use IAM Access Analyzer to regularly review and verify access and manage permissions across your AWS environment, which will highlight AWS identities with excessive permissions and the actions performed by those identities.

This technique is typically used by threat actors as part of a ransomware campaign. AWS has published several resources on how to protect against ransomware and mitigate some of the actions described by this technique.


Mitigations:
  • M1053 Data Backup: Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
  • M1018 User Account Management: In cloud environments, limit permissions to modify cloud bucket lifecycle policies (e.g., PutLifecycleConfiguration in AWS) to only those accounts that require it. In AWS environments, consider using Service Control Policies to limit the use of the PutBucketLifecycle API call.

References

AWS Specific Information


AWS Services:
  • Amazon Simple Storage Service (S3)
AWS CloudTrail Event Names:
  • s3:PutBucketLifecycleConfiguration

Technique Information

ID: T1485.001
Aliases: T1485.001
Sub-technique of: T1485
Tactics:
  • Impact
Platforms:
  • IaaS
  • Amazon Web Services (AWS)
Created: 13 Sep 2024
Last Modified: 30 May 2025