administrators within an aws organization structure may legitimately suspend object versioning. ensure that this behavior is not part of a legitimate operation before taking action.

t1490
aws
elastic

Techniques

T1490

Sample rules

AWS S3 Object Versioning Suspended

source: elastic
technicques:
- T1490

Description

Identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows for multiple versions of an object to exist in the same bucket. This allows for easy recovery of deleted or overwritten objects. When object versioning is suspended for a bucket, it could indicate an adversary’s attempt to inhibit system recovery following malicious activity. Additionally, when versioning is suspended, buckets can then be deleted.

Detection logic

any where event.dataset == "aws.cloudtrail" 
   and event.action == "PutBucketVersioning"
   and event.outcome == "success" 
   and stringContains(aws.cloudtrail.request_parameters, "Status=Suspended")