bucket components may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket component deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

t1070
aws
elastic

Techniques

T1070

Sample rules

AWS S3 Bucket Configuration Deletion

source: elastic
technicques:
- T1070

Description

Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.

Detection logic

event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and
  event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or
                DeleteBucketEncryption or DeleteBucketLifecycle)
  and event.outcome:success