Bucket logging may be disabled by a system or network administrator. Verify whether the user identity and/or user agent should be making changes in your environment. Bucket component deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS S3 Bucket Server Access Logging Disabled

Description

Identifies when server access logging is disabled for an Amazon S3 bucket. Server access logs provide a detailed record of requests made to an S3 bucket. When server access logging is disabled for a bucket, it could indicate an adversary’s attempt to impair defenses by disabling logs that contain evidence of malicious activity.

Detection logic

any where event.dataset == "aws.cloudtrail"
   and event.action == "PutBucketLogging"
   and event.outcome == "success"
   and not stringContains(aws.cloudtrail.request_parameters, "LoggingEnabled")
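The following is an added worked example, not part of the original rule page or the Elastic rule set. It re-implements the EQL predicate above clause by clause in Python, runs it over a handful of constructed CloudTrail events shaped the way the Elastic integration presents them (event.dataset, event.action, event.outcome, aws.cloudtrail.request_parameters), and then applies the exemption step the false-positive note describes: matches from a known identity or a known user agent are dropped, everything else is raised for triage. The identity and user-agent allow lists, the bucket and user names, and the choice to store request_parameters as JSON text (the real field is a flattened string) are all assumptions made for the example.

```python
import json
from typing import Any

# Constructed sample events (not real CloudTrail logs). Storing the request
# parameters as JSON text is an assumption so the example can also recover the
# bucket name; the rule itself only needs a substring test on that field.
def _params(**kw: Any) -> str:
    return json.dumps(kw)

def _event(action: str, outcome: str, user: str, agent: str, params: str) -> dict:
    return {
        "event": {"dataset": "aws.cloudtrail", "action": action, "outcome": outcome},
        "user": {"name": user},
        "user_agent": {"original": agent},
        "aws": {"cloudtrail": {"request_parameters": params}},
    }

SAMPLE_EVENTS = [
    # 1: logging switched off by an unfamiliar user from the CLI -> should alert
    _event("PutBucketLogging", "success", "contractor-tmp", "aws-cli/2.15.0",
           _params(bucketName="finance-audit", BucketLoggingStatus={})),
    # 2: same API call, but by the platform team through IaC -> known behaviour
    _event("PutBucketLogging", "success", "platform-admin",
           "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",   # constructed UA string
           _params(bucketName="scratch-data", BucketLoggingStatus={})),
    # 3: logging being ENABLED: request carries LoggingEnabled -> not a match
    _event("PutBucketLogging", "success", "platform-admin", "aws-cli/2.15.0",
           _params(bucketName="finance-audit",
                   BucketLoggingStatus={"LoggingEnabled": {"TargetBucket": "central-logs",
                                                           "TargetPrefix": "finance/"}})),
    # 4: the same disable attempt, but denied by IAM -> outcome is not success
    _event("PutBucketLogging", "failure", "contractor-tmp", "aws-cli/2.15.0",
           _params(bucketName="finance-audit", BucketLoggingStatus={})),
    # 5: unrelated bucket change -> action differs
    _event("PutBucketAcl", "success", "contractor-tmp", "aws-cli/2.15.0",
           _params(bucketName="finance-audit")),
]

def get_field(ev: dict, dotted: str, default: Any = "") -> Any:
    """Resolve an ECS-style dotted field name against a nested dict."""
    cur: Any = ev
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def matches_rule(ev: dict) -> bool:
    """Python equivalent of the EQL predicate, one clause per line."""
    return (
        get_field(ev, "event.dataset") == "aws.cloudtrail"
        and get_field(ev, "event.action") == "PutBucketLogging"
        and get_field(ev, "event.outcome") == "success"
        and "LoggingEnabled" not in get_field(ev, "aws.cloudtrail.request_parameters")
    )

# Hypothetical exemptions for behaviour the environment has already verified.
# Keep these narrow: one identity and one tooling user agent, not whole roles.
KNOWN_IDENTITIES = {"platform-admin"}
KNOWN_USER_AGENT_PREFIXES = ("APN/1.0 HashiCorp/",)

def is_known_behaviour(ev: dict) -> bool:
    user = get_field(ev, "user.name")
    agent = get_field(ev, "user_agent.original")
    return user in KNOWN_IDENTITIES and agent.startswith(KNOWN_USER_AGENT_PREFIXES)

def triage(events: list) -> list:
    """Return the rule matches that survive the known-behaviour exemption."""
    alerts = []
    for ev in events:
        if not matches_rule(ev) or is_known_behaviour(ev):
            continue
        try:
            bucket = json.loads(get_field(ev, "aws.cloudtrail.request_parameters")).get("bucketName", "unknown")
        except ValueError:
            bucket = "unknown"
        alerts.append({"user": get_field(ev, "user.name"),
                       "user_agent": get_field(ev, "user_agent.original"),
                       "bucket": bucket})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} disabled access logging on {alert['bucket']} via {alert['user_agent']}")
```

Of the five constructed events only the first two satisfy the EQL predicate; the second is then dropped because both its identity and its user agent are on the allow list, so a single alert remains. Requiring identity and user agent to agree before exempting is deliberate: an exemption keyed on the identity alone would also silence that identity's credentials being used from an unexpected client.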