CloudTrail Logs Impairment Through S3 Lifecycle Rule
MITRE ATT&CK Tactics
- Defense Evasion
Set a 1-day retention policy on the S3 bucket used by a CloudTrail Trail, using an S3 Lifecycle Rule.
- Create a CloudTrail trail logging to an S3 bucket.
- Apply an S3 Lifecycle Rule that automatically removes objects after 1 day.
Identify when a lifecycle rule with a short expiration is applied to an S3 bucket used for CloudTrail logging.
The CloudTrail event PutBucketLifecycle and its attribute requestParameters.LifecycleConfiguration.Rule.Expiration.Days can be used.
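One way to implement this check over exported CloudTrail records, as an added example that is not part of the original page. The bucket name, the 7-day threshold and the sample events are constructed assumptions, and the code assumes Rule may arrive as a single object or as a list of rules.

```python
# Assumptions (not from the page): the trail bucket name and the threshold.
CLOUDTRAIL_BUCKETS = {"example-cloudtrail-logs"}
MIN_RETENTION_DAYS = 7

def short_expiration_rules(event, buckets=CLOUDTRAIL_BUCKETS, min_days=MIN_RETENTION_DAYS):
    """Return [(rule_id, days)] for lifecycle rules that expire trail logs too quickly."""
    if event.get("eventName") != "PutBucketLifecycle" or event.get("errorCode"):
        return []  # other API call, or the request failed and changed nothing
    params = event.get("requestParameters") or {}
    if params.get("bucketName") not in buckets:
        return []
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
    if isinstance(rules, dict):  # assumed: one rule is an object, several are a list
        rules = [rules]
    findings = []
    for rule in rules:
        if rule.get("Status") == "Disabled":
            continue  # a disabled rule does not delete anything
        try:
            days = int((rule.get("Expiration") or {}).get("Days"))
        except (TypeError, ValueError):
            continue  # no day-based expiration in this rule
        if days < min_days:
            findings.append((rule.get("ID", "<no id>"), days))
    return findings

# Constructed sample events, trimmed to the fields the check reads.
SAMPLE_EVENTS = [
    {"eventName": "PutBucketLifecycle", "requestParameters": {
        "bucketName": "example-cloudtrail-logs",
        "LifecycleConfiguration": {"Rule": {
            "ID": "expire-fast", "Status": "Enabled", "Expiration": {"Days": 1}}}}},
    {"eventName": "PutBucketLifecycle", "requestParameters": {
        "bucketName": "example-cloudtrail-logs",
        "LifecycleConfiguration": {"Rule": [
            {"ID": "archive", "Status": "Enabled", "Expiration": {"Days": 365}},
            {"ID": "old-test", "Status": "Disabled", "Expiration": {"Days": 2}}]}}},
    {"eventName": "PutBucketLifecycle", "requestParameters": {
        "bucketName": "example-app-assets",
        "LifecycleConfiguration": {"Rule": {
            "ID": "tmp", "Status": "Enabled", "Expiration": {"Days": 1}}}}},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        for rule_id, days in short_expiration_rules(ev):
            print(f"event {i}: rule {rule_id!r} expires objects after {days} day(s)")
```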