AWS Bucket Deleted

Original Source: [Sigma source]
Title: AWS Bucket Deleted
Status: experimental
Description: Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
References:
  - https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html
  - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html
Author: Ivan Saakov, Nasreddine Bencherchali
Date: 2025-10-19
Modified: None
Tags:
  • attack.defense-evasion
Logsource:
  • product: aws
  • service: cloudtrail
Detection:
  selection_event_name:
    eventName: 'DeleteBucket'
  selection_status_success:
    errorCode: 'Success'
  selection_status_null:
    errorCode: null
  condition: selection_event_name and 1 of selection_status_*
Falsepositives:
  - During maintenance operations or testing, authorized administrators may delete S3 buckets as part of routine data management or cleanup activities.
Level: medium
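
The detection logic above, evaluated over sample records (an added example, not part of the Sigma rule or its repository). It assumes `selection_status_null` is meant to match records where `errorCode` is absent or null, which is how CloudTrail records a successful call; the records, ARNs and bucket names are constructed, and `rule_matches` and `alerts` are hypothetical helper names.

```python
import json

# Constructed CloudTrail records (not real log data), trimmed to the fields used here.
SAMPLE_RECORDS = json.loads("""[
 {"eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
  "requestParameters": {"bucketName": "example-logs"}},
 {"eventName": "DeleteBucket", "errorCode": "AccessDenied",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
  "requestParameters": {"bucketName": "example-backups"}},
 {"eventName": "DeleteBucketPolicy", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
  "requestParameters": {"bucketName": "example-logs"}},
 {"eventName": "DeleteBucket", "errorCode": "Success",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-cleanup"},
  "requestParameters": {"bucketName": "example-tmp"}}
]""")

def _eq(value, expected):
    # Sigma compares plain string values case-insensitively.
    return isinstance(value, str) and value.lower() == expected.lower()

def rule_matches(rec):
    """selection_event_name and 1 of selection_status_*"""
    selection_event_name = _eq(rec.get("eventName"), "DeleteBucket")
    selection_status_success = _eq(rec.get("errorCode"), "Success")
    # Assumption: a missing key and an explicit JSON null both count as null.
    selection_status_null = rec.get("errorCode") is None
    return selection_event_name and (selection_status_success or selection_status_null)

def alerts(records):
    """Return the triage fields (bucket, actor, source IP) for each matching record."""
    hits = []
    for rec in records:
        if rule_matches(rec):
            hits.append({
                "bucket": (rec.get("requestParameters") or {}).get("bucketName"),
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "source_ip": rec.get("sourceIPAddress"),
            })
    return hits

if __name__ == "__main__":
    for hit in alerts(SAMPLE_RECORDS):
        print(hit)
```

The `AccessDenied` attempt and the `DeleteBucketPolicy` call are not flagged: the rule fires only on completed bucket deletions, so failed attempts need a separate rule if they matter in your environment.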