Data Destruction: Lifecycle-Triggered Deletion

Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.

Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.[1][2][3] If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once.

For example, in AWS environments, an adversary with the PutLifecycleConfiguration permission may use the PutBucketLifecycle API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.[4] In addition to destroying data for purposes of extortion and Financial Theft, adversaries may also perform this action on buckets storing cloud logs for Indicator Removal.[5]

ID: T1485.001
Sub-technique of: T1485
Tactic: Impact
Platforms: IaaS
Impact Type: Availability
Version: 1.0
Created: 25 September 2024
Last Modified: 16 October 2024

Mitigations

ID Mitigation Description
M1053 Data Backup

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[6] Ensure backups are stored off system and protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

M1018 User Account Management

In cloud environments, limit permissions to modify cloud bucket lifecycle policies (e.g., PutLifecycleConfiguration in AWS) to only those accounts that require it. In AWS environments, consider using Service Control Policies (SCPs) to limit the use of the PutBucketLifecycle API call.
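As an added illustration of that mitigation (this policy is not from the ATT&CK page or from AWS documentation), the SCP below denies the s3:PutLifecycleConfiguration action, which is the IAM permission behind the PutBucketLifecycle API call, to every principal in the organization except an assumed, placeholder role named StorageLifecycleAdmin. The role name and the account wildcard are assumptions; substitute the principal your change process actually uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLifecycleChangesExceptPlaceholderAdminRole",
      "Effect": "Deny",
      "Action": [
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/StorageLifecycleAdmin"
        }
      }
    }
  ]
}
```

Because an SCP is an explicit deny evaluated before any identity policy, a compromised user or role that has been granted PutLifecycleConfiguration in its own IAM policy is still blocked; the exempted role should itself be protected by MFA and a narrow trust policy, since it becomes the one path an adversary could use.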

Detection

ID Data Source Data Component Detects
DS0010 Cloud Storage Cloud Storage Modification

Monitor for unexpected use of lifecycle policies. Where lifecycle policies are already in use, monitor for changes to cloud storage configurations and policies, such as buckets configured in the policy or unusually short retention periods. In AWS environments, monitor for PutBucketLifecycle events with a requestParameters.LifecycleConfiguration.Rule.Expiration.Days attribute below expected values.[5]

References