AWS Cloud Trail Aws Defense Evasion Putbucketlifecycle
Query
let threshold_days = 7;
let _ExpectedEventNames = dynamic(["PutBucketLifecycle"]);
let _ExpectedRoleIdentityRegex = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "AWSAssumedRoleIdentityEventName_Regex" and Auxiliar has_any (_ExpectedEventNames)
| summarize RegEx = make_set(strcat(SourceResource, ActorPrincipalName))
| extend RegEx = strcat(@"^(", strcat_array(RegEx, "|"), @")$")
);
AWSCloudTrail
| where EventName == "PutBucketLifecycle"
| extend UserIdentityUserName = tostring(split(UserIdentityPrincipalid, ":")[1])
| where not(EventName in (_ExpectedEventNames) and strcat(SessionIssuerUserName, UserIdentityUserName) matches regex _ExpectedRoleIdentityRegex)
| extend RequestParameters = todynamic(RequestParameters)
| mv-expand Rule = iff(isempty(array_length(RequestParameters["LifecycleConfiguration"]["Rule"])), pack_array(RequestParameters["LifecycleConfiguration"]["Rule"]), RequestParameters["LifecycleConfiguration"]["Rule"])
| extend ExpirationDays = toint(Rule["Expiration"]["Days"])
| where ExpirationDays < threshold_days
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
ExpirationDays,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to bucket lifecycle configurations that may not meet expected security practices. Here's a simplified breakdown of what the query does:
-
Set a Threshold: It defines a threshold of 7 days for expiration settings in bucket lifecycle rules.
-
Expected Events and Roles: It identifies expected event names (
PutBucketLifecycle) and retrieves a list of expected role identities from a watchlist. This list is used to create a regular expression pattern to match against. -
Filter CloudTrail Logs: The query filters AWS CloudTrail logs to find events where the
EventNameisPutBucketLifecycle. -
Extract User Information: It extracts the username from the
UserIdentityPrincipalid. -
Exclude Expected Roles: It excludes events that match the expected role identities using the regular expression pattern created earlier.
-
Parse Request Parameters: It converts the
RequestParametersfield into a dynamic object and expands theRulearray to analyze each rule individually. -
Check Expiration Days: It checks if the
ExpirationDaysin the lifecycle rule is less than the defined threshold of 7 days. -
Invoke Additional Function: It calls an additional function
AWSIdentityRole()to enrich the data with identity role information. -
Select Relevant Fields: Finally, it projects (selects) a set of relevant fields to display in the results, including details about the event, user identity, and request parameters.
In summary, this query is used to detect potentially insecure bucket lifecycle configurations in AWS by identifying lifecycle rules with expiration settings shorter than 7 days, while excluding events from expected roles.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators