S3 Bucket Deleted

This alert occurs when Lacework detects the deletion of an S3 bucket in any AWS account.

Why this Alert is Important

Unauthorized S3 bucket deletion can cause loss of data or sensitive information. For example, if an attacker gains access to an AWS account whose user privileges allow deleting an S3 bucket, this could compromise the availability of data.

Investigation

Ensure that only administrators have the ability to delete an S3 bucket. Validate that the S3 bucket was deleted by an authorized user. Check the details of the user who deleted the S3 bucket. Search for anomalies such as logins from an unknown IP.
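The investigation steps above, applied to CloudTrail records, as an added example that is not part of the original Lacework page. The administrator allowlist, the approved network range and the sample records are constructed assumptions; the event field names are the standard CloudTrail ones.

```python
import ipaddress

# Assumed allowlists (hypothetical values, not from the page).
ADMIN_ARNS = {"arn:aws:iam::111122223333:user/s3-admin"}
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def ip_is_known(addr):
    """True if addr is in an approved network; service names such as "AWS Internal" are not."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in KNOWN_NETWORKS)

def triage_bucket_deletions(records):
    """One finding per successful DeleteBucket call, with reasons to look closer."""
    # Principals that signed in to the console from an unapproved address.
    odd_logins = {r["userIdentity"]["arn"] for r in records
                  if r["eventName"] == "ConsoleLogin" and not ip_is_known(r["sourceIPAddress"])}
    findings = []
    for r in records:
        if r["eventName"] != "DeleteBucket" or "errorCode" in r:
            continue  # other events, or a denied attempt that deleted nothing
        arn, reasons = r["userIdentity"]["arn"], []
        if arn not in ADMIN_ARNS:
            reasons.append("principal is not an approved administrator")
        if not ip_is_known(r["sourceIPAddress"]):
            reasons.append("request came from an unknown IP")
        if arn in odd_logins:
            reasons.append("principal also logged in from an unknown IP")
        findings.append({"bucket": r["requestParameters"]["bucketName"],
                         "principal": arn, "time": r["eventTime"], "reasons": reasons})
    return findings

# Constructed CloudTrail records, trimmed to the fields used above.
DEV = {"arn": "arn:aws:iam::111122223333:user/dev"}
ADMIN = {"arn": "arn:aws:iam::111122223333:user/s3-admin"}
SAMPLE = [
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-01T09:58:00Z",
     "userIdentity": DEV, "sourceIPAddress": "203.0.113.7"},
    {"eventName": "DeleteBucket", "eventTime": "2024-01-01T10:02:00Z", "userIdentity": DEV,
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"bucketName": "example-logs"}},
    {"eventName": "DeleteBucket", "eventTime": "2024-01-01T11:00:00Z", "userIdentity": ADMIN,
     "sourceIPAddress": "198.51.100.20", "requestParameters": {"bucketName": "example-tmp"}},
    {"eventName": "DeleteBucket", "eventTime": "2024-01-01T11:05:00Z", "userIdentity": DEV,
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "example-prod"}},
]
```

A finding with an empty `reasons` list still needs the business justification check; the reasons only rank which deletions to look at first.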

Resolution

Check for a valid business justification for the S3 bucket deletion.

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/what-is-s3.html