S3 Bucket Deleted
This alert occurs when Lacework detects the deletion of an S3 bucket in any AWS account.
Why this Alert is Important
Unauthorized S3 bucket deletion can cause loss of data or sensitive information. For example, if an attacker gets access to an AWS account with user privileges to delete an S3 bucket, this could compromise the availability of data.
Investigation
Ensure that only administrators have the ability to delete an S3 bucket. Validate if the S3 bucket was deleted by the authorized user. Check the user details for who deleted the S3 bucket. Search for anomalies such as logins from an unknown IP.
Resolution
Check for valid business justification for S3 bucket deletion.
Related Information
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/what-is-s3.html