Skip to content

PutBucketLifecycleConfiguration

AWS

PutBucketLifecycleConfiguration

service: AWS - S3
techniques:

Event

Sets lifecycle rules on an S3 bucket to automatically transition objects to cheaper storage tiers or expire them.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.

Log Source

CloudTrail

Sample Event

Adversarial — defense impairment. Draco applies a 1-day expiration lifecycle rule to the CloudTrail log archive bucket (fantasticlogs-cloudtrail). After 24 hours, S3 begins permanently deleting old log objects — destroying the forensic record of his preceding actions. This is the canonical “CloudTrail logs impairment via S3 lifecycle” technique that bypasses CloudTrail’s own integrity controls (CloudTrail can’t undo what S3 deletes). T1485 + T1685 + T1685.002.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T21:42:08Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T23:25:09Z",
"eventSource": "s3.amazonaws.com",
"eventName": "PutBucketLifecycle",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "[aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/s3api.put-bucket-lifecycle-configuration]",
"requestParameters": {
"bucketName": "fantasticlogs-cloudtrail",
"Host": "fantasticlogs-cloudtrail.s3.amazonaws.com",
"lifecycle": [
""
],
"LifecycleConfiguration": {
"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
"Rule": [
{
"ID": "expire-cloudtrail-logs",
"Status": "Enabled",
"Filter": {
"Prefix": ""
},
"Expiration": {
"Days": 1
}
}
]
}
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000101100000",
"eventID": "90000000-0000-4000-8000-000101100001",
"readOnly": false,
"resources": [
{
"accountId": "555123456789",
"type": "AWS::S3::Bucket",
"ARN": "arn:aws:s3:::fantasticlogs-cloudtrail"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "fantasticlogs-cloudtrail.s3.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Impact Defense Impairment

Techniques:
  • T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...