sigmaDRL-1.1from SigmaHQ/sigma
AWS Bucket Deleted
Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
Quality
82
FP risk
—
Forks
0
Views
0
Rule sourcerules/cloud/aws/cloudtrail/aws_cloudtrail_bucket_deleted.yml
title: AWS Bucket Deleted
id: 39c9f26d-6e3b-4dbb-9c7a-4154b0281112
status: experimental
description: |
Detects the deletion of S3 buckets in AWS CloudTrail logs.
Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
references:
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html
author: Ivan Saakov, Nasreddine Bencherchali
date: 2025-10-19
tags:
- attack.defense-evasion
logsource:
product: aws
service: cloudtrail
detection:
selection_event_name:
eventName: 'DeleteBucket'
selection_status_success:
errorCode: 'Success'
selection_status_null:
errorCode: null
condition: selection_event_name and 1 of selection_status_*
falsepositives:
- During maintenance operations or testing, authorized administrators may delete S3 buckets as part of routine data management or cleanup activities.
level: medium