Detection rules › Panther
AWS S3 Bucket MFA Delete
Ensures that MFA delete is enabled for a bucket so that all objects can only be deleted by users authenticated with MFA.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1485 Data Destruction |
Rule body yaml
AnalysisType: policy
Filename: aws_s3_bucket_mfa_delete.py
PolicyID: "AWS.S3.Bucket.MFADelete"
DisplayName: "AWS S3 Bucket MFA Delete"
Enabled: true
ResourceTypes:
- AWS.S3.Bucket
Tags:
- AWS
- Data Protection
- Impact:Data Destruction
Reports:
MITRE ATT&CK:
- TA0040:T1485
Severity: Low
Description: >
Ensures that MFA delete is enabled for a bucket so that all objects can only be deleted by users authenticated with MFA.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-s3-bucket-has-mfa-delete-enabled
Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html
Tests:
- Name: Bucket MFA Delete Never Set
ExpectedResult: false
Resource:
{
"CreationDate": "2019-01-01T00:00:00Z",
"EncryptionRules":
[
{
"ApplyServerSideEncryptionByDefault":
{ "KMSMasterKeyID": null, "SSEAlgorithm": "AES256" },
},
],
"Grants": null,
"LifecycleRules": null,
"Location": "us-east-2",
"LoggingPolicy": null,
"MFADelete": null,
"Name": "bucket-name",
"Owner":
{
"DisplayName": "user.name",
"ID": "11112223334445556667778899aaabbbcccdddeeee",
},
"Policy": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":["s3:ListBucket","s3:PutObject"],"Resource":["arn:aws:s3:::test-bucket/*","arn:aws:s3:::test-bucket"]}]}',
"PublicAccessBlockConfiguration":
{
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": false,
},
"Versioning": null,
}
- Name: Bucket Has MFA Delete Enabled
ExpectedResult: true
Resource:
{
"CreationDate": "2019-01-01T00:00:00Z",
"EncryptionRules":
[
{
"ApplyServerSideEncryptionByDefault":
{ "KMSMasterKeyID": null, "SSEAlgorithm": "AES256" },
},
],
"Grants": null,
"LifecycleRules": null,
"Location": "us-east-2",
"LoggingPolicy": null,
"MFADelete": "Enabled",
"Name": "bucket-name",
"Owner":
{
"DisplayName": "user.name",
"ID": "11112223334445556667778899aaabbbcccdddeeee",
},
"Policy": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":["s3:ListBucket","s3:PutObject"],"Resource":["arn:aws:s3:::test-bucket/*","arn:aws:s3:::test-bucket"]}]}',
"PublicAccessBlockConfiguration":
{
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": false,
},
"Versioning": null,
}
- Name: Bucket Does Not MFA Delete Enabled
ExpectedResult: false
Resource:
{
"CreationDate": "2019-01-01T00:00:00Z",
"EncryptionRules":
[
{
"ApplyServerSideEncryptionByDefault":
{ "KMSMasterKeyID": null, "SSEAlgorithm": "AES256" },
},
],
"Grants": null,
"LifecycleRules": null,
"Location": "us-east-2",
"LoggingPolicy": null,
"MFADelete": "Disabled",
"Name": "bucket-name",
"Owner":
{
"DisplayName": "user.name",
"ID": "11112223334445556667778899aaabbbcccdddeeee",
},
"Policy": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":["s3:ListBucket","s3:PutObject"],"Resource":["arn:aws:s3:::test-bucket/*","arn:aws:s3:::test-bucket"]}]}',
"PublicAccessBlockConfiguration":
{
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": false,
},
"Versioning": null,
}
Detection logic
Condition
MFADelete not eq "Enabled"
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
MFADelete | eq | Enabled |