Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.
Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation: GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once.
For example, in AWS environments, an adversary with the PutLifecycleConfiguration permission may use the PutBucketLifecycle API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition to destroying data for purposes of extortion and Financial Theft, adversaries may also perform this action on buckets storing cloud logs for Indicator Removal.(Citation: Datadog S3 Lifecycle CloudTrail Logs)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1485.001 | Data Destruction: Lifecycle-Triggered Deletion | |
| attribute.availability.variety.Destruction | Destruction | related-to | T1485.001 | Data Destruction: Lifecycle-Triggered Deletion | |
| attribute.availability.variety.Interruption | Interruption | related-to | T1485.001 | Data Destruction: Lifecycle-Triggered Deletion |