T1485.001 Lifecycle-Triggered Deletion

Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.

Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation: GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor has sufficient permissions to modify these policies, they may be able to schedule the deletion of every object in the bucket with a single configuration change.

For example, in AWS environments, an adversary holding the s3:PutLifecycleConfiguration permission may call PutBucketLifecycleConfiguration (CloudTrail records it under the older API name PutBucketLifecycle) to apply a rule that expires every object in an S3 bucket after one day, the shortest interval S3 accepts.(Citation: Palo Alto Cloud Ransomware)(Citation: Halcyon AWS Ransomware 2025) S3 then removes the objects asynchronously; the adversary never issues DeleteObject calls, so the configuration change, not a burst of object deletions, is the trace defenders can observe. In addition to destroying data for purposes of extortion and Financial Theft, adversaries may also perform this action on buckets storing cloud logs for Indicator Removal.(Citation: Datadog S3 Lifecycle CloudTrail Logs)
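The rule described above together with a detection over CloudTrail management events, as an added example in Python (not code from the ATT&CK entry or from any cited vendor). The CloudTrail records are constructed; the requestParameters layout (bucketName plus LifecycleConfiguration.Rule) and the event name PutBucketLifecycle are assumptions about how S3 logs the call, and the bucket names and principals are hypothetical:

```python
"""Lifecycle-triggered deletion: the attacker's configuration and a CloudTrail
detection for it.  Added example, not code from the ATT&CK entry or a cited
vendor.  The CloudTrail records below are constructed; their requestParameters
layout and the event name PutBucketLifecycle are assumptions about S3 logging."""
import json

# What the adversary applies with PutBucketLifecycleConfiguration once it holds
# s3:PutLifecycleConfiguration.  An empty prefix matches every key, Days=1 is the
# shortest expiration S3 accepts, and the noncurrent-version rule makes a
# versioned bucket lose its old versions too instead of only gaining delete markers.
DESTRUCTIVE_LIFECYCLE = {
    "Rules": [{
        "ID": "cleanup",                     # innocuous-looking name
        "Status": "Enabled",
        "Filter": {"Prefix": ""},            # whole bucket
        "Expiration": {"Days": 1},
        "NoncurrentVersionExpiration": {"NoncurrentDays": 1},
    }]
}

LIFECYCLE_EVENT_NAMES = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _days(section, key):
    """Integer day count from e.g. {"Days": 1}; None if absent or date-based."""
    try:
        return int(section[key])
    except (KeyError, TypeError, ValueError):
        return None


def risky_rules(rules, max_days=7):
    """Yield (rule_id, reason) for enabled rules that expire current or noncurrent
    objects within max_days.  No prefix/tag filter means the rule covers the
    whole bucket, which is the shape of the destructive policy."""
    for rule in _as_list(rules):
        if rule.get("Status") != "Enabled":
            continue
        flt = rule.get("Filter") or {}
        prefix = flt.get("Prefix", rule.get("Prefix", ""))  # legacy rules put Prefix at top level
        whole_bucket = prefix == "" and "Tag" not in flt and "And" not in flt
        scope = "whole bucket" if whole_bucket else f"prefix {prefix!r}"
        checks = (("Expiration", _days(rule.get("Expiration") or {}, "Days")),
                  ("NoncurrentVersionExpiration",
                   _days(rule.get("NoncurrentVersionExpiration") or {}, "NoncurrentDays")))
        for label, days in checks:
            if days is not None and days <= max_days:
                yield rule.get("ID", "<no id>"), f"{label} after {days} day(s) on {scope}"


def detect_lifecycle_deletion(events, max_days=7):
    """Scan CloudTrail management events for lifecycle changes that would delete
    data within max_days.  Expirations never appear as DeleteObject calls, so
    the configuration change is the signal to alert on."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in LIFECYCLE_EVENT_NAMES:
            continue
        params = ev.get("requestParameters") or {}
        rules = (params.get("LifecycleConfiguration") or {}).get("Rule")
        for rule_id, reason in risky_rules(rules, max_days):
            findings.append({"bucket": params.get("bucketName"),
                             "actor": (ev.get("userIdentity") or {}).get("arn"),
                             "source_ip": ev.get("sourceIPAddress"),
                             "rule": rule_id, "reason": reason})
    return findings


# Constructed sample: a routine archival rule on a data bucket, then the
# destructive rule applied to a CloudTrail log bucket (the Indicator Removal case).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/StorageAdmin"},
     "sourceIPAddress": "10.0.0.5",
     "requestParameters": {"bucketName": "corp-data-archive",
                           "LifecycleConfiguration": {"Rule": {
                               "ID": "archive-tmp", "Status": "Enabled",
                               "Filter": {"Prefix": "tmp/"}, "Expiration": {"Days": 365}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"bucketName": "corp-cloudtrail-logs",
                           "LifecycleConfiguration": {"Rule": DESTRUCTIVE_LIFECYCLE["Rules"]}}},
]

if __name__ == "__main__":
    print(json.dumps(detect_lifecycle_deletion(SAMPLE_EVENTS), indent=2))
```

The threshold of seven days is deliberately loose: legitimate short-lived buckets exist, but a sudden expiration of a few days on a log or backup bucket, from a principal that does not normally touch lifecycle settings, is worth an alert even if it is later tuned out.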


CSA CCM Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

IAM-16 | Authorization Mechanisms | mitigates | T1485.001 | Lifecycle-Triggered Deletion
Comments
This control requires both the CSP and the CSC to independently enforce formal approval processes for user access and to implement dynamic and explicit authorization mechanisms. The guidance focuses on technical measures that verify authorization and prevent unauthorized access and execution.

BCR-08 | Backup | mitigates | T1485.001 | Lifecycle-Triggered Deletion
Comments
Adversaries may destroy, overwrite, or delete data and files in cloud storage buckets. Periodically backing up data stored in the cloud; ensuring backup confidentiality, integrity, and availability; and verifying data restoration from backup provides data protection and allows for quick recovery from data destruction attacks. Backups kept in the same bucket fall under the same lifecycle rule, so they belong in a separate bucket or account that the compromised principal's permissions do not reach.

IAM-05 | Least Privilege | mitigates | T1485.001 | Lifecycle-Triggered Deletion
Comments
This control describes enforcement of the principle of least privilege through controls such as regular automated reviews of access permissions, MFA for high-risk accounts, prompt revocation of unused privileges, and limits on access to sensitive data. For this technique, limit the permission to modify bucket lifecycle policies (s3:PutLifecycleConfiguration in AWS) to only those accounts that require it. In AWS environments, consider using Service Control Policies (SCPs) to deny s3:PutLifecycleConfiguration, the permission behind the PutBucketLifecycle API call, to everything except approved roles.

DSP-16 | Data Retention and Deletion | mitigates | T1485.001 | Lifecycle-Triggered Deletion
Comments
This control describes the shared responsibility of the CSP and CSC for securely managing data retention, archiving, and deletion across all cloud service models. Implementation involves establishing secure tools and processes for data retention, configuring backups, enforcing retention policies, and maintaining safeguards within each party's environment. For this technique, adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within; cloud storage buckets often allow users to set lifecycle policies that automate the migration, archival, or deletion of objects after a set period of time. To lessen the impact, limit the permission to modify bucket lifecycle policies (s3:PutLifecycleConfiguration in AWS) to only those accounts that require it, and in AWS environments consider using Service Control Policies (SCPs) to restrict the PutBucketLifecycle API call. Where a retention period must hold even against a privileged account, S3 Object Lock in compliance mode prevents locked object versions from being permanently deleted before the period expires, lifecycle rules included.

DCS-18 | Datacenter Operations Resilience | mitigates | T1485.001 | Lifecycle-Triggered Deletion
Comments
Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time. If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once. This control establishes and regularly evaluates processes, procedures, and technical measures to ensure continuous operations of the datacenter, mitigating attacker techniques such as denial-of-service and other availability-impacting attacks that seek to disrupt business and operational continuity.
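A preventive guardrail for the IAM-05 and DSP-16 mitigations above, as an added example that is not part of the mapping or of AWS documentation: an SCP that denies s3:PutLifecycleConfiguration to every principal except one approved role, plus a small evaluator for checking which principals it blocks before the policy is attached. The role name StorageLifecycleAdmin and the account ID are hypothetical, and the evaluator handles only the Deny statement shape used here, not full IAM policy evaluation:

```python
"""SCP guardrail against lifecycle-triggered deletion, with a minimal evaluator.
Added example, not code from the CSA mapping or from AWS.  The role name and
account ID are hypothetical; the evaluator covers only Deny statements with
*Like / *NotLike conditions on aws:PrincipalArn, not full IAM evaluation."""
import fnmatch

# s3:PutLifecycleConfiguration is the permission behind PutBucketLifecycle,
# PutBucketLifecycleConfiguration and DeleteBucketLifecycle, so one Deny covers
# every way of changing or removing a bucket's lifecycle rules.  aws:PrincipalArn
# resolves to the role ARN for assumed-role sessions, so the exception holds for
# the role regardless of session name.
DENY_LIFECYCLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLifecycleChangesExceptStorageAdmins",
        "Effect": "Deny",
        "Action": "s3:PutLifecycleConfiguration",
        "Resource": "*",
        "Condition": {"ArnNotLike": {
            "aws:PrincipalArn": "arn:aws:iam::*:role/StorageLifecycleAdmin"  # hypothetical role
        }},
    }],
}

_LIKE = {"ArnLike", "StringLike"}
_NOT_LIKE = {"ArnNotLike", "StringNotLike"}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively, with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy, action, principal_arn):
    """True if a Deny statement in policy applies to action for principal_arn.
    A statement carrying any condition this helper does not model is treated as
    not applying, so False here is not proof that IAM would allow the call."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_action_matches(p, action) for p in _listify(stmt["Action"])):
            continue
        applies = True
        for op, kv in stmt.get("Condition", {}).items():
            patterns = kv.get("aws:PrincipalArn")
            if patterns is None or op not in _LIKE | _NOT_LIKE:
                applies = False
                break
            # ARN patterns are case-sensitive; * and ? are the only wildcards.
            hit = any(fnmatch.fnmatchcase(principal_arn, p) for p in _listify(patterns))
            if (op in _LIKE and not hit) or (op in _NOT_LIKE and hit):
                applies = False
                break
        if applies:
            return True
    return False


if __name__ == "__main__":
    for arn in ("arn:aws:iam::123456789012:user/compromised-dev",
                "arn:aws:iam::123456789012:role/StorageLifecycleAdmin"):
        verdict = "denied" if scp_denies(DENY_LIFECYCLE_SCP, "s3:PutLifecycleConfiguration", arn) else "not denied by this SCP"
        print(arn, verdict)
```

An SCP only caps what principals in member accounts can do; the management account is exempt, and the approved role itself still needs its own IAM policy granting the action, which keeps the exception explicit in two places.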