{
	"id": "bb3841aa-7dd5-463e-862d-e7b7d7551f2e",
	"created_at": "2026-04-06T00:17:52.443098Z",
	"updated_at": "2026-04-10T03:20:15.656583Z",
	"deleted_at": null,
	"sha1_hash": "af6d81456553c81e871e6c1ddda032182154498d",
	"title": "CloudTrail Logs Impairment Through S3 Lifecycle Rule",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39181,
	"plain_text": "CloudTrail Logs Impairment Through S3 Lifecycle Rule\r\nArchived: 2026-04-05 14:50:32 UTC\r\nPlatform: AWS\r\nMappings\r\nMITRE ATT\u0026CK\r\nDefense Evasion\r\nThreat Technique Catalog for AWS:\r\nImpair Defenses: Disable Cloud Logs (T1562.008)\r\nDescription\r\nSet a 1-day retention policy on the S3 bucket used by a CloudTrail Trail, using a S3 Lifecycle Rule.\r\nReferences: https://www.justice.gov/usao-sdny/press-release/file/1452706/download\r\nWarm-up:\r\nCreate a CloudTrail trail logging to a S3 bucket.\r\nDetonation:\r\nApply a S3 Lifecycle Rule automatically removing objects after 1 day.\r\nInstructions\r\nDetonate with Stratus Red Team\r\nstratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule\r\nDetection\r\nIdentify when lifecycle rule with a short expiration is applied to an S3 bucket used for CloudTrail logging.\r\nThe CloudTrail event PutBucketLifecycle and its attribute\r\nrequestParameters.LifecycleConfiguration.Rule.Expiration.Days can be used.\r\nSource: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/\r\nhttps://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/"
	],
	"report_names": [
		"aws.defense-evasion.cloudtrail-lifecycle-rule"
	],
	"threat_actors": [],
	"ts_created_at": 1775434672,
	"ts_updated_at": 1775791215,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af6d81456553c81e871e6c1ddda032182154498d.pdf",
		"text": "https://archive.orkl.eu/af6d81456553c81e871e6c1ddda032182154498d.txt",
		"img": "https://archive.orkl.eu/af6d81456553c81e871e6c1ddda032182154498d.jpg"
	}
}