From 6311cfccb48f79d25b485ccb28bfc13d1757fefc Mon Sep 17 00:00:00 2001 From: bryans3c Date: Fri, 19 Jun 2026 09:51:09 +0200 Subject: [PATCH 1/6] [New Rule] AWS Backup Vault Access Policy Modified or Deleted --- ...n_backup_vault_access_policy_modified.toml | 116 ++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml diff --git a/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml new file mode 100644 index 00000000000..0490b03426e --- /dev/null +++ b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml @@ -0,0 +1,116 @@ +[metadata] +creation_date = "2026/06/19" +integration = ["aws"] +maturity = "production" +updated_date = "2026/06/19" + +[rule] +author = ["Elastic"] +description = """ +Identifies modification or removal of an AWS Backup vault access policy via PutBackupVaultAccessPolicy or +DeleteBackupVaultAccessPolicy. The vault access policy is a resource-based policy that controls which principals, +including external accounts, can act on the vault and its recovery points. Adversaries may add or broaden principals to +gain cross-account access to backups (data theft), or weaken or delete the policy to remove protections such as +deny-delete guardrails. These changes are infrequent and should align with approved access design. +""" +false_positives = [ + """ + Security and platform teams legitimately set vault access policies for cross-account backup and disaster-recovery + designs, often via infrastructure-as-code. Review the policy document in "aws.cloudtrail.request_parameters" for new + or external principals, and confirm recipients are approved. Known automation roles can be excluded after + validation. + """, +] +from = "now-6m" +index = ["logs-aws.cloudtrail-*"] +language = "kuery" +license = "Elastic License v2" +name = "AWS Backup Vault Access Policy Modified or Deleted" +note = """## Triage and analysis + +### Investigating AWS Backup Vault Access Policy Modified or Deleted + +The backup vault access policy is a resource-based policy governing who can access the vault and its recovery points. "PutBackupVaultAccessPolicy" replaces the policy and "DeleteBackupVaultAccessPolicy" removes it. Unexpected changes can grant external accounts access to backups (enabling copy/exfiltration of protected data) or strip deny-delete and other guardrails, weakening protection ahead of destruction. + +### Possible investigation steps + +- Identify the actor in "aws.cloudtrail.user_identity.arn" and "aws.cloudtrail.user_identity.type", and review "source.ip" and "user_agent.original" for an unexpected origin. +- Inspect the policy document in "aws.cloudtrail.request_parameters" for new "Principal" entries, external account IDs, or removal of restrictive statements. +- Determine which vault and recovery points are affected and whether cross-account copy or restore activity followed. +- Correlate with adjacent backup activity by the same principal (StartCopyJob, DeleteRecoveryPoint, Vault Lock changes). + +### False positive analysis + +- Cross-account backup/DR designs legitimately set vault policies, often via IaC. Confirm recipients are approved and exclude known automation roles on "aws.cloudtrail.user_identity.arn" after validation. + +### Response and remediation + +- If unauthorized, restore a known-good vault access policy, remove rogue or external principals, and review for any cross-account copy or restore of recovery points. +- Rotate or restrict credentials for the principal if compromise is suspected, and restrict "backup:PutBackupVaultAccessPolicy" and "backup:DeleteBackupVaultAccessPolicy" to trusted administrators. + +### Additional information + +- [Backup vault access policies](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-a-vault-access-policy.html) +- [PutBackupVaultAccessPolicy API](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_PutBackupVaultAccessPolicy.html) +""" +references = [ + "https://docs.aws.amazon.com/aws-backup/latest/devguide/create-a-vault-access-policy.html", + "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_PutBackupVaultAccessPolicy.html", +] +risk_score = 47 +rule_id = "0e5af193-c983-4d08-8d85-cff6f46454cc" +setup = """The AWS Fluentd or AWS Beats integration, CloudTrail logging, and a configured CloudTrail trail are required for this rule. See the AWS integration documentation: https://docs.elastic.co/integrations/aws/cloudtrail""" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS Backup", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +data_stream.dataset: "aws.cloudtrail" + and event.provider: "backup.amazonaws.com" + and event.action: ("PutBackupVaultAccessPolicy" or "DeleteBackupVaultAccessPolicy") + and event.outcome: "success" + and not aws.cloudtrail.user_identity.type: "AWSService" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "source.as.number", + "source.as.organization.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", +] + From 24b65080a09ebd3289eb672c8ed897cfd97ef217 Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Fri, 19 Jun 2026 15:15:15 +0200 Subject: [PATCH 2/6] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../aws/defense_evasion_backup_vault_access_policy_modified.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml index 0490b03426e..a75355601dc 100644 --- a/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml +++ b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml @@ -56,6 +56,7 @@ The backup vault access policy is a resource-based policy governing who can acce references = [ "https://docs.aws.amazon.com/aws-backup/latest/devguide/create-a-vault-access-policy.html", "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_PutBackupVaultAccessPolicy.html", + "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVaultAccessPolicy.html", ] risk_score = 47 rule_id = "0e5af193-c983-4d08-8d85-cff6f46454cc" From cfb9b4368cbc5827bdff97fac5d2841a952fb371 Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Fri, 19 Jun 2026 15:15:24 +0200 Subject: [PATCH 3/6] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../aws/defense_evasion_backup_vault_access_policy_modified.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml index a75355601dc..fb7420cdd7b 100644 --- a/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml +++ b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml @@ -66,6 +66,7 @@ tags = [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", "Data Source: AWS Backup", "Use Case: Threat Detection", "Tactic: Defense Evasion", From 973669ee4ba72cc525363ad736a6fd2734cd11a9 Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Fri, 19 Jun 2026 15:16:05 +0200 Subject: [PATCH 4/6] Rename defense_evasion_backup_vault_access_policy_modified.toml to defense_evasion_backup_vault_access_policy_modified_or_deleted.toml --- ...e_evasion_backup_vault_access_policy_modified_or_deleted.toml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/integrations/aws/{defense_evasion_backup_vault_access_policy_modified.toml => defense_evasion_backup_vault_access_policy_modified_or_deleted.toml} (100%) diff --git a/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified_or_deleted.toml similarity index 100% rename from rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified.toml rename to rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified_or_deleted.toml From 930316ee8d6b9386b3ab6bcb58bc057056d7b505 Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Mon, 22 Jun 2026 09:59:55 +0200 Subject: [PATCH 5/6] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- ..._evasion_backup_vault_access_policy_modified_or_deleted.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified_or_deleted.toml index fb7420cdd7b..b47f19ebc75 100644 --- a/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified_or_deleted.toml +++ b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified_or_deleted.toml @@ -60,7 +60,7 @@ references = [ ] risk_score = 47 rule_id = "0e5af193-c983-4d08-8d85-cff6f46454cc" -setup = """The AWS Fluentd or AWS Beats integration, CloudTrail logging, and a configured CloudTrail trail are required for this rule. See the AWS integration documentation: https://docs.elastic.co/integrations/aws/cloudtrail""" +setup = """The AWS integration (Elastic Agent), CloudTrail logging, and a configured CloudTrail trail are required for this rule. See the AWS integration documentation: https://docs.elastic.co/integrations/aws/cloudtrail""" severity = "medium" tags = [ "Domain: Cloud", From 63a0d21c603518db26f6eb9119762b125376008a Mon Sep 17 00:00:00 2001 From: Bryan Porras Date: Mon, 22 Jun 2026 16:54:57 +0200 Subject: [PATCH 6/6] Update defense_evasion_backup_vault_access_policy_modified_or_deleted.toml --- ..._evasion_backup_vault_access_policy_modified_or_deleted.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified_or_deleted.toml index b47f19ebc75..d0476103208 100644 --- a/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified_or_deleted.toml +++ b/rules/integrations/aws/defense_evasion_backup_vault_access_policy_modified_or_deleted.toml @@ -60,7 +60,7 @@ references = [ ] risk_score = 47 rule_id = "0e5af193-c983-4d08-8d85-cff6f46454cc" -setup = """The AWS integration (Elastic Agent), CloudTrail logging, and a configured CloudTrail trail are required for this rule. See the AWS integration documentation: https://docs.elastic.co/integrations/aws/cloudtrail""" +setup = """This rule requires AWS CloudTrail management events for AWS Backup and ingestion via the Elastic AWS CloudTrail integration. See https://docs.elastic.co/integrations/aws/cloudtrail.""" severity = "medium" tags = [ "Domain: Cloud",