Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

unfortunately S3 bucket deleted

-2

My S3 bucket data was deleted without my knowledge.

I checked CloudTrail logs and found delete actions from an unknown IP address (US region). I did not intentionally share my access keys or credentials.

Steps I already took:

  • Disabled access keys
  • Enabled MFA
  • Reviewed IAM users

I need help with:

  1. How to trace who performed this action
  2. Is it possible to recover deleted S3 data?
  3. How to prevent this in future?

Any guidance would be helpful.

Topics
Management & GovernanceAWS MarketplaceStorageSecurity, Identity, & Compliance
Tags
Amazon CloudWatch LogsCloudEndure Disaster RecoveryAWS Security Incident ResponseAWS CloudFormation Detect Root CauseAWS CloudTrail
Language
English
asked a month ago70 views
1 Answer
-2

How to trace who performed this action

Use CloudTrail and check the delete event details: (userIdentity, sourceIPAddress eventTime etc.) this works if you have enabled CloudTrail events

Is it possible to recover deleted S3 data?

Only if Versioning was enabled before the deletion.

How to prevent this in future?

Enable S3 Versioning, enable CloudTrail data events for important buckets, use MFA if possible

EXPERT
answered a month ago
EXPERT
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content