AWS Backup Recovery Point Deleted

Last updated a day ago on 2026-06-26
Created a day ago on 2026-06-26

About

Identifies deletion of an AWS Backup recovery point via DeleteRecoveryPoint. A recovery point is a stored backup of a protected resource (EBS, RDS, DynamoDB, EFS, S3, and others). Deleting recovery points removes the ability to restore the associated data and is a core anti-recovery technique used in ransomware and data-destruction attacks to ensure victims cannot recover without paying or rebuilding. Routine lifecycle expirations are performed by the AWS Backup service itself; deletion by a non-service principal is rare and should be reviewed.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Backup
Use Case: Threat Detection
Tactic: Impact
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Impact (TA0040)

False Positive Examples
Backup, platform, or infrastructure-as-code teams may delete recovery points during retention cleanup, migration, or decommissioning. Verify the principal in "aws.cloudtrail.user_identity.arn", the affected recovery point and vault in "aws.cloudtrail.request_parameters", and whether the deletion aligns with an approved change. Known administration roles can be excluded after validation.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws

Query
data_stream.dataset: "aws.cloudtrail" and event.provider: "backup.amazonaws.com" and event.action: "DeleteRecoveryPoint" and event.outcome: "success" and not aws.cloudtrail.user_identity.type: "AWSService"
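
The query's clauses applied to sample events, together with the exclusion of a validated administration role described under False Positive Examples. This is an added example, not part of the Elastic rule; the events, account ID, ARNs and the allowlisted role name are constructed assumptions.

```python
# Added example; every event, account ID and ARN below is constructed.
RULE_CONDITIONS = {
    "data_stream.dataset": "aws.cloudtrail",
    "event.provider": "backup.amazonaws.com",
    "event.action": "DeleteRecoveryPoint",
    "event.outcome": "success",
}
# Assumption: a role your team has validated as a known administration role.
VALIDATED_ROLE_PREFIXES = ("arn:aws:sts::111122223333:assumed-role/backup-retention-cleanup/",)
USER_ARN = "arn:aws:iam::111122223333:user/example-user"  # constructed principal

def matches_rule(doc):
    """True when a flattened ECS document satisfies every clause of the rule query."""
    if any(doc.get(field) != value for field, value in RULE_CONDITIONS.items()):
        return False
    # 'not aws.cloudtrail.user_identity.type: "AWSService"' also matches a missing field.
    return doc.get("aws.cloudtrail.user_identity.type") != "AWSService"

def triage(docs):
    """Matching events from non-validated principals, with the fields to review."""
    findings = []
    for doc in docs:
        arn = doc.get("aws.cloudtrail.user_identity.arn") or ""
        if matches_rule(doc) and not arn.startswith(VALIDATED_ROLE_PREFIXES):
            findings.append({"principal": arn,
                             "request_parameters": doc.get("aws.cloudtrail.request_parameters")})
    return findings

def make_event(identity_type, arn, action="DeleteRecoveryPoint", outcome="success"):
    return {
        **RULE_CONDITIONS,
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.type": identity_type,
        "aws.cloudtrail.user_identity.arn": arn,
        "aws.cloudtrail.request_parameters": "<constructed vault and recovery point>",
    }

SAMPLE_EVENTS = [
    make_event("AWSService", None),  # lifecycle expiration by the AWS Backup service
    make_event("AssumedRole", VALIDATED_ROLE_PREFIXES[0] + "ci-session"),  # validated role
    make_event("IAMUser", USER_ARN),  # unexpected principal: needs review
    make_event("IAMUser", USER_ARN, outcome="failure"),  # failed call: rule ignores it
    make_event("IAMUser", USER_ARN, action="DeleteBackupVault"),  # different API action
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only the third sample event reaches review: the validated role still matches the rule query but is dropped by the exclusion, which mirrors adding a rule exception after validation.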

Install detection rules in Elastic Security

Detect AWS Backup Recovery Point Deleted in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.