AWS Config Resource Deletion

Last updated a year ago on 2024-05-21

Created 5 years ago on 2020-06-26

About

Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesTactic: Defense EvasionLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Impair Defenses (T1562)(opens in a new tab or window)

False Positive Examples

Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-aws.cloudtrail-*
Related Integrations: aws(opens in a new tab or window)
Query

event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and
    event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or
    DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or
    DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)

Install detection rules in Elastic Security

Detect AWS Config Resource Deletion in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).