AWS Config Resource Deletion

Last updated on 2025-12-12
Created on 2020-06-26

About

Identifies attempts to delete AWS Config resources. AWS Config provides continuous visibility into resource configuration changes and compliance posture across an account. Deleting Config components can significantly reduce security visibility and auditability. Adversaries may delete or disable Config resources to evade detection, hide prior activity, or weaken governance controls before or after other malicious actions.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Config
Tactic: Defense Evasion
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)

False Positive Examples
Deletion of AWS Config resources may occur during legitimate account restructuring, environment teardown, or changes to compliance tooling. Centralized security teams or approved automation may also delete and recreate Config components as part of controlled workflows. Confirm that the action aligns with approved change management and was performed by an expected principal.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: aws.cloudtrail
    and event.provider: config.amazonaws.com
    and event.outcome: success
    and event.action: (
        DeleteConfigRule or
        DeleteOrganizationConfigRule or
        DeleteConfigurationAggregator or
        DeleteConfigurationRecorder or
        DeleteConformancePack or
        DeleteOrganizationConformancePack or
        DeleteDeliveryChannel or
        DeleteRemediationConfiguration or
        DeleteRetentionConfiguration
    )
    and not aws.cloudtrail.user_identity.invoked_by: (
        securityhub.amazonaws.com or
        fms.amazonaws.com or
        controltower.amazonaws.com or
        config-conforms.amazonaws.com
    )
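
The same conditions applied to raw CloudTrail JSON, for checking which records the rule would and would not match outside Elastic. This is an added example, not part of the prebuilt rule. It assumes the usual ECS mapping (event.provider = eventSource, event.action = eventName, event.outcome: success = no errorCode, user_identity.invoked_by = userIdentity.invokedBy); the function names and sample records are constructed for illustration.

```python
import json

# Action names and excluded services copied from the rule query above.
DELETE_ACTIONS = {
    "DeleteConfigRule", "DeleteOrganizationConfigRule",
    "DeleteConfigurationAggregator", "DeleteConfigurationRecorder",
    "DeleteConformancePack", "DeleteOrganizationConformancePack",
    "DeleteDeliveryChannel", "DeleteRemediationConfiguration",
    "DeleteRetentionConfiguration",
}
EXCLUDED_INVOKERS = {
    "securityhub.amazonaws.com", "fms.amazonaws.com",
    "controltower.amazonaws.com", "config-conforms.amazonaws.com",
}

def matches_rule(record):
    """Return True when a raw CloudTrail record satisfies the rule's conditions."""
    identity = record.get("userIdentity") or {}
    return (
        record.get("eventSource") == "config.amazonaws.com"     # event.provider
        and record.get("eventName") in DELETE_ACTIONS            # event.action
        and not record.get("errorCode")                          # assumed: outcome is success
        and identity.get("invokedBy") not in EXCLUDED_INVOKERS   # service exclusions
    )

def find_deletions(cloudtrail_json):
    """Return (eventTime, eventName, principal ARN) for each matching record."""
    records = json.loads(cloudtrail_json).get("Records", [])
    return [
        (r.get("eventTime"), r["eventName"], (r.get("userIdentity") or {}).get("arn"))
        for r in records if matches_rule(r)
    ]

# Constructed sample records (not real log data).
SAMPLE = json.dumps({"Records": [
    {"eventTime": "2025-01-01T00:00:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "DeleteConfigurationRecorder",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"}},
    {"eventTime": "2025-01-01T00:01:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "DeleteConfigRule",
     "userIdentity": {"invokedBy": "securityhub.amazonaws.com"}},
    {"eventTime": "2025-01-01T00:02:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "DeleteDeliveryChannel", "errorCode": "AccessDenied", "userIdentity": {}},
    {"eventTime": "2025-01-01T00:03:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "PutConfigRule", "userIdentity": {}},
]})

if __name__ == "__main__":
    for hit in find_deletions(SAMPLE):
        print(hit)
```

Only the first sample record matches: the second is excluded by its invoking service, the third failed, and the fourth is not a delete action.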

Install detection rules in Elastic Security

Detect AWS Config Resource Deletion in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.