AWS Configuration Recorder Stopped

Last updated 13 days ago on 2025-12-12
Created 6 years ago on 2020-06-16

About

Identifies when an AWS Config configuration recorder is stopped. AWS Config recorders continuously track and record configuration changes across supported AWS resources. Stopping the recorder immediately reduces visibility into infrastructure changes and can be abused by adversaries to evade detection, obscure follow-on activity, or weaken compliance and security monitoring controls.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Config
Tactic: Defense Evasion
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Defense Evasion (TA0005)

False Positive Examples
Authorized administrators may temporarily stop the AWS Config recorder during planned maintenance, account restructuring, or controlled configuration changes. Automated infrastructure or compliance tooling may also stop and restart the recorder as part of setup or teardown workflows. Activity outside of documented change windows or from unexpected identities should be investigated.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: aws.cloudtrail and event.provider: config.amazonaws.com and event.action: StopConfigurationRecorder and event.outcome: success
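
The query's four field conditions applied to constructed CloudTrail events, followed by the triage that the false-positive guidance calls for (change window and expected identity). This is an added example, not part of the Elastic rule; the sample events, role and user ARNs, allowlist and change window are assumptions, and `aws.cloudtrail.user_identity.arn` is assumed to be the populated identity field.

```python
from datetime import datetime

# Constructed sample events using flattened ECS field names; not real CloudTrail data.
def ev(ts, action, outcome, arn):
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": "config.amazonaws.com", "event.action": action,
            "event.outcome": outcome, "aws.cloudtrail.user_identity.arn": arn}

AUTOMATION = "arn:aws:iam::111122223333:role/config-automation"  # hypothetical role
UNEXPECTED = "arn:aws:iam::111122223333:user/dev-user"           # hypothetical user
EVENTS = [
    ev("2025-01-10T02:15:00+00:00", "StopConfigurationRecorder", "success", AUTOMATION),
    ev("2025-01-10T02:40:00+00:00", "StartConfigurationRecorder", "success", AUTOMATION),
    ev("2025-01-11T14:05:00+00:00", "StopConfigurationRecorder", "failure", UNEXPECTED),
    ev("2025-01-11T14:07:00+00:00", "StopConfigurationRecorder", "success", UNEXPECTED),
]

# Assumed local policy: who may stop the recorder, and when.
EXPECTED_IDENTITIES = {AUTOMATION}
CHANGE_WINDOWS = [(datetime.fromisoformat("2025-01-10T02:00:00+00:00"),
                   datetime.fromisoformat("2025-01-10T04:00:00+00:00"))]

# The four conditions from the rule query.
RULE = {"event.dataset": "aws.cloudtrail", "event.provider": "config.amazonaws.com",
        "event.action": "StopConfigurationRecorder", "event.outcome": "success"}

def matches_rule(event):
    """True when all four field conditions from the rule query hold."""
    return all(event.get(k) == v for k, v in RULE.items())

def triage(event):
    """Return reasons to investigate; an empty list means it fits documented change."""
    reasons = []
    ts = datetime.fromisoformat(event["@timestamp"])
    if not any(start <= ts <= end for start, end in CHANGE_WINDOWS):
        reasons.append("outside change window")
    if event.get("aws.cloudtrail.user_identity.arn") not in EXPECTED_IDENTITIES:
        reasons.append("unexpected identity")
    return reasons

def alerts(events):
    """One (timestamp, identity, reasons) tuple per event the rule would match."""
    return [(e["@timestamp"], e["aws.cloudtrail.user_identity.arn"], triage(e))
            for e in events if matches_rule(e)]

if __name__ == "__main__":
    for ts, arn, reasons in alerts(EVENTS):
        print(ts, arn, "INVESTIGATE: " + ", ".join(reasons) if reasons else "documented change")
```

The failed attempt at 14:05 does not match, because the query requires `event.outcome: success`; only the two successful stops produce alerts.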

Install detection rules in Elastic Security

Detect AWS Configuration Recorder Stopped in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.