AWS CloudWatch Alarm Deletion

  1[metadata]
  2creation_date = "2020/06/15"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/11/13"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects the deletion of one or more Amazon CloudWatch alarms using the "DeleteAlarms" API. CloudWatch alarms are
 11critical for monitoring metrics and triggering alerts when thresholds are exceeded. An adversary may delete alarms to
 12impair visibility, silence alerts, and evade detection following malicious activity. This behavior may occur during
 13post-exploitation or cleanup phases to remove traces of compromise or disable automated responses.
 14"""
 15false_positives = [
 16    """
 17    CloudWatch alarm deletions can occur legitimately during scheduled maintenance, infrastructure redeployments, or
 18    automation workflows that clean up temporary monitoring configurations. Verify that the user identity, role, and IP
 19    address are expected for the environment. If deletions are performed by CI/CD pipelines or authorized administrators
 20    during controlled operations, consider adding exceptions based on specific IAM roles, automation accounts, or IP
 21    address ranges.
 22    """,
 23]
 24from = "now-6m"
 25index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 26language = "kuery"
 27license = "Elastic License v2"
 28name = "AWS CloudWatch Alarm Deletion"
 29note = """## Triage and analysis
 30
 31> **Disclaimer**:
 32> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
 33> While every effort has been made to ensure its quality, validate and adapt it to your operational context.
 34
 35### Investigating AWS CloudWatch Alarm Deletion
 36
 37Amazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.
 38
 39Amazon CloudWatch Alarms monitor key metrics and trigger automated alerts or remediation workflows. Deleting these alarms disables monitoring of associated metrics and can delay detection of performance degradation or security incidents. Attackers may delete alarms to evade detection, suppress alerts, or disable security automation that responds to anomalies or policy violations.
 40
 41This rule detects successful calls to the `DeleteAlarms` API via CloudTrail. These events should be rare and always associated with a valid change-control request or automation pipeline.
 42
 43#### Possible investigation steps
 44
 45- **Identify the actor**
 46  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who initiated the deletion.
 47  - Check whether this actor typically performs CloudWatch management or automation tasks.
 48
 49- **Review request details**
 50  - Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` for the specific alarm names deleted. 
 51  - Determine whether the alarms were security-related (e.g., CloudTrail log delivery, GuardDuty finding rate, or IAM API monitoring alarms).
 52  - Cross-reference deleted alarms with your organization's list of critical monitoring configurations.
 53
 54- **Analyze source and context**
 55  - Review `source.ip` and `user_agent.original` for anomalies such as external IPs, unusual user agents, or custom SDKs.
 56  - Determine whether the activity occurred during a known maintenance window or from a trusted automation host.
 57  - Examine `cloud.region` to identify whether alarms were deleted from unexpected regions.
 58
 59- **Correlate with surrounding events**
 60  - Review CloudTrail events for related activity around the same time, such as:
 61    - `PutMetricAlarm`, `DisableAlarmActions`, or `DeleteLogGroup`
 62    - Changes to CloudTrail, Config, or GuardDuty configurations
 63    - IAM policy or permission modifications that could facilitate evasion
 64  - Identify whether the same actor has previously modified logging or monitoring infrastructure.
 65
 66- **Assess impact and scope**
 67  - Determine which systems or detection workflows relied on the deleted alarms.
 68  - Review whether the deletion affected automated responses, notifications, or third-party integrations (e.g., SNS, Lambda, or PagerDuty).
 69
 70### False positive analysis
 71
 72- **Legitimate automation or redeployment**
 73  - Infrastructure as Code (IaC) frameworks such as Terraform or CloudFormation may delete and recreate alarms during updates.
 74  - Validate automation account roles and ensure alarm deletions are immediately followed by re-creation actions.
 75- **Operational maintenance**
 76  - Scheduled monitoring cleanup, regional deactivation, or test environment resets can trigger legitimate deletions. 
 77  - Verify timing and user identity against approved change management records.
 78- **Organizational migrations**
 79  - Security operations or DevOps teams may consolidate alarms during account merges or refactors. 
 80  - Confirm intent with relevant teams and exclude authorized administrative accounts as necessary.
 81
 82### Response and remediation
 83
 84- **Containment**
 85  - If the deletion was unauthorized, recreate the deleted alarms immediately using IaC templates or CloudFormation backups.
 86  - Re-enable any dependent automation or alerts that rely on those alarms.
 87  - Temporarily restrict CloudWatch modification privileges to designated IAM roles.
 88
 89- **Investigation**
 90  - Review related CloudTrail logs for preceding IAM changes, STS activity, or anomalous role assumptions that might indicate compromised credentials.
 91  - Investigate whether any alerts were suppressed or delayed prior to the deletion.
 92
 93- **Recovery and hardening**
 94  - Implement AWS Config rules to continuously monitor alarm existence and alert on `DeleteAlarms` API calls.
 95  - Restrict permissions to `cloudwatch:DeleteAlarms` and enforce MFA for users performing monitoring configuration changes.
 96  - Maintain IaC definitions for all critical alarms to support rapid restoration.
 97  - Audit IAM roles and automation accounts that manage CloudWatch configurations to ensure least privilege.
 98  - Integrate alarm configuration checks into your CI/CD validation workflows.
 99
100### Additional information
101
102- **[AWS Config Rule – cloudwatch-alarm-action-check](https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-check.html)**
103- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
104- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
105- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
106"""
107references = [
108    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
109    "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html",
110]
111risk_score = 47
112rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
113severity = "medium"
114tags = [
115    "Domain: Cloud",
116    "Data Source: AWS",
117    "Data Source: Amazon Web Services",
118    "Data Source: Amazon CloudWatch",
119    "Resources: Investigation Guide",
120    "Tactic: Defense Evasion",
121]
122timestamp_override = "event.ingested"
123type = "query"
124
125query = '''
126event.dataset: "aws.cloudtrail" 
127  and event.provider: "monitoring.amazonaws.com" 
128  and event.action: "DeleteAlarms"
129  and event.outcome: "success"
130  and source.ip: *
131  and not user_agent.original : "AWS Internal"
132'''
133
134
135[[rule.threat]]
136framework = "MITRE ATT&CK"
137[[rule.threat.technique]]
138id = "T1562"
139name = "Impair Defenses"
140reference = "https://attack.mitre.org/techniques/T1562/"
141[[rule.threat.technique.subtechnique]]
142id = "T1562.001"
143name = "Disable or Modify Tools"
144reference = "https://attack.mitre.org/techniques/T1562/001/"
145
146[[rule.threat.technique.subtechnique]]
147id = "T1562.006"
148name = "Indicator Blocking"
149reference = "https://attack.mitre.org/techniques/T1562/006/"
150
151
152
153[rule.threat.tactic]
154id = "TA0005"
155name = "Defense Evasion"
156reference = "https://attack.mitre.org/tactics/TA0005/"
157
158[rule.investigation_fields]
159field_names = [
160    "@timestamp",
161    "user.name",
162    "user_agent.original",
163    "source.ip",
164    "aws.cloudtrail.user_identity.arn",
165    "aws.cloudtrail.user_identity.type",
166    "aws.cloudtrail.user_identity.access_key_id",
167    "target.entity.id",
168    "event.action",
169    "event.outcome",
170    "cloud.account.id",
171    "cloud.region",
172    "aws.cloudtrail.request_parameters",
173]