AWS Config Resource Deletion
Identifies attempts to delete AWS Config resources. AWS Config provides continuous visibility into resource configuration changes and compliance posture across an account. Deleting Config components can significantly reduce security visibility and auditability. Adversaries may delete or disable Config resources to evade detection, hide prior activity, or weaken governance controls before or after other malicious actions.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/06/26"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/12"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies attempts to delete AWS Config resources. AWS Config provides continuous visibility into resource
configuration changes and compliance posture across an account. Deleting Config components can significantly reduce
security visibility and auditability. Adversaries may delete or disable Config resources to evade detection, hide prior
activity, or weaken governance controls before or after other malicious actions.
"""
false_positives = [
    """
    Deletion of AWS Config resources may occur during legitimate account restructuring, environment teardown, or changes
    to compliance tooling. Centralized security teams or approved automation may also delete and recreate Config
    components as part of controlled workflows. Confirm that the action aligns with approved change management and was
    performed by an expected principal.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Config Resource Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Config Resource Deletion

AWS Config records configuration changes, relationships, and compliance status for AWS resources over time.
Deleting Config components such as recorders, delivery channels, rules, or conformance packs disrupts
security monitoring, compliance enforcement, and forensic visibility. This behavior is uncommon outside of
planned infrastructure changes and should be treated as high-risk when unexpected. This rule detects only successful
deletions of AWS Config resources (`event.outcome: success`); denied attempts do not alert and must be looked for
separately during triage.

### Possible investigation steps

**Identify the actor**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who initiated the deletion.
- Confirm whether this principal typically manages AWS Config or centralized security tooling.
- Check `user_agent.original` to determine whether the action was performed via console, CLI, SDK, or automation.

**Determine what was deleted**
- Inspect `event.action` and `aws.cloudtrail.request_parameters` to identify which Config component was removed
  (e.g., configuration recorder, delivery channel, rule, aggregator, or conformance pack).
- Assess whether the deleted resource was account-scoped or organization-wide, and whether it was used for compliance reporting, guardrails, or security monitoring.
- Identify the affected regions and accounts using `cloud.region` and `cloud.account.id`.

**Reconstruct timing and intent**
- Use `@timestamp` to correlate the deletion with:
  - IAM changes (role updates, policy modifications, STS activity).
  - Other monitoring disruptions (CloudTrail, GuardDuty, Security Hub).
  - Destructive or high-impact actions occurring shortly before or after.
- Compare the timing against approved maintenance windows or infrastructure changes.

**Correlate with broader activity**
- Pivot in CloudTrail on the same principal or access key to identify:
  - Additional attempts to disable logging or security controls.
  - Resource deletions or configuration weakening across services.
- Evaluate whether the deletion appears isolated or part of a broader evasion sequence.

**Validate intent with stakeholders**
- Confirm with security, cloud platform, or compliance teams whether the deletion was planned and approved.
- Verify whether replacement Config resources were created shortly after, or whether monitoring remains disabled.

### False positive analysis

- **Planned environment changes**
  - Non-production account teardown, environment consolidation, or compliance tool migrations may involve
    deletion of Config resources.

- **Authorized security automation**
  - Approved automation or security tooling may delete and recreate Config components during setup or remediation.
  - Tune exceptions carefully using specific principals or automation roles rather than broad exclusions.

### Response and remediation

- **Contain and restore visibility**
  - If unauthorized, immediately re-enable AWS Config components, including recorders and delivery channels.
  - Validate that historical configuration data and compliance reporting resume as expected.

- **Investigate scope and impact**
  - Determine how long Config visibility was impaired and what activity may have occurred during that window.
  - Review other monitoring gaps (e.g., CloudTrail or GuardDuty changes) for coordinated evasion.

- **Credential and access review**
  - Rotate or disable credentials associated with the deleting principal if compromise is suspected.
  - Review IAM permissions to ensure only a minimal, well-defined set of roles can manage AWS Config.

- **Hardening and prevention**
  - Use SCPs or IAM conditions to restrict deletion of Config resources in production and security accounts.
  - Implement AWS Config rules or Security Hub controls to alert when Config is disabled or degraded.
  - Document and formalize change procedures for governance tooling.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
    "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html",
]
risk_score = 47
rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Config",
    "Resources: Investigation Guide",
    "Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: config.amazonaws.com
    and event.outcome: success
    and event.action: (DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or
                       DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or
                       DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)
    and not aws.cloudtrail.user_identity.invoked_by: (securityhub.amazonaws.com or fms.amazonaws.com or controltower.amazonaws.com or config-conforms.amazonaws.com)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters"
]
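To see exactly which CloudTrail records the query above fires on, and to exercise the "correlate with broader activity" triage step, here is the rule's predicate re-implemented over raw CloudTrail records. This is an added example, not Elastic's rule code; the records, principal ARNs, account ID and access key ID are constructed, and the field mapping (eventSource to event.provider, eventName to event.action, absent errorCode to event.outcome "success", userIdentity.invokedBy to aws.cloudtrail.user_identity.invoked_by) follows the Elastic AWS CloudTrail integration.

```python
"""The rule's KQL predicate re-implemented over raw CloudTrail records.

Added example (not Elastic's rule code). All records below are constructed.
"""
from datetime import datetime, timedelta

DELETE_ACTIONS = {
    "DeleteConfigRule", "DeleteOrganizationConfigRule",
    "DeleteConfigurationAggregator", "DeleteConfigurationRecorder",
    "DeleteConformancePack", "DeleteOrganizationConformancePack",
    "DeleteDeliveryChannel", "DeleteRemediationConfiguration",
    "DeleteRetentionConfiguration",
}
# Service principals the rule excludes via user_identity.invoked_by.
EXCLUDED_INVOKERS = {
    "securityhub.amazonaws.com", "fms.amazonaws.com",
    "controltower.amazonaws.com", "config-conforms.amazonaws.com",
}

# Constructed identities (assumed names; the key ID is AWS's documented example key).
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
DEPLOY_ROLE = {"type": "AssumedRole",
               "arn": "arn:aws:sts::123456789012:assumed-role/ConfigDeployRole/ci"}
SECURITY_HUB = {"type": "AWSService", "invokedBy": "securityhub.amazonaws.com"}


def rec(when, source, name, identity, **extra):
    """Build a minimal raw CloudTrail record (constructed sample data)."""
    r = {"eventTime": when, "eventSource": source, "eventName": name,
         "userIdentity": identity, "awsRegion": "us-east-1",
         "recipientAccountId": "123456789012", "userAgent": "aws-cli/2.15.0"}
    r.update(extra)
    return r


SAMPLE_RECORDS = [
    rec("2025-12-10T09:55:00Z", "cloudtrail.amazonaws.com", "StopLogging", ALICE),
    rec("2025-12-10T09:58:00Z", "config.amazonaws.com", "DescribeConfigurationRecorders", ALICE),
    rec("2025-12-10T10:00:00Z", "config.amazonaws.com", "DeleteConfigurationRecorder", ALICE,
        requestParameters={"configurationRecorderName": "default"}),
    rec("2025-12-10T10:01:00Z", "config.amazonaws.com", "DeleteDeliveryChannel", ALICE,
        errorCode="AccessDenied"),                                   # failed: no alert
    rec("2025-12-10T11:00:00Z", "config.amazonaws.com", "DeleteConfigRule", SECURITY_HUB),  # excluded invoker
    rec("2025-12-10T12:00:00Z", "config.amazonaws.com", "DeleteConfigRule", DEPLOY_ROLE,
        requestParameters={"configRuleName": "s3-bucket-public-read-prohibited"}),
]


def normalize(raw):
    """Map one raw CloudTrail record to the ECS-style fields the rule queries."""
    ui = raw.get("userIdentity", {})
    return {
        "@timestamp": datetime.fromisoformat(raw["eventTime"].replace("Z", "+00:00")),
        "event.provider": raw.get("eventSource"),
        "event.action": raw.get("eventName"),
        "event.outcome": "failure" if raw.get("errorCode") else "success",
        "aws.cloudtrail.user_identity.arn": ui.get("arn"),
        "aws.cloudtrail.user_identity.invoked_by": ui.get("invokedBy"),
        "aws.cloudtrail.request_parameters": raw.get("requestParameters", {}),
        "cloud.region": raw.get("awsRegion"),
        "cloud.account.id": raw.get("recipientAccountId"),
    }


def matches_rule(ev):
    """The rule's query. A missing invoked_by passes the `not` clause, as in KQL."""
    return (ev["event.provider"] == "config.amazonaws.com"
            and ev["event.outcome"] == "success"
            and ev["event.action"] in DELETE_ACTIONS
            and ev["aws.cloudtrail.user_identity.invoked_by"] not in EXCLUDED_INVOKERS)


def run_rule(raw_records):
    """Return the normalized events that would alert, in input order."""
    return [ev for ev in map(normalize, raw_records) if matches_rule(ev)]


def pivot_on_actor(raw_records, hit, window=timedelta(minutes=30)):
    """Triage step: other API calls by the same principal within +/- window,
    oldest first, as (provider, action) pairs. Failed calls are kept on
    purpose: a denied delete is still evidence of intent."""
    arn = hit["aws.cloudtrail.user_identity.arn"]
    lo, hi = hit["@timestamp"] - window, hit["@timestamp"] + window
    others = [ev for ev in map(normalize, raw_records)
              if ev["aws.cloudtrail.user_identity.arn"] == arn
              and lo <= ev["@timestamp"] <= hi
              and not (ev["@timestamp"] == hit["@timestamp"]
                       and ev["event.action"] == hit["event.action"])]
    others.sort(key=lambda ev: ev["@timestamp"])
    return [(ev["event.provider"], ev["event.action"]) for ev in others]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_RECORDS):
        print(hit["@timestamp"], hit["aws.cloudtrail.user_identity.arn"],
              hit["event.action"], hit["aws.cloudtrail.request_parameters"])
        print("  nearby activity by the same actor:", pivot_on_actor(SAMPLE_RECORDS, hit))
```

Two points the sample makes: the Security Hub-invoked deletion and the AccessDenied delivery-channel delete never alert, so the failed attempt only surfaces when the pivot is run on the actor who did get one deletion through; and the ConfigDeployRole hit is exactly the kind of event that should become a narrowly scoped exception (that role's ARN) rather than a blanket exclusion of the action.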
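The guide's hardening step recommends SCPs or IAM conditions that restrict deletion of Config resources to an approved role. The following is an added example, not Elastic's or AWS's code: a guardrail SCP expressed as a Python dict (so it can be dumped to JSON for `aws organizations create-policy`) together with a minimal evaluator that models only explicit Deny matching with the `ArnLike`/`ArnNotLike` operators this policy uses. The role name ConfigDeployRole and the account IDs are assumptions. Two facts the design relies on: for a role session `aws:PrincipalArn` carries the role ARN rather than the session ARN, so one `arn:aws:iam::*:role/...` pattern exempts every session of that role; and SCPs never restrict the organization's management account or service-linked roles, which therefore remain covered only by detection.

```python
"""Guardrail SCP for the 'Hardening and prevention' step, with a minimal
Deny-only evaluator. Added example; role name and account IDs are assumptions.
"""
import fnmatch
import json

CONFIG_TEARDOWN_ACTIONS = [
    "config:DeleteConfigRule",
    "config:DeleteOrganizationConfigRule",
    "config:DeleteConfigurationAggregator",
    "config:DeleteConfigurationRecorder",
    "config:DeleteConformancePack",
    "config:DeleteOrganizationConformancePack",
    "config:DeleteDeliveryChannel",
    "config:DeleteRemediationConfiguration",
    "config:DeleteRetentionConfiguration",
    "config:StopConfigurationRecorder",   # stopping the recorder blinds Config without a delete
]

# Attach to the production / security OUs. Does not apply to the management
# account or to service-linked roles (SCP semantics), only to member-account principals.
CONFIG_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyConfigTeardownExceptApprovedRole",
        "Effect": "Deny",
        "Action": CONFIG_TEARDOWN_ACTIONS,
        "Resource": "*",
        "Condition": {
            # Role sessions present the role ARN in aws:PrincipalArn, so this
            # single pattern exempts every session of ConfigDeployRole (assumed name).
            "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/ConfigDeployRole"}
        },
    }],
}


def arn_like(pattern, arn):
    """ArnLike semantics: the six colon-delimited ARN components are compared
    separately, so a '*' in one component cannot span a ':' boundary."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(
        fnmatch.fnmatchcase(comp, pat) for comp, pat in zip(a, p))


def _as_list(v):
    return v if isinstance(v, list) else [v]


def scp_denies(policy, principal_arn, action):
    """True if some Deny statement matches `action` and its condition holds.
    Handles Action wildcards (case-insensitive, as IAM does) and the
    ArnLike / ArnNotLike operators on aws:PrincipalArn; nothing else."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _as_list(st["Action"])):
            continue
        cond = st.get("Condition", {})
        like = _as_list(cond.get("ArnLike", {}).get("aws:PrincipalArn", []))
        not_like = _as_list(cond.get("ArnNotLike", {}).get("aws:PrincipalArn", []))
        if like and not any(arn_like(p, principal_arn) for p in like):
            continue            # condition false: statement does not apply
        if not_like and any(arn_like(p, principal_arn) for p in not_like):
            continue            # principal is exempted by ArnNotLike
        return True
    return False


def policy_json():
    """The SCP as JSON, ready for `aws organizations create-policy --content file://...`."""
    return json.dumps(CONFIG_GUARDRAIL_SCP, indent=2)


if __name__ == "__main__":
    print(policy_json())
    for who in ("arn:aws:iam::123456789012:user/alice",
                "arn:aws:iam::123456789012:role/ConfigDeployRole"):
        print(who, "denied" if scp_denies(CONFIG_GUARDRAIL_SCP, who,
                                          "config:DeleteConfigurationRecorder") else "allowed")
```

Pair this with the detection rule rather than replacing it: the SCP stops the principals it covers, while the management account, service-linked roles and the exempted deploy role still produce the CloudTrail events the rule alerts on, which is where a narrowly scoped exception on the deploy role's ARN belongs.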
References
- https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html
- https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html
Related rules
- AWS Configuration Recorder Stopped
- AWS Route 53 Resolver Query Log Configuration Deleted
- AWS WAF Access Control List Deletion
- AWS WAF Rule or Rule Group Deletion
- AWS RDS DB Instance Made Public