AWS Configuration Recorder Stopped
Identifies an AWS configuration change to stop recording a designated set of resources.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/06/16"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = "Identifies an AWS configuration change to stop recording a designated set of resources."
false_positives = [
    """
    Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false
    positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Configuration Recorder Stopped"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Configuration Recorder Stopped

AWS Config records and evaluates configurations of AWS resources, ensuring compliance and security. Stopping the configuration recorder can hinder visibility into resource changes, aiding adversaries in evading detection. The detection rule identifies successful attempts to stop the recorder, signaling potential defense evasion by monitoring specific AWS CloudTrail events related to configuration changes.

### Possible investigation steps

- Review the AWS CloudTrail logs for the specific event.action:StopConfigurationRecorder to identify the user or role that initiated the action.
- Check the event.outcome:success field to confirm the action was successfully executed and correlate it with any other suspicious activities around the same timeframe.
- Investigate the IAM permissions and roles associated with the user or entity that stopped the configuration recorder to determine if they have the necessary permissions and if those permissions are appropriate.
- Analyze the context of the event by examining other recent AWS CloudTrail events from the same event.provider:config.amazonaws.com to identify any related configuration changes or anomalies.
- Assess the potential impact on compliance and security by identifying which resources were affected by the stopped configuration recorder and evaluating the risk of undetected changes during the period it was inactive.
- Review any recent changes in AWS Config settings or policies that might explain the legitimate need to stop the configuration recorder, ensuring there is a valid business justification.

### False positive analysis

- Routine maintenance activities by authorized personnel can trigger the rule. To manage this, create exceptions for specific IAM roles or users known to perform these tasks regularly.
- Automated scripts or tools used for configuration management might stop the recorder as part of their operation. Identify these scripts and exclude their actions from triggering alerts by using their unique identifiers or tags.
- Scheduled configuration changes during non-peak hours may involve stopping the recorder temporarily. Document these schedules and adjust the rule to ignore events during these periods.
- Testing environments often mimic production changes, including stopping the recorder. Exclude events from known testing accounts or environments to prevent unnecessary alerts.

### Response and remediation

- Immediately re-enable the AWS Config recorder to restore visibility into resource changes and ensure compliance monitoring is active.
- Conduct a thorough review of AWS CloudTrail logs to identify any unauthorized or suspicious activities that occurred during the period when the configuration recorder was stopped.
- Verify the IAM roles and permissions associated with the AWS account to ensure that only authorized personnel have the ability to stop the configuration recorder. Adjust permissions as necessary to follow the principle of least privilege.
- Implement additional monitoring and alerting for any future attempts to stop the AWS Config recorder, ensuring that such actions trigger immediate notifications to the security team.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if the action was part of a broader attack or misconfiguration.
- Review and update incident response plans to include specific procedures for handling AWS Config recorder stoppage events, ensuring rapid response and containment in future occurrences.
- Consider enabling AWS Config rules to automatically remediate unauthorized changes, such as stopping the configuration recorder, to enhance the security posture and prevent recurrence.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
    "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html",
]
risk_score = 73
rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
severity = "high"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
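The rule's KQL query and its false-positive guidance, worked through as an added example (not code from Elastic or the rule itself). It takes a few constructed raw CloudTrail records, maps them onto the four ECS fields the query tests, applies the query's conditions, and then applies an exception list for a maintenance role, as the false-positive section recommends. The mapping from raw CloudTrail to ECS (eventSource to event.provider, eventName to event.action, absence of errorCode meaning event.outcome "success") is an assumption about the integration's behaviour, and the sample records, account ID, ARNs and the ConfigMaintenanceRole exemption are all constructed for illustration.

```python
"""Run the "AWS Configuration Recorder Stopped" logic over constructed CloudTrail records.

Added example, not part of the Elastic rule. The raw-to-ECS mapping below is an
assumption about how the AWS CloudTrail integration populates the queried fields;
the records, account ID, ARNs and exemption list are constructed sample data.
"""
import json
from typing import Iterable, List

# Constructed raw CloudTrail records (the JSON shape a trail delivers to S3).
SAMPLE_CLOUDTRAIL = [
    # Successful stop by an IAM user outside any exception: should alert.
    {"eventVersion": "1.08", "eventTime": "2025-01-15T10:02:11Z",
     "eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"configurationRecorderName": "default"}},
    # Denied attempt: errorCode present, so event.outcome is "failure" and the rule does not fire.
    {"eventVersion": "1.08", "eventTime": "2025-01-15T10:03:40Z",
     "eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder",
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/other-user"},
     "sourceIPAddress": "203.0.113.11", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"configurationRecorderName": "default"}},
    # Unrelated Config read call: wrong event.action, no alert.
    {"eventVersion": "1.08", "eventTime": "2025-01-15T10:04:00Z",
     "eventSource": "config.amazonaws.com", "eventName": "DescribeConfigurationRecorders",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    # Successful stop by a known maintenance role: matches the query but is exempted.
    {"eventVersion": "1.08", "eventTime": "2025-01-15T10:05:30Z",
     "eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ConfigMaintenanceRole/session"},
     "sourceIPAddress": "10.0.0.5", "userAgent": "Boto3/1.34.0",
     "requestParameters": {"configurationRecorderName": "default"}},
]

# Constructed exception: ARN prefix of a role that legitimately stops the recorder.
EXEMPT_ARN_PREFIXES = ("arn:aws:sts::111122223333:assumed-role/ConfigMaintenanceRole/",)


def to_ecs(record: dict) -> dict:
    """Map a raw CloudTrail record onto the ECS fields the rule queries (assumed mapping)."""
    return {
        "@timestamp": record.get("eventTime"),
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        # CloudTrail only sets errorCode when the API call failed.
        "event.outcome": "failure" if "errorCode" in record else "success",
        "aws.cloudtrail.error_code": record.get("errorCode"),
        "aws.cloudtrail.user_identity.arn": record.get("userIdentity", {}).get("arn"),
        "source.ip": record.get("sourceIPAddress"),
        "user_agent.original": record.get("userAgent"),
    }


def rule_matches(ecs: dict) -> bool:
    """Equivalent of the rule's KQL: all four field conditions must hold."""
    return (ecs.get("event.dataset") == "aws.cloudtrail"
            and ecs.get("event.provider") == "config.amazonaws.com"
            and ecs.get("event.action") == "StopConfigurationRecorder"
            and ecs.get("event.outcome") == "success")


def is_exempt(ecs: dict, exempt_arn_prefixes: Iterable[str]) -> bool:
    """Rule exception for known maintenance identities (false-positive handling)."""
    arn = ecs.get("aws.cloudtrail.user_identity.arn") or ""
    return any(arn.startswith(prefix) for prefix in exempt_arn_prefixes)


def run_rule(records: Iterable[dict], exempt_arn_prefixes: Iterable[str] = ()) -> List[dict]:
    """Return the ECS documents that match the query and are not covered by an exception."""
    exempt = tuple(exempt_arn_prefixes)
    alerts = []
    for record in records:
        ecs = to_ecs(record)
        if rule_matches(ecs) and not is_exempt(ecs, exempt):
            alerts.append(ecs)
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_CLOUDTRAIL, EXEMPT_ARN_PREFIXES):
        # The alert carries the identity, source IP and user agent the triage steps ask for.
        print(json.dumps(alert, indent=2))
```

Without the exception list the example produces two alerts (the IAM user and the maintenance role); with it only the IAM user's stop remains, while the denied attempt drops out because event.outcome is "failure", which is exactly why the query requires a successful outcome.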
Related rules
- AWS EC2 Network Access Control List Deletion
- AWS EC2 Security Group Configuration Change
- AWS ElastiCache Security Group Created
- AWS ElastiCache Security Group Modified or Deleted
- AWS GuardDuty Detector Deletion