AWS Configuration Recorder Stopped

Identifies when an AWS Config configuration recorder is stopped. AWS Config recorders continuously track and record configuration changes across supported AWS resources. Stopping the recorder immediately reduces visibility into infrastructure changes and can be abused by adversaries to evade detection, obscure follow-on activity, or weaken compliance and security monitoring controls.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/06/16"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/12"

[rule]
author = ["Elastic"]
description = """
Identifies when an AWS Config configuration recorder is stopped. AWS Config recorders continuously track and record
configuration changes across supported AWS resources. Stopping the recorder immediately reduces visibility into
infrastructure changes and can be abused by adversaries to evade detection, obscure follow-on activity, or weaken
compliance and security monitoring controls.
"""
false_positives = [
    """
    Authorized administrators may temporarily stop the AWS Config recorder during planned maintenance, account
    restructuring, or controlled configuration changes. Automated infrastructure or compliance tooling may also stop and
    restart the recorder as part of setup or teardown workflows. Activity outside of documented change windows or from
    unexpected identities should be investigated.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Configuration Recorder Stopped"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Configuration Recorder Stopped

AWS Config provides continuous visibility into resource configuration changes and underpins many security, compliance,
and audit workflows. Stopping the configuration recorder prevents new changes from being captured and can create blind
spots in detection and forensic timelines.

This behavior is uncommon in steady-state production environments and should be carefully reviewed, especially when
performed outside approved maintenance windows or by unexpected principals.

### Possible investigation steps

**Identify the actor**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`
  to determine who initiated the `StopConfigurationRecorder` action. Confirm whether this principal typically administers AWS Config or performs security and compliance operations.

**Examine the request context**
- Review `user_agent.original` to determine whether the request originated from the AWS Console, CLI, SDK, or automation tooling.
- Inspect `source.ip` and any available geo context to assess whether the request originated from an expected network or region.

**Determine scope and impact**
- Identify which configuration recorder was stopped and which regions or resources were affected.
- Determine how long the recorder remained disabled and whether any configuration changes occurred during that window.
- Assess whether AWS Config rules, Security Hub controls, or downstream monitoring systems were impacted.

**Correlate with related activity**
- Look for surrounding CloudTrail activity from the same principal, including:
  - Deletion or modification of Config rules, delivery channels, or conformance packs.
  - IAM changes, credential activity, or other security control modifications.
- Check for signs of follow-on activity that may have relied on reduced visibility, such as resource creation, policy changes,
  or network reconfiguration.

**Validate intent**
- Confirm with the platform, security, or compliance teams whether the recorder stoppage was intentional and approved.
- Compare the timing against change management records, infrastructure deployments, or account bootstrapping workflows.

### False positive analysis

- Planned maintenance or controlled configuration changes may require temporarily stopping the recorder.
- Automated account provisioning, teardown, or remediation tooling may stop and restart the recorder as part of normal workflows.

### Response and remediation

- Immediately restart the AWS Config recorder to restore configuration visibility.
- Review CloudTrail logs for activity that occurred while the recorder was stopped and assess potential security or compliance impact.
- If the action was unauthorized, rotate or disable credentials associated with the initiating principal and investigate for compromise.
- Review IAM permissions to ensure only a minimal set of trusted roles can stop or modify AWS Config components.
- Implement guardrails such as AWS Config rules, SCPs, or automated remediation to detect and respond to recorder stoppage.
- Update monitoring, alerting, and incident response runbooks to explicitly cover AWS Config visibility loss scenarios.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
    "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html",
]
risk_score = 73
rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Config",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: config.amazonaws.com
    and event.action: StopConfigurationRecorder
    and event.outcome: success
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "target.entity.id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
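The following is an added example, not part of the Elastic rule or its repository: it applies the rule's query predicate (Config provider, StopConfigurationRecorder, successful outcome) over constructed CloudTrail records and then performs the "determine scope and impact" step from the guide, pairing each stop with the restart of the same recorder in the same region to measure how long visibility was lost and what other API activity happened in between. It assumes raw CloudTrail JSON field names (eventSource, eventName, errorCode) rather than the ECS fields the integration maps them to.

```python
from datetime import datetime
# Constructed sample CloudTrail records (not real data) using raw CloudTrail field names; the aws.cloudtrail
# integration maps eventSource -> event.provider, eventName -> event.action, missing errorCode -> event.outcome: success.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T09:00:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "StopConfigurationRecorder", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.15.0", "requestParameters": {"configurationRecorderName": "default"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice", "accessKeyId": "AKIAEXAMPLEKEY01"}},
    {"eventTime": "2025-01-10T09:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2025-01-10T09:30:00Z", "eventSource": "config.amazonaws.com", "eventName": "StartConfigurationRecorder",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"configurationRecorderName": "default"}},
    # Denied attempt: errorCode is present, so event.outcome is not "success" and the rule ignores it.
    {"eventTime": "2025-01-10T10:00:00Z", "eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder",
     "awsRegion": "eu-west-1", "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"configurationRecorderName": "default"}},
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _config_call(ev, name):
    # A successful AWS Config API call: provider config.amazonaws.com, given eventName, no errorCode.
    return ev.get("eventSource") == "config.amazonaws.com" and ev.get("eventName") == name and "errorCode" not in ev

def matches_rule(ev):
    return _config_call(ev, "StopConfigurationRecorder")  # same predicate as the rule's KQL query

def build_alerts(events):
    """One alert per matching stop, enriched with the triage fields the investigation guide asks for."""
    events = sorted(events, key=lambda e: e["eventTime"])
    alerts = []
    for i, ev in enumerate(events):
        if not matches_rule(ev):
            continue
        recorder = ev.get("requestParameters", {}).get("configurationRecorderName")
        restarted_at, during = None, []
        for later in events[i + 1:]:  # find the restart of this recorder; collect what happened meanwhile
            if (_config_call(later, "StartConfigurationRecorder") and later.get("awsRegion") == ev.get("awsRegion")
                    and later.get("requestParameters", {}).get("configurationRecorderName") == recorder):
                restarted_at = _ts(later["eventTime"])
                break
            during.append(f'{later.get("eventSource")}:{later.get("eventName")}')
        alerts.append({"actor_arn": ev.get("userIdentity", {}).get("arn"),
                       "access_key_id": ev.get("userIdentity", {}).get("accessKeyId"), "user_agent": ev.get("userAgent"),
                       "source_ip": ev.get("sourceIPAddress"), "region": ev.get("awsRegion"), "recorder": recorder,
                       "disabled_minutes": None if restarted_at is None else (restarted_at - _ts(ev["eventTime"])).total_seconds() / 60,
                       "activity_while_stopped": during})
    return alerts
```

A `disabled_minutes` of `None` means no matching restart was seen, which is the case the response section treats as most urgent.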
