AWS Configuration Recorder Stopped

  1[metadata]
  2creation_date = "2020/06/16"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when an AWS Config configuration recorder is stopped. AWS Config recorders continuously track and record
 11configuration changes across supported AWS resources. Stopping the recorder immediately reduces visibility into
 12infrastructure changes and can be abused by adversaries to evade detection, obscure follow-on activity, or weaken
 13compliance and security monitoring controls.
 14"""
 15false_positives = [
 16    """
 17    Authorized administrators may temporarily stop the AWS Config recorder during planned maintenance, account
 18    restructuring, or controlled configuration changes. Automated infrastructure or compliance tooling may also stop and
 19    restart the recorder as part of setup or teardown workflows. Activity outside of documented change windows or from
 20    unexpected identities should be investigated.
 21    """,
 22]
 23from = "now-6m"
 24index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 25language = "kuery"
 26license = "Elastic License v2"
 27name = "AWS Configuration Recorder Stopped"
 28note = """## Triage and analysis
 29
 30### Investigating AWS Configuration Recorder Stopped
 31
 32AWS Config provides continuous visibility into resource configuration changes and underpins many security, compliance,
 33and audit workflows. Stopping the configuration recorder prevents new changes from being captured and can create blind
 34spots in detection and forensic timelines.
 35
 36This behavior is uncommon in steady-state production environments and should be carefully reviewed, especially when
 37performed outside approved maintenance windows or by unexpected principals.
 38
 39### Possible investigation steps
 40
 41**Identify the actor**
 42- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`
 43  to determine who initiated the `StopConfigurationRecorder` action. Confirm whether this principal typically administers AWS Config or performs security and compliance operations.
 44
 45**Examine the request context**
 46- Review `user_agent.original` to determine whether the request originated from the AWS Console, CLI, SDK, or automation tooling.
 47- Inspect `source.ip` and any available geo context to assess whether the request originated from an expected network or region.
 48
 49**Determine scope and impact**
 50- Identify which configuration recorder was stopped and which regions or resources were affected.
 51- Determine how long the recorder remained disabled and whether any configuration changes occurred during that window.
 52- Assess whether AWS Config rules, Security Hub controls, or downstream monitoring systems were impacted.
 53
 54**Correlate with related activity**
 55- Look for surrounding CloudTrail activity from the same principal, including:
 56  - Deletion or modification of Config rules, delivery channels, or conformance packs.
 57  - IAM changes, credential activity, or other security control modifications.
 58- Check for signs of follow-on activity that may have relied on reduced visibility, such as resource creation, policy changes,
 59  or network reconfiguration.
 60
 61**Validate intent**
 62- Confirm with the platform, security, or compliance teams whether the recorder stoppage was intentional and approved.
 63- Compare the timing against change management records, infrastructure deployments, or account bootstrapping workflows.
 64
 65### False positive analysis
 66
 67- Planned maintenance or controlled configuration changes may require temporarily stopping the recorder.
 68- Automated account provisioning, teardown, or remediation tooling may stop and restart the recorder as part of normal workflows.
 69
 70### Response and remediation
 71
 72- Immediately restart the AWS Config recorder to restore configuration visibility.
 73- Review CloudTrail logs for activity that occurred while the recorder was stopped and assess potential security or compliance impact.
 74- If the action was unauthorized, rotate or disable credentials associated with the initiating principal and investigate for compromise.
 75- Review IAM permissions to ensure only a minimal set of trusted roles can stop or modify AWS Config components.
 76- Implement guardrails such as AWS Config rules, SCPs, or automated remediation to detect and respond to recorder stoppage.
 77- Update monitoring, alerting, and incident response runbooks to explicitly cover AWS Config visibility loss scenarios.
 78
 79### Additional information
 80- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
 81- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
 82- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
 83"""
 84references = [
 85    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
 86    "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html",
 87]
 88risk_score = 73
 89rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
 90severity = "high"
 91tags = [
 92    "Domain: Cloud",
 93    "Data Source: AWS",
 94    "Data Source: Amazon Web Services",
 95    "Data Source: AWS Config",
 96    "Tactic: Defense Evasion",
 97    "Resources: Investigation Guide",
 98]
 99timestamp_override = "event.ingested"
100type = "query"
101
102query = '''
103event.dataset: aws.cloudtrail 
104    and event.provider: config.amazonaws.com 
105    and event.action: StopConfigurationRecorder 
106    and event.outcome: success
107'''
108
109
110[[rule.threat]]
111framework = "MITRE ATT&CK"
112[[rule.threat.technique]]
113id = "T1562"
114name = "Impair Defenses"
115reference = "https://attack.mitre.org/techniques/T1562/"
116[[rule.threat.technique.subtechnique]]
117id = "T1562.001"
118name = "Disable or Modify Tools"
119reference = "https://attack.mitre.org/techniques/T1562/001/"
120
121[[rule.threat.technique.subtechnique]]
122id = "T1562.008"
123name = "Disable or Modify Cloud Logs"
124reference = "https://attack.mitre.org/techniques/T1562/008/"
125
126
127
128[rule.threat.tactic]
129id = "TA0005"
130name = "Defense Evasion"
131reference = "https://attack.mitre.org/tactics/TA0005/"
132
133[rule.investigation_fields]
134field_names = [
135    "@timestamp",
136    "user.name",
137    "user_agent.original",
138    "source.ip",
139    "aws.cloudtrail.user_identity.arn",
140    "aws.cloudtrail.user_identity.type",
141    "aws.cloudtrail.user_identity.access_key_id",
142    "event.action",
143    "event.outcome",
144    "cloud.account.id",
145    "cloud.region",
146    "aws.cloudtrail.request_parameters",
147]