AWS Route 53 Resolver Query Log Configuration Deleted

Identifies the deletion of an Amazon Route 53 Resolver Query Log Configuration. Resolver query logs provide critical visibility into DNS activity across VPCs, including lookups made by EC2 instances, containers, Lambda functions, and other AWS resources. Deleting a query log configuration immediately stops DNS query and response logging for the associated VPC. Adversaries may delete these configurations to evade detection, suppress forensic evidence, or degrade security monitoring capabilities.

Elastic rule:

[metadata]
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/10"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an Amazon Route 53 Resolver Query Log Configuration. Resolver query logs provide critical
visibility into DNS activity across VPCs, including lookups made by EC2 instances, containers, Lambda functions, and
other AWS resources. Deleting a query log configuration immediately stops DNS query and response logging for the
associated VPC. Adversaries may delete these configurations to evade detection, suppress forensic evidence, or degrade
security monitoring capabilities.
"""
false_positives = [
    """
    Query log configuration deletions may occur during legitimate networking changes, logging pipeline updates, or
    infrastructure redesign. Confirm the activity aligns with expected operations before taking action.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Route 53 Resolver Query Log Configuration Deleted"
note = """## Triage and analysis

> **Disclaimer**:  
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Route 53 Resolver Query Log Configuration Deleted

Route 53 Resolver query logs provide essential telemetry for DNS visibility across AWS environments. Deleting a Resolver Query Log Configuration immediately halts DNS logging for one or more VPCs, creating a significant monitoring gap. Adversaries may intentionally delete these configurations to hide malicious activity. This rule detects successful invocations of `DeleteResolverQueryLogConfig`.

### Possible investigation steps

**Validate the actor and request origin**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who initiated the deletion. Confirm whether the identity normally manages Route 53 Resolver resources or VPC-level DNS configuration.
- Examine the `source.ip`, `source.address` and `source.geo` fields and `user_agent.original` to determine whether the request originated from an expected network path or automation role, and whether the API call was made via the console, CLI, SDK, or custom tooling.

**Understand what was deleted and the impacted environment**
- Inspect `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` to identify the Query Log Configuration ID, the associated VPCs and the log destinations (e.g., CloudWatch Log Group, S3 bucket, Kinesis stream).
- Determine whether these VPCs support production workloads, contain regulated or sensitive data, or host internet-facing or privileged workloads (e.g., EKS clusters, directory services, bastion hosts).

**Correlate for intent and related activity**
- Use `@timestamp` to correlate the deletion with:
  - Prior `PutResolverQueryLogConfig` or `AssociateResolverQueryLogConfig` modifications.
  - IAM permission changes or STS session activities.
  - Recent DNS anomalies if logs were active prior to deletion.
- Pivot on the same `aws.cloudtrail.user_identity.arn` to identify:
  - Additional logging-related tampering (CloudTrail, VPC Flow Logs, S3 server access logs).
  - Resource isolation or privilege escalation attempts.
  - Suspicious EC2, Lambda, or container workload behavior.

**Validate operational context**
- Check whether a change request, maintenance window, or migration task was underway that could explain the deletion.
- Confirm with networking, SRE, or platform engineering teams whether a logging pipeline redesign was in progress, a deprecated log config was intentionally removed, or infrastructure-as-code (IaC) automation recently applied updates that removed the configuration.

### False positive analysis

- **Legitimate network and logging redesign**  
  - Deletions performed during planned VPC migrations, resolver logging pipeline upgrades, or CloudWatch/S3 restructuring may be benign.
- **Expected IaC behavior**  
  - Terraform, CloudFormation, or CDK stacks may destroy and recreate logging configurations during updates.  
    Validate pipeline activity and automation roles to avoid noise.

### Response and remediation

**Contain and restore visibility**
- If unauthorized activity is suspected:
  - Immediately re-create the Resolver Query Log Configuration.
  - Re-associate the configuration with the affected VPCs to restore DNS visibility.
  - Verify that CloudWatch Log Groups or S3 destinations have not been deleted or altered.

**Investigate access and scope of impact**
- Review IAM permissions assigned to the actor:
  - Identify whether privilege escalation or role compromise occurred.
  - Validate that other high-impact logging or monitoring configurations (CloudTrail, VPC Flow Logs, GuardDuty) remain intact.
- Perform a DNS-focused threat hunt:
  - Analyze prior logged queries for indicators of malware, C2 infrastructure, or suspicious domains before the logging gap.

**Strengthen defensive controls**
- Restrict sensitive operations by:
  - Limiting `route53resolver:DeleteResolverQueryLogConfig` to a small number of privileged roles.
  - Adding IAM condition keys to constrain deletion operations by source IP, region, or principal ARN.
- Enable AWS Config or Security Hub controls that:
  - Detect missing or deleted query log configurations.
  - Enforce continuous logging for critical VPCs.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html",
]
risk_score = 47
rule_id = "453183fa-f903-11ee-8e88-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Route 53",
    "Use Case: Log Auditing",
    "Resources: Investigation Guide",
    "Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: route53resolver.amazonaws.com
    and event.action: DeleteResolverQueryLogConfig
    and event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.008"
name = "Disable or Modify Cloud Logs"
reference = "https://attack.mitre.org/techniques/T1562/008/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "target.entity.id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
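The rule's KQL query applied in plain Python to raw CloudTrail records, as an added example that is not part of the Elastic rule: it mirrors the query's three conditions (provider, action, successful outcome) and pulls out the investigation fields an analyst would triage first. The two CloudTrail records, their IDs, ARNs, keys and addresses are constructed placeholders, and the mapping of `errorCode` to `event.outcome` is how Elastic's CloudTrail ingest pipeline behaves, stated here as an assumption.

```python
# Constructed CloudTrail records (not real events): one successful deletion and
# one denied attempt by another principal. IDs, ARNs and addresses are placeholders.
SAMPLE_RECORDS = [
    {"eventSource": "route53resolver.amazonaws.com", "eventName": "DeleteResolverQueryLogConfig",
     "eventTime": "2025-01-15T10:22:31Z", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:sts::111122223333:assumed-role/NetOps/alice"},
     "requestParameters": {"resolverQueryLogConfigId": "rqlc-0123456789example"},
     "responseElements": {"resolverQueryLogConfig": {"id": "rqlc-0123456789example",
         "destinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:/dns/prod"}}},
    {"eventSource": "route53resolver.amazonaws.com", "eventName": "DeleteResolverQueryLogConfig",
     "eventTime": "2025-01-15T10:20:05Z", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::111122223333:user/contractor"},
     "errorCode": "AccessDenied",
     "requestParameters": {"resolverQueryLogConfigId": "rqlc-0123456789example"}},
]

def matches_rule(record: dict) -> bool:
    """Mirror the rule's KQL. Assumption: Elastic's CloudTrail ingest pipeline maps
    eventSource to event.provider, eventName to event.action, and sets event.outcome
    to "failure" when errorCode is present, so a success is a record without it."""
    return (record.get("eventSource") == "route53resolver.amazonaws.com"
            and record.get("eventName") == "DeleteResolverQueryLogConfig"
            and "errorCode" not in record)

def triage_fields(record: dict) -> dict:
    """Collect the rule's investigation fields (keyed by ECS name) plus the deleted
    config ID and its log destination, which show whose DNS logging just stopped."""
    ident = record.get("userIdentity") or {}
    req = record.get("requestParameters") or {}
    cfg = (record.get("responseElements") or {}).get("resolverQueryLogConfig") or {}
    return {
        "@timestamp": record.get("eventTime"),
        "aws.cloudtrail.user_identity.arn": ident.get("arn"),
        "aws.cloudtrail.user_identity.type": ident.get("type"),
        "aws.cloudtrail.user_identity.access_key_id": ident.get("accessKeyId"),
        "source.ip": record.get("sourceIPAddress"),
        "user_agent.original": record.get("userAgent"),
        "cloud.region": record.get("awsRegion"),
        "config_id": req.get("resolverQueryLogConfigId"),
        "destination_arn": cfg.get("destinationArn"),
    }

def find_deletions(records: list) -> list:
    """Return triage details for every record the rule would alert on."""
    return [triage_fields(r) for r in records if matches_rule(r)]
```

The denied attempt is deliberately excluded, exactly as the rule's `event.outcome: success` clause excludes it; failed deletion attempts are worth a separate hunt but are not what this rule fires on.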
