AWS Route 53 Resolver Query Log Configuration Deleted

  1[metadata]
  2creation_date = "2024/04/12"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the deletion of an Amazon Route 53 Resolver Query Log Configuration. Resolver query logs provide critical
 11visibility into DNS activity across VPCs, including lookups made by EC2 instances, containers, Lambda functions, and
 12other AWS resources. Deleting a query log configuration immediately stops DNS query and response logging for the
 13associated VPC. Adversaries may delete these configurations to evade detection, suppress forensic evidence, or degrade
 14security monitoring capabilities.
 15"""
 16false_positives = [
 17    """
 18    Query log configuration deletions may occur during legitimate networking changes, logging pipeline updates, or
 19    infrastructure redesign. Confirm the activity aligns with expected operations before taking action.
 20    """,
 21]
 22from = "now-6m"
 23index = ["filebeat-*", "logs-aws.cloudtrail*"]
 24language = "kuery"
 25license = "Elastic License v2"
 26name = "AWS Route 53 Resolver Query Log Configuration Deleted"
 27note = """## Triage and analysis
 28
 29### Investigating AWS Route 53 Resolver Query Log Configuration Deleted
 30
 31Route 53 Resolver query logs provide essential telemetry for DNS visibility across AWS environments. Deleting a Resolver Query Log Configuration immediately halts DNS logging for one or more VPCs, creating a significant monitoring gap. Adversaries may intentionally delete these configurations to hide malicious activity. This rule detects successful invocations of `DeleteResolverQueryLogConfig`.
 32
 33### Possible investigation steps
 34
 35**Validate the actor and request origin**
 36- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who initiated the deletion. Confirm whether the identity normally manages Route53 Resolver resources or VPC-level DNS configuration.
 37- Examine `source.ip`, `source.address`, `source.geo` fields and `user_agent.original` to determine whether the request originated from an expected network path or automation role. Whether API calls were made via console, CLI, SDK, or custom tooling.
 38
 39**Understand what was deleted and the impacted environment**
 40- Inspect `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` to identify the Query Log Configuration ID, Associated VPCs and destinations (e.g., CloudWatch Log Group, S3 bucket, Kinesis stream).
 41- Determine whether these VPCs support production workloads, contain regulated or sensitive data, host internet-facing or privileged workloads (e.g., EKS clusters, directory services, bastion hosts).
 42
 43**Correlate for intent and related activity**
 44- Use `@timestamp` to correlate the deletion with:
 45  - Prior `PutResolverQueryLogConfig` or `AssociateResolverQueryLogConfig` modifications.
 46  - IAM permission changes or STS session activities.
 47  - Recent DNS anomalies if logs were active prior to deletion.
 48- Pivot on the same `aws.cloudtrail.user_identity.arn` to identify:
 49  - Additional logging-related tampering (CloudTrail, VPC Flow Logs, S3 server access logs).
 50  - Resource isolation or privilege escalation attempts.
 51  - Suspicious EC2, Lambda, or container workload behavior.
 52
 53**Validate operational context**
 54- Check whether a change request, maintenance window, or migration task was underway that could explain the deletion.
 55- Confirm with networking, SRE, or platform engineering teams whether a logging pipeline redesign was in progress, a deprecated log config was intentionally removed, infrastructure-as-code (IaC) automation recently applied updates that removed the configuration.
 56
 57### False positive analysis
 58
 59- **Legitimate network and logging redesign**  
 60  - Deletions performed during planned VPC migrations, resolver logging pipeline upgrades, or CloudWatch/S3 restructuring may be benign.
 61- **Expected IaC behavior**  
 62  - Terraform, CloudFormation, or CDK stacks may destroy and recreate logging configurations during updates.  
 63    Validate pipeline activity and automation roles to avoid noise.
 64
 65### Response and remediation
 66
 67**Contain and restore visibility**
 68- If unauthorized activity is suspected:
 69  - Immediately re-create the Resolver Query Log Configuration.
 70  - Re-associate the configuration with the affected VPCs to restore DNS visibility.
 71  - Verify that CloudWatch Log Groups or S3 destinations have not been deleted or altered.
 72
 73**Investigate access and scope of impact**
 74- Review IAM permissions assigned to the actor:
 75  - Identify whether privilege escalation or role compromise occurred.
 76  - Validate that other high-impact logging or monitoring configurations (CloudTrail, VPC Flow Logs, GuardDuty) remain intact.
 77- Perform a DNS-focused threat hunt:
 78  - Analyze prior logged queries for indicators of malware, C2 infrastructure, or suspicious domains before the logging gap.
 79
 80**Strengthen defensive controls**
 81- Restrict sensitive operations by:
 82  - Limiting `route53resolver:DeleteResolverQueryLogConfig` to a small number of privileged roles.
 83  - Adding IAM condition keys to constrain deletion operations by source IP, region, or principal ARN.
 84- Enable AWS Config or Security Hub controls that:
 85  - Detect missing or deleted query log configurations.
 86  - Enforce continuous logging for critical VPCs.
 87
 88### Additional information
 89- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
 90- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
 91- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
 92"""
 93references = [
 94    "https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html",
 95]
 96risk_score = 47
 97rule_id = "453183fa-f903-11ee-8e88-f661ea17fbce"
 98severity = "medium"
 99tags = [
100    "Domain: Cloud",
101    "Data Source: AWS",
102    "Data Source: Amazon Web Services",
103    "Data Source: AWS Route 53",
104    "Use Case: Log Auditing",
105    "Resources: Investigation Guide",
106    "Tactic: Defense Evasion",
107]
108timestamp_override = "event.ingested"
109type = "query"
110
111query = '''
112event.dataset: aws.cloudtrail 
113    and event.provider: route53resolver.amazonaws.com
114    and event.action: DeleteResolverQueryLogConfig 
115    and event.outcome: success
116'''
117
118
119[[rule.threat]]
120framework = "MITRE ATT&CK"
121[[rule.threat.technique]]
122id = "T1562"
123name = "Impair Defenses"
124reference = "https://attack.mitre.org/techniques/T1562/"
125[[rule.threat.technique.subtechnique]]
126id = "T1562.008"
127name = "Disable or Modify Cloud Logs"
128reference = "https://attack.mitre.org/techniques/T1562/008/"
129
130
131
132[rule.threat.tactic]
133id = "TA0005"
134name = "Defense Evasion"
135reference = "https://attack.mitre.org/tactics/TA0005/"
136
137[rule.investigation_fields]
138field_names = [
139    "@timestamp",
140    "user.name",
141    "user_agent.original",
142    "source.ip",
143    "aws.cloudtrail.user_identity.arn",
144    "aws.cloudtrail.user_identity.type",
145    "aws.cloudtrail.user_identity.access_key_id",
146    "event.action",
147    "event.outcome",
148    "cloud.account.id",
149    "cloud.region",
150    "aws.cloudtrail.request_parameters",
151    "aws.cloudtrail.response_elements",
152]