AWS Backup Recovery Point Deleted
Identifies deletion of an AWS Backup recovery point via DeleteRecoveryPoint. A recovery point is a stored backup of a protected resource (EBS, RDS, DynamoDB, EFS, S3, and others). Deleting recovery points removes the ability to restore the associated data and is a core anti-recovery technique used in ransomware and data-destruction attacks to ensure victims cannot recover without paying or rebuilding. Routine lifecycle expirations are performed by the AWS Backup service itself; deletion by a non-service principal is rare and should be reviewed.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/06/26"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/26"

[rule]
author = ["Elastic"]
description = """
Identifies deletion of an AWS Backup recovery point via DeleteRecoveryPoint. A recovery point is a stored backup of a
protected resource (EBS, RDS, DynamoDB, EFS, S3, and others). Deleting recovery points removes the ability to restore
the associated data and is a core anti-recovery technique used in ransomware and data-destruction attacks to ensure
victims cannot recover without paying or rebuilding. Routine lifecycle expirations are performed by the AWS Backup
service itself; deletion by a non-service principal is rare and should be reviewed.
"""
false_positives = [
    """
    Backup, platform, or infrastructure-as-code teams may delete recovery points during retention cleanup, migration, or
    decommissioning. Verify the principal in "aws.cloudtrail.user_identity.arn", the affected recovery point and vault
    in "aws.cloudtrail.request_parameters", and whether the deletion aligns with an approved change. Known
    administration roles can be excluded after validation.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Backup Recovery Point Deleted"
note = """## Triage and analysis

### Investigating AWS Backup Recovery Point Deleted

AWS Backup recovery points are the restorable copies of protected resources. "DeleteRecoveryPoint" permanently removes a recovery point from its vault, eliminating the ability to restore that backup. Adversaries delete recovery points to inhibit recovery after data destruction or encryption, maximizing the impact of ransomware or sabotage. Because scheduled expirations are carried out by the AWS Backup service itself (excluded by this rule), a deletion by a user or role principal is uncommon and high-signal, especially when several recovery points are removed in a short window.

### Possible investigation steps

- Identify the actor in "aws.cloudtrail.user_identity.arn" and "aws.cloudtrail.user_identity.type", and review "source.ip", "source.as.organization.name", and "user_agent.original" for an unexpected origin.
- Identify the affected recovery point and vault from "aws.cloudtrail.request_parameters", and determine which resource and data it protected.
- Determine whether multiple recovery points or vaults were affected in the same window, indicating a broader anti-recovery effort.
- Correlate with adjacent destructive or evasion activity by the same principal, such as DeleteBackupVault, Vault Lock removal, KMS key deletion, or resource deletions.

### False positive analysis

- Retention cleanup, migration, or decommissioning may delete recovery points. Confirm the deletion is expected and exclude known administration roles on "aws.cloudtrail.user_identity.arn" after validation.

### Response and remediation

- If the deletion is unauthorized, treat it as a potential precursor to or part of a destructive attack: preserve remaining backups, enable Vault Lock where possible, and engage incident response.
- Rotate or restrict credentials for the principal if compromise is suspected, and restrict "backup:DeleteRecoveryPoint" to a small set of trusted administrators via IAM and SCPs.

### Additional information

- [DeleteRecoveryPoint API](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteRecoveryPoint.html)
- [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html)
"""
references = [
    "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteRecoveryPoint.html",
    "https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html",
]
risk_score = 73
rule_id = "042b35f3-afa6-4441-92b2-ef41976b48a3"
setup = """This rule requires AWS CloudTrail management events for AWS Backup and ingestion via the Elastic AWS CloudTrail integration. See https://docs.elastic.co/integrations/aws/cloudtrail."""
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Backup",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "backup.amazonaws.com"
    and event.action: "DeleteRecoveryPoint"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1490"
name = "Inhibit System Recovery"
reference = "https://attack.mitre.org/techniques/T1490/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.as.number",
    "source.as.organization.name",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
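The following is an added example, not Elastic's code and not part of the rule file above. It replays the rule's KQL predicate over a handful of constructed CloudTrail events written in the flat ECS field names the query uses, then performs the grouping the investigation guide asks for: hits per principal, whether several recovery points were removed in a short window, which vaults were touched, and adjacent destructive activity by the same actor. The request-parameter key names (backupVaultName, recoveryPointArn), the list of adjacent event names, the ARNs and the timestamps are all assumptions made for the example; the excluded_arns argument models the "exclude known administration roles after validation" exception from the false-positive guidance.

```python
"""Replay the "AWS Backup Recovery Point Deleted" predicate over constructed
CloudTrail events and run the per-principal triage the investigation guide
describes. Added example; the events, names and windows are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative picks for the "adjacent destructive or evasion activity" the
# guide lists; a real deployment would tune these to its own telemetry.
ADJACENT_ACTIONS = {
    "backup.amazonaws.com": {"DeleteBackupVault", "DeleteBackupVaultLockConfiguration"},
    "kms.amazonaws.com": {"ScheduleKeyDeletion", "DeleteImportedKeyMaterial"},
}


def event(ts, provider, action, outcome, identity_type, arn, params=None):
    """One constructed event, keyed by the ECS field names the rule queries."""
    return {
        "@timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "data_stream.dataset": "aws.cloudtrail",
        "event.provider": provider,
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.type": identity_type,
        "aws.cloudtrail.user_identity.arn": arn,
        # key names follow the DeleteRecoveryPoint API; assumed, not copied from real logs
        "aws.cloudtrail.request_parameters": params or {},
    }


BACKUP = "backup.amazonaws.com"
ADMIN = "arn:aws:sts::111122223333:assumed-role/BackupAdmin/alice"
SUSPECT = "arn:aws:sts::111122223333:assumed-role/CIDeploy/ci-runner"
VAULT = "prod-vault"

SAMPLE_EVENTS = [  # constructed sample data
    # 1. lifecycle expiry performed by the service itself: excluded by the rule
    event("2026-06-26T01:00:00Z", BACKUP, "DeleteRecoveryPoint", "success", "AWSService", BACKUP,
          {"backupVaultName": VAULT, "recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0aaa"}),
    # 2. denied attempt: excluded because event.outcome is not "success"
    event("2026-06-26T02:00:00Z", BACKUP, "DeleteRecoveryPoint", "failure", "AssumedRole", SUSPECT,
          {"backupVaultName": VAULT, "recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0bbb"}),
    # 3. approved one-off cleanup by a known administration role
    event("2026-06-26T03:00:00Z", BACKUP, "DeleteRecoveryPoint", "success", "AssumedRole", ADMIN,
          {"backupVaultName": "dev-vault", "recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0ccc"}),
    # 4. anti-recovery burst: vault lock removed, then three recovery points gone in four minutes
    event("2026-06-26T04:00:00Z", BACKUP, "DeleteBackupVaultLockConfiguration", "success", "AssumedRole", SUSPECT,
          {"backupVaultName": VAULT}),
    event("2026-06-26T04:01:00Z", BACKUP, "DeleteRecoveryPoint", "success", "AssumedRole", SUSPECT,
          {"backupVaultName": VAULT, "recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0ddd"}),
    event("2026-06-26T04:03:00Z", BACKUP, "DeleteRecoveryPoint", "success", "AssumedRole", SUSPECT,
          {"backupVaultName": VAULT, "recoveryPointArn": "arn:aws:rds:us-east-1:111122223333:snapshot:awsbackup:job-0eee"}),
    event("2026-06-26T04:04:00Z", BACKUP, "DeleteRecoveryPoint", "success", "AssumedRole", SUSPECT,
          {"backupVaultName": VAULT, "recoveryPointArn": "arn:aws:ec2:us-east-1::snapshot/snap-0fff"}),
]


def matches_rule(e):
    """The rule's KQL predicate, evaluated on a single event."""
    return (
        e["data_stream.dataset"] == "aws.cloudtrail"
        and e["event.provider"] == BACKUP
        and e["event.action"] == "DeleteRecoveryPoint"
        and e["event.outcome"] == "success"
        and e["aws.cloudtrail.user_identity.type"] != "AWSService"
    )


def triage(events, window=timedelta(minutes=15), excluded_arns=()):
    """Group hits per principal, flag bursts, and pull adjacent activity by the same actor."""
    by_actor = defaultdict(list)
    for e in events:
        if matches_rule(e) and e["aws.cloudtrail.user_identity.arn"] not in excluded_arns:
            by_actor[e["aws.cloudtrail.user_identity.arn"]].append(e)

    findings = {}
    for arn, hits in by_actor.items():
        first = min(h["@timestamp"] for h in hits)
        last = max(h["@timestamp"] for h in hits)
        # successful adjacent actions by this principal within the window around the hits
        adjacent = sorted({
            e["event.action"] for e in events
            if e["aws.cloudtrail.user_identity.arn"] == arn
            and e["event.outcome"] == "success"
            and first - window <= e["@timestamp"] <= last + window
            and e["event.action"] in ADJACENT_ACTIONS.get(e["event.provider"], ())
        })
        findings[arn] = {
            "recovery_points": sorted(h["aws.cloudtrail.request_parameters"]["recoveryPointArn"] for h in hits),
            "vaults": sorted({h["aws.cloudtrail.request_parameters"]["backupVaultName"] for h in hits}),
            "burst": len(hits) > 1 and last - first <= window,
            "adjacent_activity": adjacent,
        }
    return findings


if __name__ == "__main__":
    for arn, finding in triage(SAMPLE_EVENTS).items():
        print(arn, finding)
```

Run as is, the service expiry and the denied attempt never reach triage; the admin's single deletion surfaces as a non-burst hit with no adjacent activity, and the CI role shows three recovery points in one vault within the window plus the preceding vault-lock removal, which is the pattern the guide calls high-signal. Passing excluded_arns=(ADMIN,) drops the validated role the way the false-positive guidance suggests.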
Related rules
- AWS KMS Imported Key Material Deleted
- AWS Lambda Function Deletion
- AWS Bedrock Knowledge Base or RAG Data Source Tampering
- AWS Bedrock Provisioned Model Throughput Tampering
- AWS EC2 EBS Snapshot Access Removed