AWS Backup Vault Deleted or Vault Lock Removed

Identifies deletion of an AWS Backup vault or removal of its Vault Lock configuration via DeleteBackupVault or DeleteBackupVaultLockConfiguration. A backup vault stores recovery points, and Vault Lock enforces WORM (write-once, read-many) immutability that prevents recovery points from being deleted before their retention expires. Removing the lock defeats the primary control designed to stop ransomware from destroying backups, and deleting the vault removes the backup container entirely. Both actions are strong anti-recovery signals and are rare in normal operations.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/06/19"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/06/19"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies deletion of an AWS Backup vault or removal of its Vault Lock configuration via DeleteBackupVault or
 11DeleteBackupVaultLockConfiguration. A backup vault stores recovery points, and Vault Lock enforces WORM (write-once,
 12read-many) immutability that prevents recovery points from being deleted before their retention expires. Removing the
 13lock defeats the primary control designed to stop ransomware from destroying backups, and deleting the vault removes the
 14backup container entirely. Both actions are strong anti-recovery signals and are rare in normal operations.
 15"""
 16false_positives = [
 17    """
 18    Platform or infrastructure-as-code teams may delete empty or deprecated vaults during decommissioning, or adjust
 19    Vault Lock during a planned governance change (note that compliance-mode locks cannot be removed). Verify the
 20    principal in "aws.cloudtrail.user_identity.arn" and confirm the change aligns with an approved request. Known
 21    administration roles can be excluded after validation.
 22    """,
 23]
 24from = "now-6m"
 25index = ["logs-aws.cloudtrail-*"]
 26language = "kuery"
 27license = "Elastic License v2"
 28name = "AWS Backup Vault Deleted or Vault Lock Removed"
 29note = """## Triage and analysis
 30
 31### Investigating AWS Backup Vault Deleted or Vault Lock Removed
 32
 33A backup vault is the container for AWS Backup recovery points, and Vault Lock applies immutability so recovery points cannot be deleted or shortened before retention expires. "DeleteBackupVaultLockConfiguration" removes that immutability (for governance-mode locks), and "DeleteBackupVault" deletes the vault itself. Adversaries remove the lock to enable subsequent deletion of otherwise-immutable recovery points, or delete the vault to destroy backups outright. These are high-impact, rare operations and should be deliberate and tightly controlled.
 34
 35### Possible investigation steps
 36
 37- Identify the actor in "aws.cloudtrail.user_identity.arn" and "aws.cloudtrail.user_identity.type", and review "source.ip", "source.as.organization.name", and "user_agent.original" for an unexpected origin.
 38- Determine the affected vault from "aws.cloudtrail.request_parameters" and whether it held recovery points.
 39- For lock removal, check whether DeleteRecoveryPoint or DeleteBackupVault followed shortly after, indicating a staged anti-recovery sequence.
 40- Correlate with other destructive or evasion activity by the same principal (KMS key deletion, resource deletions, logging changes).
 41
 42### False positive analysis
 43
 44- Decommissioning of empty vaults or planned governance changes may match. Confirm the change is expected and exclude known administration roles on "aws.cloudtrail.user_identity.arn" after validation.
 45
 46### Response and remediation
 47
 48- If unauthorized, treat as a likely precursor to backup destruction: preserve remaining recovery points, re-apply Vault Lock (in compliance mode where appropriate), and engage incident response.
 49- Rotate or restrict credentials for the principal if compromise is suspected, and restrict "backup:DeleteBackupVault" and "backup:DeleteBackupVaultLockConfiguration" to break-glass roles via IAM and SCPs.
 50
 51### Additional information
 52
 53- [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html)
 54- [DeleteBackupVault API](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVault.html)
 55- [DeleteBackupVaultLockConfiguration API](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVaultLockConfiguration.html)
 56"""
 57references = [
 58    "https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html",
 59    "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVault.html",
 60    "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVaultLockConfiguration.html",
 61]
 62risk_score = 73
 63rule_id = "4ddac6c1-e4be-4e2b-95b5-0654cb8d423c"
 64setup = """This rule requires AWS CloudTrail management events for AWS Backup and ingestion via the Elastic AWS CloudTrail integration. See https://docs.elastic.co/integrations/aws/cloudtrail."""
 65severity = "high"
 66tags = [
 67    "Domain: Cloud",
 68    "Data Source: AWS",
 69    "Data Source: Amazon Web Services",
 70    "Data Source: AWS Backup",
 71    "Use Case: Threat Detection",
 72    "Tactic: Impact",
 73    "Tactic: Defense Evasion",
 74    "Resources: Investigation Guide",
 75]
 76timestamp_override = "event.ingested"
 77type = "query"
 78
 79query = '''
 80data_stream.dataset: "aws.cloudtrail"
 81    and event.provider: "backup.amazonaws.com"
 82    and event.action: ("DeleteBackupVault" or "DeleteBackupVaultLockConfiguration")
 83    and event.outcome: "success"
 84    and not aws.cloudtrail.user_identity.type: "AWSService"
 85'''
 86
 87
 88[[rule.threat]]
 89framework = "MITRE ATT&CK"
 90[[rule.threat.technique]]
 91id = "T1490"
 92name = "Inhibit System Recovery"
 93reference = "https://attack.mitre.org/techniques/T1490/"
 94
 95
 96[rule.threat.tactic]
 97id = "TA0040"
 98name = "Impact"
 99reference = "https://attack.mitre.org/tactics/TA0040/"
100[[rule.threat]]
101framework = "MITRE ATT&CK"
102[[rule.threat.technique]]
103id = "T1562"
104name = "Impair Defenses"
105reference = "https://attack.mitre.org/techniques/T1562/"
106
107
108[rule.threat.tactic]
109id = "TA0005"
110name = "Defense Evasion"
111reference = "https://attack.mitre.org/tactics/TA0005/"
112
113[rule.investigation_fields]
114field_names = [
115    "@timestamp",
116    "user.name",
117    "user_agent.original",
118    "source.ip",
119    "source.as.number",
120    "source.as.organization.name",
121    "aws.cloudtrail.user_identity.arn",
122    "aws.cloudtrail.user_identity.type",
123    "aws.cloudtrail.user_identity.access_key_id",
124    "event.action",
125    "event.outcome",
126    "cloud.account.id",
127    "cloud.region",
128    "aws.cloudtrail.request_parameters",
129    "aws.cloudtrail.response_elements",
130]

Triage and analysis

Investigating AWS Backup Vault Deleted or Vault Lock Removed

A backup vault is the container for AWS Backup recovery points, and Vault Lock applies immutability so recovery points cannot be deleted or shortened before retention expires. "DeleteBackupVaultLockConfiguration" removes that immutability (for governance-mode locks), and "DeleteBackupVault" deletes the vault itself. Adversaries remove the lock to enable subsequent deletion of otherwise-immutable recovery points, or delete the vault to destroy backups outright. These are high-impact, rare operations and should be deliberate and tightly controlled.

Possible investigation steps

  • Identify the actor in "aws.cloudtrail.user_identity.arn" and "aws.cloudtrail.user_identity.type", and review "source.ip", "source.as.organization.name", and "user_agent.original" for an unexpected origin.
  • Determine the affected vault from "aws.cloudtrail.request_parameters" and whether it held recovery points.
  • For lock removal, check whether DeleteRecoveryPoint or DeleteBackupVault followed shortly after, indicating a staged anti-recovery sequence.
  • Correlate with other destructive or evasion activity by the same principal (KMS key deletion, resource deletions, logging changes).

False positive analysis

  • Decommissioning of empty vaults or planned governance changes may match. Confirm the change is expected and exclude known administration roles on "aws.cloudtrail.user_identity.arn" after validation.

Response and remediation

  • If unauthorized, treat as a likely precursor to backup destruction: preserve remaining recovery points, re-apply Vault Lock (in compliance mode where appropriate), and engage incident response.
  • Rotate or restrict credentials for the principal if compromise is suspected, and restrict "backup:DeleteBackupVault" and "backup:DeleteBackupVaultLockConfiguration" to break-glass roles via IAM and SCPs.

Additional information

References

Related rules

to-top