AWS EFS File System Deleted

  1[metadata]
  2creation_date = "2021/08/27"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/21"
  6
  7[rule]
  8author = ["Austin Songer", "Elastic"]
  9description = """
 10Identifies the deletion of an Amazon EFS file system using the "DeleteFileSystem" API operation. Deleting an EFS file
 11system permanently removes all stored data and cannot be reversed. This action is rare in most environments and
 12typically limited to controlled teardown workflows. Adversaries with sufficient permissions may delete a file system to
 13destroy evidence, disrupt workloads, or impede recovery efforts.
 14"""
 15false_positives = [
 16    """
 17    Legitimate teardown or environment decommissioning processes may delete EFS file systems. Verify whether the calling
 18    user, role, automation system, or CI/CD workflow is expected to perform destructive actions in the affected account.
 19    File system deletions by unfamiliar identities, from unusual IP addresses, or occurring outside approved change
 20    windows should be carefully reviewed. If known automation routinely deletes ephemeral test file systems, consider
 21    adding scoped exceptions.
 22    """,
 23]
 24from = "now-6m"
 25index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 26language = "kuery"
 27license = "Elastic License v2"
 28name = "AWS EFS File System Deleted"
 29note = """## Triage and analysis
 30
 31### Investigating AWS EFS File System Deleted
 32
 33Amazon Elastic File System (EFS) provides scalable, shared file storage used by EC2, container workloads, analytics jobs, and other persistent applications. Deleting an EFS file system (`DeleteFileSystem`) permanently removes all stored data and cannot be recovered. Mount targets must already be deleted, but those operations are common and do not themselves indicate malicious behavior. This rule focuses exclusively on the irreversible destructive event, which may signal intentional data destruction, ransomware preparation, or a post-compromise cleanup effort.
 34
 35#### Possible investigation steps
 36
 37- **Identify the actor and calling context**
 38  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
 39  - Check `source.ip`, `user_agent.original`, and whether the call originated via console, IAM role, STS session, or long-lived IAM key.
 40  - Verify whether this principal typically manages EFS resources or teardown activities.
 41
 42- **Determine what was deleted**
 43  - Inspect `aws.cloudtrail.request_parameters` to identify the deleted file system ID.
 44  - Map the resource to:
 45    - Application or owner team
 46    - Environment classification (prod / dev / test)
 47    - Dependency surfaces (EC2 instances, ECS tasks, Lambda, analytics pipelines)
 48
 49- **Reconstruct timeline and intent**
 50  - Use `@timestamp` to correlate with:
 51    - Recent `UpdateFileSystem` events (e.g., deletion protection, lifecycle policies)
 52    - IAM policy or trust policy changes
 53    - EC2 or container runtime disruption shortly before deletion
 54    - Unexpected regional activity or off-hours execution
 55  - Determine if mount target deletions occurred immediately beforehand (expected lifecycle) or unexpectedly earlier (possibly suspicious when paired with other anomalies).
 56
 57- **Correlate with broader account activity**
 58  - Pivot in CloudTrail on:
 59    - The same access key or session
 60    - The same EFS file system ID
 61  - Look for:
 62    - Privilege escalation (new policy attachments, role assumptions)
 63    - Lateral movement (SSM sessions, unusual EC2 access)
 64    - Signs of cleanup or anti-forensics (CloudWatch log group deletions, RDS snapshot deletions)
 65    - Network isolation actions (security-group or NACL updates)
 66
 67- **Validate with owners**
 68  - Confirm with application or infrastructure teams:
 69    - Whether the deletion was planned, approved, or part of an environment teardown
 70    - Whether a migration or infrastructure rotation is in progress
 71    - Whether the deleted file system contained production or sensitive workloads
 72
 73### False positive analysis
 74
 75- **Expected teardown activity**
 76  - Some pipelines (Terraform, CloudFormation, CDK, custom IaC) delete file systems as part of environment rotation or decommissioning.
 77  - Add exceptions for known automation roles or environment tags (e.g., `Environment=Dev`).
 78
 79- **Ephemeral test environments**
 80  - Development, QA, or integration test accounts may routinely create and destroy EFS file systems.
 81  - Suppress events for non-production accounts where destructive operations are normal.
 82
 83- **Automated housekeeping**
 84  - Internal tooling or lifecycle processes may remove unused EFS resources.
 85  - Identify automation roles and use exceptions based on `aws.cloudtrail.user_identity.arn` or `user_agent.original`.
 86
 87### Response and remediation
 88
 89- **Contain and secure**
 90  - If unauthorized, revoke or disable the credentials used for the deletion.
 91  - Review CloudTrail for additional destructive or privilege-escalating operations from the same actor.
 92  - Validate whether any associated compute workloads (EC2, ECS, Lambda) show compromise indicators.
 93
 94- **Assess impact**
 95  - Identify workloads impacted by the file system deletion.
 96  - Determine whether alternate backups exist (EFS-to-EFS Backup, AWS Backup vaults).
 97  - Evaluate operational disruption and data-loss implications, especially for compliance-bound data.
 98
 99- **Recover (if possible)**
100  - Restore from AWS Backup if a protected resource existed.
101  - Rebuild infrastructure dependencies that relied on the deleted file system.
102
103- **Hardening and prevention**
104  - Restrict use of `elasticfilesystem:DeleteFileSystem` to tightly controlled IAM roles.
105  - Use IAM conditions (e.g., `aws:PrincipalArn`, `aws:SourceIp`, `aws:RequestedRegion`) to limit destructive operations.
106  - Ensure AWS Backup policies include EFS resources with sufficient retention.
107  - Use AWS Config or Security Hub controls to detect:
108    - EFS file systems without backup plans
109    - Unexpected changes to file system policies
110
111### Additional information
112- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
113- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
114- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
115"""
116references = [
117    "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html",
118    "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html",
119]
120risk_score = 47
121rule_id = "536997f7-ae73-447d-a12d-bff1e8f5f0a0"
122severity = "medium"
123tags = [
124    "Domain: Cloud",
125    "Data Source: AWS",
126    "Data Source: Amazon Web Services",
127    "Data Source: AWS EFS",
128    "Tactic: Impact",
129    "Resources: Investigation Guide",
130]
131timestamp_override = "event.ingested"
132type = "query"
133
134query = '''
135event.dataset: "aws.cloudtrail" 
136    and event.provider: "elasticfilesystem.amazonaws.com" 
137    and event.action: "DeleteFileSystem" 
138    and event.outcome: "success"
139'''
140
141
142[[rule.threat]]
143framework = "MITRE ATT&CK"
144[[rule.threat.technique]]
145id = "T1485"
146name = "Data Destruction"
147reference = "https://attack.mitre.org/techniques/T1485/"
148
149
150[rule.threat.tactic]
151id = "TA0040"
152name = "Impact"
153reference = "https://attack.mitre.org/tactics/TA0040/"
154
155[rule.investigation_fields]
156field_names = [
157    "@timestamp",
158    "user.name",
159    "user_agent.original",
160    "source.ip",
161    "aws.cloudtrail.user_identity.arn",
162    "aws.cloudtrail.user_identity.type",
163    "aws.cloudtrail.user_identity.access_key_id",
164    "event.action",
165    "event.outcome",
166    "cloud.account.id",
167    "cloud.region",
168    "aws.cloudtrail.request_parameters"
169]