AWS IAM Group Deletion
Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.
Elastic rule
[metadata]
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource
group does not delete resources that are members of the group; it only deletes the group structure.
"""
false_positives = [
    """
    A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or
    hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Group Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS IAM Group Deletion

AWS IAM groups facilitate user management by organizing users with similar permissions. Adversaries might exploit group deletion to disrupt access controls, potentially leading to unauthorized access or service disruption. The detection rule monitors successful group deletions via AWS CloudTrail, flagging potential misuse by correlating specific IAM actions and outcomes, thus aiding in timely threat identification.

### Possible investigation steps

- Review the AWS CloudTrail logs to identify the user or role that performed the DeleteGroup action by examining the userIdentity field.
- Check the event time to determine when the group deletion occurred and correlate it with any other suspicious activities around the same timeframe.
- Investigate the specific IAM group that was deleted to understand its purpose and the permissions it granted by reviewing historical IAM policies and group membership.
- Assess the impact of the group deletion by identifying any users or services that might have been affected due to the loss of group-based permissions.
- Verify if the group deletion was authorized by cross-referencing with change management records or contacting the responsible team or individual.
- Look for any patterns or repeated occurrences of similar actions in the logs to identify potential malicious behavior or misconfigurations.

### False positive analysis

- Routine administrative tasks may trigger alerts when IAM groups are deleted as part of regular maintenance or restructuring. To manage this, create exceptions for known maintenance periods or specific administrative accounts.
- Automated scripts or tools that manage IAM resources might delete groups as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific user or role identifiers.
- Temporary groups created for short-term projects or testing purposes might be deleted frequently. Document these groups and exclude their deletion from monitoring by using naming conventions or tags.
- Changes in organizational structure or policy might necessitate the deletion of certain groups. Coordinate with relevant teams to anticipate these changes and adjust monitoring rules accordingly.

### Response and remediation

- Immediately revoke any active sessions and access keys for users who were part of the deleted IAM group to prevent unauthorized access.
- Restore the deleted IAM group from a backup or recreate it with the same permissions to ensure continuity of access for legitimate users.
- Conduct a review of recent IAM activity logs to identify any unauthorized or suspicious actions that may have preceded the group deletion.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring on IAM activities, especially focusing on group management actions, to detect similar threats in the future.
- Review and tighten IAM policies and permissions to ensure that only authorized personnel can delete IAM groups.
- If malicious intent is suspected, escalate the incident to the incident response team for a comprehensive investigation and potential legal action.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html",
]
risk_score = 21
rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
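The rule's KQL predicate and the first triage steps (who, when, which group, from where, minus known automation) applied to raw CloudTrail records, as an added Python example that is not Elastic's code; the sample events, the account id, the IP addresses and the `iam-automation` exemption are all constructed for illustration.

```python
# Constructed sample CloudTrail records (not real logs); account id and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-15T10:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteGroup", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupName": "Developers"}},
    {"eventTime": "2025-01-15T10:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteGroup", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupName": "Auditors"}},
    {"eventTime": "2025-01-15T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteGroup", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/iam-automation/ci-run"},
     "requestParameters": {"groupName": "tmp-project-x"}},
    {"eventTime": "2025-01-15T10:09:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateGroup", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupName": "Developers"}},
]
# Hypothetical exception list: automation roles whose group deletions are expected.
EXEMPT_ACTORS = {"iam-automation"}

def is_successful_delete_group(event):
    # Same predicate as the rule's KQL. The integration derives event.outcome from
    # CloudTrail's errorCode (present only on failed calls), so success == no errorCode.
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "DeleteGroup"
            and "errorCode" not in event)

def actor_name(event):
    # IAM user name, or the role name parsed from an assumed-role ARN
    # (arn:aws:sts::<account>:assumed-role/<role>/<session>).
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("arn", "").split("assumed-role/")[-1].split("/")[0]
    return ident.get("userName", "unknown")

def triage(events, exempt=EXEMPT_ACTORS):
    # Apply the rule, drop exempted actors, and keep the fields an analyst checks
    # first: when, who, which group, and from where.
    alerts = []
    for e in events:
        if not is_successful_delete_group(e) or actor_name(e) in exempt:
            continue
        alerts.append({"time": e["eventTime"], "actor": actor_name(e),
                       "group": e["requestParameters"]["groupName"],
                       "source_ip": e.get("sourceIPAddress")})
    return alerts
```

Of the four constructed records only alice's deletion is alerted: bob's call failed, the automation role is exempted, and CreateGroup is not in scope.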
Related rules
- AWS IAM Deactivation of MFA Device
- AWS Deletion of RDS Instance or Cluster
- AWS EC2 Encryption Disabled
- AWS EFS File System or Mount Deleted
- AWS EventBridge Rule Disabled or Deleted