AWS Lambda Function Deletion

Identifies the deletion of an AWS Lambda function. Deleting a function removes its code, configuration, versions, and aliases. Adversaries may delete functions to disrupt business operations and automated workflows, to destroy attacker-deployed backdoors and remove evidence after achieving their objective, or to inhibit incident response. Because function deletion is destructive and often irreversible without redeployment, deletions performed by unexpected principals or outside change windows should be reviewed.

Elastic rule

[metadata]
creation_date = "2026/06/18"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/18"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an AWS Lambda function. Deleting a function removes its code, configuration, versions, and
aliases. Adversaries may delete functions to disrupt business operations and automated workflows, to destroy
attacker-deployed backdoors and remove evidence after achieving their objective, or to inhibit incident response.
Because function deletion is destructive and often irreversible without redeployment, deletions performed by unexpected
principals or outside change windows should be reviewed.
"""
false_positives = [
    """
    Lambda functions are routinely deleted during application decommissioning, environment teardown, and
    infrastructure-as-code apply/destroy cycles. Verify whether the principal in `aws.cloudtrail.user_identity.arn` and
    the deleted function are expected for the workload, and whether the change aligns with an approved maintenance or
    deployment window. Known deployment roles and automation can be excluded after validation.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Lambda Function Deletion"
note = """## Triage and analysis

### Investigating AWS Lambda Function Deletion

Deleting an AWS Lambda function removes its code, configuration, published versions, and aliases. This can be a destructive action that disrupts serverless workloads and automation, or a cleanup step an adversary uses to remove a backdoor function and erase evidence after their objective is met.

This rule detects successful `DeleteFunction` calls. Investigate whether the principal and the deleted function are expected, and whether the deletion correlates with other suspicious activity.

#### Possible investigation steps

- Identify the actor in `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`, and review `source.ip` and `user_agent.original` to determine how the deletion was performed (console, CLI, SDK, automation).
- Inspect `aws.cloudtrail.request_parameters` for the `functionName` and map it to its application, owner, and environment (prod, staging, dev).
- Determine whether the deletion aligns with an approved change, decommissioning, or infrastructure-as-code destroy operation by comparing `@timestamp` against deployment and change-management records.
- Correlate with recent activity by the same principal or access key, such as `CreateFunction`, `UpdateFunctionCode`, `AddPermission`, `CreateEventSourceMapping`, log-group deletions, or other destructive or evasive actions.
- Verify whether multiple functions were deleted in a short window, which may indicate broad disruption rather than a single planned change.

### False positive analysis

- Function deletions are common during decommissioning and infrastructure-as-code apply/destroy cycles. Deletions by approved deployment roles, CI/CD pipelines, or platform automation are expected. Tune on `aws.cloudtrail.user_identity.arn`, `user_agent.original`, or known automation roles after validation.

### Response and remediation

- If the deletion is unauthorized, restore the function from source control or an infrastructure-as-code definition and confirm its code, configuration, and execution role match a known-good state.
- Review CloudTrail for related destructive or evasive actions by the same actor and assess operational impact.
- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `lambda:DeleteFunction` to a small set of trusted roles.

### Additional information

- [DeleteFunction API](https://docs.aws.amazon.com/lambda/latest/api/API_DeleteFunction.html)
"""
references = [
    "https://docs.aws.amazon.com/lambda/latest/api/API_DeleteFunction.html",
    "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html",
]
risk_score = 21
rule_id = "bb3ac0e3-2c9c-4069-a26d-75ca6a6e547b"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Lambda",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "lambda.amazonaws.com"
    and event.action: (DeleteFunction or DeleteFunction20*)
    and event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"

[[rule.threat.technique]]
id = "T1489"
name = "Service Stop"
reference = "https://attack.mitre.org/techniques/T1489/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
]
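The KQL predicate in the rule above, replicated in Python and run over a few constructed CloudTrail-style events so each of the three filters can be seen doing work. This is an added example, not Elastic's code: the records are constructed, the nested layout follows the ECS field names the rule references, and the flattened `{functionName=...}` string form of `aws.cloudtrail.request_parameters` is an assumption about the integration's output. Lambda's CloudTrail event names carry an API-version date suffix (the function deletion is logged as `DeleteFunction20150331`), which is what the `DeleteFunction20*` wildcard covers while leaving out `DeleteFunctionConcurrency` and the other `DeleteFunction*` sub-resource APIs; the `event.provider` filter keeps CloudFront Functions' own `DeleteFunction` out.

```python
import fnmatch
import re

# Constructed sample events (illustrative, not captured logs) in the ECS layout the
# Elastic AWS CloudTrail integration produces. request_parameters is assumed to be the
# integration's flattened string form.
SAMPLE_EVENTS = [
    {   # 1: real Lambda function deletion -> the rule should fire
        "data_stream": {"dataset": "aws.cloudtrail"},
        "event": {"provider": "lambda.amazonaws.com",
                  "action": "DeleteFunction20150331", "outcome": "success"},
        "aws": {"cloudtrail": {
            "user_identity": {"arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice"},
            "request_parameters": "{functionName=payments-api}"}},
    },
    {   # 2: same call denied by IAM -> outcome is failure, must not fire
        "data_stream": {"dataset": "aws.cloudtrail"},
        "event": {"provider": "lambda.amazonaws.com",
                  "action": "DeleteFunction20150331", "outcome": "failure"},
        "aws": {"cloudtrail": {
            "user_identity": {"arn": "arn:aws:iam::123456789012:user/bob"},
            "request_parameters": "{functionName=payments-api}"}},
    },
    {   # 3: reserved-concurrency removal, not a deletion; a bare "DeleteFunction*" would overmatch
        "data_stream": {"dataset": "aws.cloudtrail"},
        "event": {"provider": "lambda.amazonaws.com",
                  "action": "DeleteFunctionConcurrency20171031", "outcome": "success"},
        "aws": {"cloudtrail": {
            "user_identity": {"arn": "arn:aws:iam::123456789012:user/bob"},
            "request_parameters": "{functionName=payments-api}"}},
    },
    {   # 4: CloudFront Functions also expose DeleteFunction; the provider filter excludes it
        "data_stream": {"dataset": "aws.cloudtrail"},
        "event": {"provider": "cloudfront.amazonaws.com",
                  "action": "DeleteFunction", "outcome": "success"},
        "aws": {"cloudtrail": {
            "user_identity": {"arn": "arn:aws:iam::123456789012:user/bob"},
            "request_parameters": "{name=edge-redirect}"}},
    },
]


def field(event, path, default=None):
    """Walk a dotted ECS path through nested dicts, returning default if any hop is missing."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def matches_rule(event):
    """Python equivalent of the rule's KQL predicate (keyword matching is case-sensitive)."""
    action = field(event, "event.action", "")
    return (
        field(event, "data_stream.dataset") == "aws.cloudtrail"
        and field(event, "event.provider") == "lambda.amazonaws.com"
        and (action == "DeleteFunction" or fnmatch.fnmatchcase(action, "DeleteFunction20*"))
        and field(event, "event.outcome") == "success"
    )


def function_name(event):
    """Pull functionName out of the flattened request_parameters string, or None."""
    params = field(event, "aws.cloudtrail.request_parameters", "")
    m = re.search(r"functionName=([^,}]+)", params)
    return m.group(1) if m else None


def run_rule(events):
    """Return (actor ARN, functionName) for every event the rule would alert on."""
    return [(field(e, "aws.cloudtrail.user_identity.arn"), function_name(e))
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for actor, fn in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {actor} deleted Lambda function {fn}")
```

Running it alerts only on the first record; the denied call, the concurrency change and the CloudFront deletion all fall through, which is the behaviour to confirm before loosening any of the three filters.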

Triage and analysis

Investigating AWS Lambda Function Deletion

Deleting an AWS Lambda function removes its code, configuration, published versions, and aliases. This can be a destructive action that disrupts serverless workloads and automation, or a cleanup step an adversary uses to remove a backdoor function and erase evidence after their objective is met.

This rule detects successful DeleteFunction calls. Investigate whether the principal and the deleted function are expected, and whether the deletion correlates with other suspicious activity.

Possible investigation steps

  • Identify the actor in aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.type, and review source.ip and user_agent.original to determine how the deletion was performed (console, CLI, SDK, automation).
  • Inspect aws.cloudtrail.request_parameters for the functionName and map it to its application, owner, and environment (prod, staging, dev).
  • Determine whether the deletion aligns with an approved change, decommissioning, or infrastructure-as-code destroy operation by comparing @timestamp against deployment and change-management records.
  • Correlate with recent activity by the same principal or access key, such as CreateFunction, UpdateFunctionCode, AddPermission, CreateEventSourceMapping, log-group deletions, or other destructive or evasive actions.
  • Verify whether multiple functions were deleted in a short window, which may indicate broad disruption rather than a single planned change.
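The last two investigation steps (correlating the deletion with the same access key's recent `CreateFunction` / `AddPermission` activity, and checking for several deletions in a short window) carried out in code. This is an added example, not part of the rule or its investigation guide: the rows are constructed, already flattened from the CloudTrail fields the guide names (actor from `aws.cloudtrail.user_identity.arn`, key from `aws.cloudtrail.user_identity.access_key_id`, target from `request_parameters`), and the window and threshold values are illustrative choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    """Parse the ISO-8601 'Z' timestamps CloudTrail uses into aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def ev(time, actor, key, action, function):
    return {"time": time, "actor": actor, "access_key": key, "action": action, "function": function}


# Constructed triage rows (not captured logs). Account, role and key IDs are placeholders.
CI = "arn:aws:sts::123456789012:assumed-role/ci-deploy/gha"
BOB = "arn:aws:iam::123456789012:user/bob"
EVENTS = [
    # A planned teardown by the CI role: one function, nothing unusual before it.
    ev("2024-05-01T02:00:05Z", CI, "ASIAEXAMPLECI", "DeleteFunction20150331", "legacy-report"),
    # A user key creates a function, grants invoke permission, then deletes it 40 minutes later...
    ev("2024-05-01T13:10:00Z", BOB, "AKIAEXAMPLEBOB", "CreateFunction20150331", "sys-health-check"),
    ev("2024-05-01T13:11:00Z", BOB, "AKIAEXAMPLEBOB", "AddPermission20150331", "sys-health-check"),
    ev("2024-05-01T13:50:00Z", BOB, "AKIAEXAMPLEBOB", "DeleteFunction20150331", "sys-health-check"),
    # ...and then deletes three production functions inside two minutes.
    ev("2024-05-01T13:52:00Z", BOB, "AKIAEXAMPLEBOB", "DeleteFunction20150331", "payments-api"),
    ev("2024-05-01T13:52:30Z", BOB, "AKIAEXAMPLEBOB", "DeleteFunction20150331", "orders-worker"),
    ev("2024-05-01T13:53:10Z", BOB, "AKIAEXAMPLEBOB", "DeleteFunction20150331", "fraud-scorer"),
]

# Lambda event names carry an API-version suffix, so prefix-match the API name.
SETUP_ACTIONS = ("CreateFunction", "UpdateFunctionCode", "AddPermission", "CreateEventSourceMapping")


def is_delete(e):
    return e["action"].startswith("DeleteFunction20")


def cleanup_candidates(events, lookback=timedelta(hours=24)):
    """Deletions whose target the same access key created or wired up within `lookback`
    beforehand: the 'deploy a backdoor, use it, remove it' pattern the guide describes.
    Returns [(function, sorted prior setup actions)]."""
    out = []
    for d in filter(is_delete, events):
        prior = [e for e in events
                 if e["access_key"] == d["access_key"] and e["function"] == d["function"]
                 and e["action"].startswith(SETUP_ACTIONS)
                 and timedelta(0) < ts(d["time"]) - ts(e["time"]) <= lookback]
        if prior:
            out.append((d["function"], sorted(e["action"] for e in prior)))
    return out


def burst_deleters(events, window=timedelta(minutes=10), threshold=3):
    """Access keys that deleted at least `threshold` distinct functions inside any `window`.
    Returns {access_key: sorted functions in the first qualifying window}."""
    by_key = defaultdict(list)
    for e in filter(is_delete, events):
        by_key[e["access_key"]].append(e)
    hits = {}
    for key, dels in by_key.items():
        dels.sort(key=lambda e: ts(e["time"]))
        for i, first in enumerate(dels):
            in_window = {e["function"] for e in dels[i:]
                         if ts(e["time"]) - ts(first["time"]) <= window}
            if len(in_window) >= threshold:
                hits[key] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for fn, setup in cleanup_candidates(EVENTS):
        print(f"possible backdoor cleanup: {fn} was set up by the deleting key via {setup}")
    for key, fns in burst_deleters(EVENTS).items():
        print(f"burst: {key} deleted {len(fns)} functions in one window: {fns}")
```

Keying on the access key rather than the ARN catches the case where one compromised key is used under several role sessions; the CI deletion is left alone by both checks, which is the split between "planned change" and "broad disruption" the guide asks for.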

False positive analysis

  • Function deletions are common during decommissioning and infrastructure-as-code apply/destroy cycles. Deletions by approved deployment roles, CI/CD pipelines, or platform automation are expected. Tune on aws.cloudtrail.user_identity.arn, user_agent.original, or known automation roles after validation.

Response and remediation

  • If the deletion is unauthorized, restore the function from source control or an infrastructure-as-code definition and confirm its code, configuration, and execution role match a known-good state.
  • Review CloudTrail for related destructive or evasive actions by the same actor and assess operational impact.
  • Rotate or restrict credentials for the principal if compromise is suspected, and constrain lambda:DeleteFunction to a small set of trusted roles.
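One way to carry out the last step, constraining `lambda:DeleteFunction` to a small set of trusted roles, is a service control policy Deny with an `ArnNotLike` condition on `aws:PrincipalArn`. The block below is an added example, not part of the rule: the account ID and role names are placeholders, and the evaluator is a deliberately minimal model of how that one Deny statement is applied so the allow-list can be checked offline before the policy is attached. It also maps the `assumed-role` ARN CloudTrail records in `user_identity.arn` to the role ARN, because `aws:PrincipalArn` carries the role ARN for a role session.

```python
import fnmatch

# Placeholder account and roles; these would be the deployment and break-glass roles for the workload.
TRUSTED_DELETERS = [
    "arn:aws:iam::123456789012:role/ci-deploy",
    "arn:aws:iam::123456789012:role/platform-break-glass",
]

# SCP statement: Deny wins over any IAM Allow, so only the listed roles can delete functions.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLambdaDeleteExceptTrustedRoles",
        "Effect": "Deny",
        "Action": ["lambda:DeleteFunction"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": TRUSTED_DELETERS}},
    }],
}


def principal_arn_from_session(arn):
    """Map arn:aws:sts::ACCT:assumed-role/ROLE/SESSION (what CloudTrail logs) to
    arn:aws:iam::ACCT:role/ROLE (what aws:PrincipalArn holds for a role session)."""
    marker = ":assumed-role/"
    if marker not in arn:
        return arn
    head, rest = arn.split(marker, 1)
    account = head.split(":")[4]
    role = rest.split("/", 1)[0]
    return f"arn:aws:iam::{account}:role/{role}"


def arn_like(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def action_matches(action, statement_actions):
    acts = statement_actions if isinstance(statement_actions, list) else [statement_actions]
    return any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts)  # actions are case-insensitive


def is_denied(policy, principal_arn, action):
    """Minimal evaluator for Deny statements conditioned on ArnLike/ArnNotLike aws:PrincipalArn.
    Allow statements are ignored on purpose: an explicit Deny overrides them, so True means blocked."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or not action_matches(action, st["Action"]):
            continue
        cond = st.get("Condition", {})
        not_like = cond.get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        like = cond.get("ArnLike", {}).get("aws:PrincipalArn", [])
        if not_like and arn_like(principal_arn, not_like):
            continue  # principal is on the allow-list, this Deny does not apply
        if like and not arn_like(principal_arn, like):
            continue
        return True
    return False


def may_delete(policy, cloudtrail_actor_arn):
    """Check an actor ARN as it appears in CloudTrail against the policy."""
    return not is_denied(policy, principal_arn_from_session(cloudtrail_actor_arn), "lambda:DeleteFunction")


if __name__ == "__main__":
    for actor in ("arn:aws:sts::123456789012:assumed-role/ci-deploy/gha",
                  "arn:aws:iam::123456789012:user/bob",
                  "arn:aws:sts::123456789012:assumed-role/AdminRole/alice"):
        print(f"{actor}: {'allowed' if may_delete(SCP, actor) else 'DENIED'}")
```

Two caveats the evaluator does not model: the trusted roles still need an IAM Allow for `lambda:DeleteFunction`, and SCPs do not constrain the organization's management account. The statement is scoped to the one action, so `DeleteFunctionConcurrency` and the other `DeleteFunction*` sub-resource calls are unaffected, matching the scope of the detection.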
