AWS Config Service Tampering
Identifies attempts to delete an AWS Config Service rule. An adversary may tamper with Config rules in order to reduce visibility into the security posture of an account and/or its workload instances.
Rule type: query
Rule indices:
- filebeat-*
- logs-aws*
Severity: medium
Risk score: 47
Runs every: 10 minutes
Searches indices from: now-60m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- AWS
- Continuous Monitoring
- SecOps
- Monitoring
Version: 4 (version history)
Added (Elastic Stack release): 7.9.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
Privileged IAM users with security responsibilities may make changes to the Config rules in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service when they are used to automate setup or configuration of AWS accounts. Other types of user or service contexts do not commonly make changes to this service.
Investigation guide
The AWS Filebeat module must be enabled to use this rule.
Rule query
event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and event.provider: config.amazonaws.com
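To show what the query above actually selects, here is an added example (not code from the Elastic rule or the Filebeat module) that applies the same three AND-joined field matches to constructed ECS-style CloudTrail events and pulls out the actor context that the false-positive note says matters for triage; the event values and field layout are assumptions modelled on the aws.cloudtrail dataset, not real telemetry.

```python
import json

# Constructed ECS-style CloudTrail events in the shape Filebeat's
# aws.cloudtrail fileset produces (illustrative values, not real logs).
SAMPLE_LINES = [
    json.dumps({"event": {"dataset": "aws.cloudtrail", "action": "DeleteConfigRule",
                          "provider": "config.amazonaws.com"},
                "user": {"name": "sec-admin"},
                "aws": {"cloudtrail": {"user_identity": {"type": "IAMUser"}}}}),
    json.dumps({"event": {"dataset": "aws.cloudtrail", "action": "DescribeConfigRules",
                          "provider": "config.amazonaws.com"},
                "user": {"name": "auditor"}}),
    json.dumps({"event": {"dataset": "aws.cloudtrail", "action": "DeleteConfigRule",
                          "provider": "config.amazonaws.com"},
                "user": {"name": "ci-deploy"},
                "aws": {"cloudtrail": {"user_identity": {"type": "AssumedRole"}}}}),
    "not json at all",  # a malformed line the loop must tolerate
]

# The rule query, clause by clause (KQL "a: x and b: y and c: z").
RULE = {"event.dataset": "aws.cloudtrail",
        "event.action": "DeleteConfigRule",
        "event.provider": "config.amazonaws.com"}


def get_field(event, dotted):
    """Resolve an ECS dotted field name against a nested JSON document."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event):
    """True only when every clause of the AND-joined query matches."""
    return all(get_field(event, f) == v for f, v in RULE.items())


def run_rule(lines):
    """Return one alert per matching line, with actor context for triage."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparsable line has no fields, so it cannot match
        if matches_rule(event):
            alerts.append({"user": get_field(event, "user.name"),
                           "identity_type": get_field(event, "aws.cloudtrail.user_identity.type")})
    return alerts
```

The identity type (IAMUser versus AssumedRole) is what lets an analyst separate the expected privileged-admin or automation changes described under potential false positives from an unexplained actor.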
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Impair Defenses
  - ID: T1562
  - Reference URL: https://attack.mitre.org/techniques/T1562/
Rule version history
- Version 4 (7.11.2 release)
  - Formatting only
- Version 3 (7.11.0 release)
  - Formatting only
- Version 2 (7.10.0 release)
  - Formatting only