IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« AWS CloudWatch Log Stream Deletion AWS Configuration Recorder Stopped »

› › ›

AWS Config Service Tampering

edit

AWS Config Service Tampering

edit

Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.

Rule type: query

Rule indices:

filebeat-*
logs-aws*

Severity: medium

Risk score: 47

Runs every: 10 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Cloud
AWS
Continuous Monitoring
SecOps
Monitoring

Version: 6 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.13.0

Rule authors: Elastic, Austin Songer

Rule license: Elastic License v2

Potential false positives

edit

Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service.

Investigation guide

edit

## Config

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com
and event.action:(DeleteConfigRule or DeleteOrganizationConfigRule
or DeleteConfigurationAggregator or DeleteConfigurationRecorder or
DeleteConformancePack or DeleteOrganizationConformancePack or
DeleteDeliveryChannel or DeleteRemediationConfiguration or
DeleteRetentionConfiguration)

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/

Rule version history

edit

Version 6 (7.13.0 release)

Updated query, changed from:

event.dataset: aws.cloudtrail and event.action: DeleteConfigRule and
event.provider: config.amazonaws.com

Version 5 (7.12.0 release)

Formatting only

Version 4 (7.11.2 release)

Formatting only

Version 3 (7.11.0 release)

Formatting only

Version 2 (7.10.0 release)

Formatting only

« AWS CloudWatch Log Stream Deletion AWS Configuration Recorder Stopped »