LoFP / Authorized administrators may temporarily stop the AWS Config recorder during planned maintenance, account restructuring, or controlled configuration changes. Automated infrastructure or compliance tooling may also stop and restart the recorder as part of setup or teardown workflows. Activity outside of documented change windows or from unexpected identities should be investigated.

Techniques

Sample rules

AWS Configuration Recorder Stopped

Description

Identifies when an AWS Config configuration recorder is stopped. AWS Config recorders continuously track and record configuration changes across supported AWS resources. Stopping the recorder immediately reduces visibility into infrastructure changes and can be abused by adversaries to evade detection, obscure follow-on activity, or weaken compliance and security monitoring controls.

Detection logic

event.dataset: aws.cloudtrail 
    and event.provider: config.amazonaws.com 
    and event.action: StopConfigurationRecorder 
    and event.outcome: success
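
The following is an added example, not part of the rule or of the page's own content: it applies the same match to raw CloudTrail records and then separates the false-positive cases described above (known identity inside a documented change window) from stops that need investigation. It assumes the rule's `event.provider`, `event.action` and `event.outcome` fields correspond to CloudTrail's `eventSource`, `eventName` and the absence of `errorCode`; the allowlisted role prefix, the change window and all sample records are constructed.

```python
from datetime import datetime, timezone

# Hypothetical triage inputs: identities and change windows you have documented.
EXPECTED_ARN_PREFIXES = ("arn:aws:sts::111122223333:assumed-role/ConfigBootstrap/",)
CHANGE_WINDOWS = [("2024-05-01T02:00:00Z", "2024-05-01T04:00:00Z")]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def matches_rule(rec):
    """Raw-CloudTrail form of the rule: a successful StopConfigurationRecorder call."""
    return (rec.get("eventSource") == "config.amazonaws.com"
            and rec.get("eventName") == "StopConfigurationRecorder"
            and "errorCode" not in rec)  # errorCode appears only on failed calls

def triage(rec):
    """None if the rule does not fire, otherwise 'expected' or 'investigate'."""
    if not matches_rule(rec):
        return None
    arn = rec.get("userIdentity", {}).get("arn", "")
    when = _ts(rec["eventTime"])
    known_identity = arn.startswith(EXPECTED_ARN_PREFIXES)
    in_window = any(_ts(start) <= when <= _ts(end) for start, end in CHANGE_WINDOWS)
    return "expected" if known_identity and in_window else "investigate"

def _rec(name, arn, time, **extra):
    return {"eventSource": "config.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "eventTime": time, **extra}

# Constructed sample records (not real CloudTrail data).
BOOT = "arn:aws:sts::111122223333:assumed-role/ConfigBootstrap/deploy"
OTHER = "arn:aws:iam::111122223333:user/constructed-user"
SAMPLE = [
    _rec("StopConfigurationRecorder", BOOT, "2024-05-01T02:15:00Z"),   # allowlisted, in window
    _rec("StopConfigurationRecorder", BOOT, "2024-05-03T23:40:00Z"),   # outside window
    _rec("StopConfigurationRecorder", OTHER, "2024-05-01T02:30:00Z"),  # unexpected identity
    _rec("StopConfigurationRecorder", OTHER, "2024-05-01T02:31:00Z",
         errorCode="AccessDenied"),                                     # failed call
    _rec("StartConfigurationRecorder", BOOT, "2024-05-01T03:50:00Z"),  # different action
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["eventTime"], rec["userIdentity"]["arn"], "->", triage(rec))
```

Both conditions must hold for a stop to be treated as expected: a known identity outside its window, or an unknown identity inside one, is still routed to investigation.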