LoFP / CloudWatch log group deletions may occur during normal maintenance or infrastructure re-deployments, especially in environments managed by IaC tools (e.g., Terraform, CloudFormation, CDK). Automation pipelines may recreate log groups as part of expected workflows. Verify that the identity, user agent, and source IP match approved administrative or automation activity. If deletions are routine for specific automation roles or CI/CD hosts, consider adding scoped exceptions.

Techniques

Sample rules

AWS CloudWatch Log Group Deletion

Description

Detects the deletion of an Amazon CloudWatch Log Group using the “DeleteLogGroup” API. CloudWatch log groups store operational and security logs for AWS services and custom applications. Deleting a log group permanently removes all associated log streams and historical log data, which can eliminate forensic evidence and disrupt security monitoring pipelines. Adversaries may delete log groups to conceal malicious activity, disable log forwarding, or impede incident response.

Detection logic

event.dataset: "aws.cloudtrail"
  and event.provider: "logs.amazonaws.com"
  and event.action: "DeleteLogGroup"
  and event.outcome: "success"
  and source.ip: *
  and not user_agent.original : "AWS Internal"
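The following is an added example, not code from the LoFP catalogue or from the rule above: it mirrors the detection logic over constructed CloudTrail-style records and then applies the scoped exception described in the false-positive note, suppressing a hit only when identity, source IP and user agent all match a known IaC/CI pattern. The role name, CIDR and user agent in the exception are assumed, illustrative values.

```python
from ipaddress import ip_address, ip_network


def ev(ip, agent, user, outcome="success"):
    """Build a constructed CloudTrail-style record using the rule's field names."""
    return {"event.dataset": "aws.cloudtrail", "event.provider": "logs.amazonaws.com",
            "event.action": "DeleteLogGroup", "event.outcome": outcome,
            "source.ip": ip, "user_agent.original": agent, "user.name": user}


# Constructed sample events: an IaC pipeline deletion, an interactive CLI
# deletion from an unexpected address, an AWS-internal call, and a failed call.
SAMPLE_EVENTS = [
    ev("10.20.0.15", "aws-sdk-go/1.44 (terraform-provider-aws/5.30)", "ci-terraform-role"),
    ev("203.0.113.44", "aws-cli/2.15.0", "contractor-admin"),
    ev("10.20.0.15", "AWS Internal", "ci-terraform-role"),
    ev("203.0.113.44", "aws-cli/2.15.0", "contractor-admin", outcome="failure"),
]

# Scoped exception (assumed values): the automation role, the CIDR its CI runners
# deploy from, and the user agent the IaC tool presents. All three must match,
# so the same role used from an unexpected host or tool still alerts.
EXCEPTIONS = [{"user.name": "ci-terraform-role", "source_cidr": "10.20.0.0/24",
               "user_agent_contains": "terraform-provider-aws"}]


def matches_rule(e):
    """Python equivalent of the rule's detection logic."""
    return (e.get("event.dataset") == "aws.cloudtrail"
            and e.get("event.provider") == "logs.amazonaws.com"
            and e.get("event.action") == "DeleteLogGroup"
            and e.get("event.outcome") == "success"
            and e.get("source.ip") is not None
            and e.get("user_agent.original") != "AWS Internal")


def is_excepted(e, exceptions=EXCEPTIONS):
    """True only when identity, source IP and user agent all match one exception."""
    for x in exceptions:
        try:
            in_cidr = ip_address(e["source.ip"]) in ip_network(x["source_cidr"])
        except (ValueError, KeyError):
            in_cidr = False
        if (e.get("user.name") == x["user.name"] and in_cidr
                and x["user_agent_contains"] in e.get("user_agent.original", "")):
            return True
    return False


def triage(events, exceptions=EXCEPTIONS):
    """Split rule hits into (alerts, suppressed) according to the scoped exceptions."""
    hits = [e for e in events if matches_rule(e)]
    alerts = [e for e in hits if not is_excepted(e, exceptions)]
    suppressed = [e for e in hits if is_excepted(e, exceptions)]
    return alerts, suppressed
```

Running `triage(SAMPLE_EVENTS)` leaves only the contractor-admin CLI deletion as an alert; the Terraform deletion is suppressed, and the AWS-internal and failed calls never match the rule.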