Deletion of AWS Config resources may occur during legitimate account restructuring, environment teardown, or changes to compliance tooling. Centralized security teams or approved automation may also delete and recreate Config components as part of controlled workflows. Confirm that the action aligns with approved change management and was performed by an expected principal.

Techniques

Sample rules

AWS Config Resource Deletion

Description

Identifies attempts to delete AWS Config resources. AWS Config provides continuous visibility into resource configuration changes and compliance posture across an account. Deleting Config components can significantly reduce security visibility and auditability. Adversaries may delete or disable Config resources to evade detection, hide prior activity, or weaken governance controls before or after other malicious actions.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: config.amazonaws.com
    and event.outcome: success
    and event.action: (DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or
        DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or
        DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)
    and not aws.cloudtrail.user_identity.invoked_by: (securityhub.amazonaws.com or fms.amazonaws.com or
        controltower.amazonaws.com or config-conforms.amazonaws.com)
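The following is an added example, not part of this page or of the rule's upstream source: the detection logic above expressed in Python and run over a handful of constructed raw CloudTrail records, followed by the principal check the false-positive note recommends. It assumes the usual ECS mapping of the raw fields (eventSource to event.provider, eventName to event.action, absence of errorCode to event.outcome: success, userIdentity.invokedBy to aws.cloudtrail.user_identity.invoked_by), and the approved-principal list (ConfigDeployRole) and the sample records are invented for illustration.

```python
import json

# Action list and service-principal exclusions copied from the rule above.
DELETE_ACTIONS = {
    "DeleteConfigRule", "DeleteOrganizationConfigRule", "DeleteConfigurationAggregator",
    "DeleteConfigurationRecorder", "DeleteConformancePack", "DeleteOrganizationConformancePack",
    "DeleteDeliveryChannel", "DeleteRemediationConfiguration", "DeleteRetentionConfiguration",
}
EXCLUDED_INVOKERS = {
    "securityhub.amazonaws.com", "fms.amazonaws.com",
    "controltower.amazonaws.com", "config-conforms.amazonaws.com",
}


def principal_arn(record):
    """Return the IAM role ARN for assumed-role sessions, else the identity ARN.

    sessionContext.sessionIssuer.arn is stable across sessions, so an
    approved-automation allowlist should key on it rather than the STS ARN.
    """
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn")


def matches_rule(record):
    """True if a raw CloudTrail record would fire the detection above.

    Assumed field mapping: eventSource -> event.provider, eventName -> event.action,
    no errorCode -> event.outcome: success, userIdentity.invokedBy -> invoked_by.
    """
    if record.get("eventSource") != "config.amazonaws.com":
        return False
    if "errorCode" in record:          # failed calls are event.outcome: failure
        return False
    if record.get("eventName") not in DELETE_ACTIONS:
        return False
    invoked_by = record.get("userIdentity", {}).get("invokedBy")
    if invoked_by in EXCLUDED_INVOKERS:  # service-driven deletions are excluded
        return False
    return True


def triage(record, expected_principals):
    """Apply the false-positive guidance: was the deleting principal expected?"""
    if not matches_rule(record):
        return "no_match"
    if principal_arn(record) in expected_principals:
        return "expected_principal"
    return "needs_review"


def run(records, expected_principals):
    return [(r.get("eventName"), triage(r, expected_principals)) for r in records]


# Constructed sample records (not real CloudTrail data), one JSON document per line.
SAMPLE_LINES = [
    '{"eventSource":"config.amazonaws.com","eventName":"DeleteConfigurationRecorder",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"}}',
    '{"eventSource":"config.amazonaws.com","eventName":"DeleteConfigRule",'
    '"userIdentity":{"type":"AWSService","invokedBy":"securityhub.amazonaws.com"}}',
    '{"eventSource":"config.amazonaws.com","eventName":"DeleteDeliveryChannel","errorCode":"AccessDenied",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"}}',
    '{"eventSource":"config.amazonaws.com","eventName":"DeleteConformancePack",'
    '"userIdentity":{"type":"AssumedRole",'
    '"arn":"arn:aws:sts::123456789012:assumed-role/ConfigDeployRole/pipeline-42",'
    '"sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::123456789012:role/ConfigDeployRole"}}}}',
    '{"eventSource":"config.amazonaws.com","eventName":"DescribeConfigRules",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"}}',
    '{"eventSource":"iam.amazonaws.com","eventName":"DeleteRole",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"}}',
]
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_LINES]

# Hypothetical allowlist of change-managed automation roles.
APPROVED_PRINCIPALS = {"arn:aws:iam::123456789012:role/ConfigDeployRole"}

if __name__ == "__main__":
    for name, verdict in run(SAMPLE_RECORDS, APPROVED_PRINCIPALS):
        print(f"{name:32s} {verdict}")
```

Only the first and fourth records fire the rule; the fourth is then downgraded because it came from the approved deployment role, while the first (an IAM user deleting the configuration recorder) is the alert a responder should actually look at. Keying the allowlist on the session issuer role rather than on the per-session STS ARN keeps it stable across pipeline runs.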