Legitimate teardown or environment decommissioning processes may delete EFS file systems. Verify whether the calling user, role, automation system, or CI/CD workflow is expected to perform destructive actions in the affected account. File system deletions by unfamiliar identities, from unusual IP addresses, or occurring outside approved change windows should be carefully reviewed. If known automation routinely deletes ephemeral test file systems, consider adding scoped exceptions.

Sample rules

AWS EFS File System Deleted

Description

Identifies the deletion of an Amazon EFS file system using the “DeleteFileSystem” API operation. Deleting an EFS file system permanently removes all stored data and cannot be reversed. This action is rare in most environments and typically limited to controlled teardown workflows. Adversaries with sufficient permissions may delete a file system to destroy evidence, disrupt workloads, or impede recovery efforts.

Detection logic

event.dataset: "aws.cloudtrail" 
    and event.provider: "elasticfilesystem.amazonaws.com" 
    and event.action: "DeleteFileSystem" 
    and event.outcome: "success"
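As an added example (not part of the LoFP page or the Elastic rule), the detection logic above expressed against raw CloudTrail fields and run over constructed records, with the scoped exceptions the false-positive note recommends layered on top; the automation role name, trusted network range and change window are assumptions:

```python
import ipaddress
from datetime import datetime

# Constructed CloudTrail records (not real events), all from the aws.cloudtrail
# dataset. The rule's ECS fields map to the raw schema as follows:
#   eventSource -> event.provider, eventName -> event.action,
#   absence of errorCode -> event.outcome: "success"
EVENTS = [
    {"eventTime": "2024-05-03T02:15:00Z", "eventSource": "elasticfilesystem.amazonaws.com",
     "eventName": "DeleteFileSystem", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-teardown/run-42"}},
    {"eventTime": "2024-05-03T14:05:00Z", "eventSource": "elasticfilesystem.amazonaws.com",
     "eventName": "DeleteFileSystem", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"}},
    {"eventTime": "2024-05-03T14:06:00Z", "eventSource": "elasticfilesystem.amazonaws.com",
     "eventName": "DeleteFileSystem", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"}},
    {"eventTime": "2024-05-03T14:07:00Z", "eventSource": "elasticfilesystem.amazonaws.com",
     "eventName": "DescribeFileSystems", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"}},
]

# Scoped exceptions, assumed for this example: the CI teardown role, the
# network it runs from, and an approved change window (UTC hours, half-open).
KNOWN_AUTOMATION_ROLES = ("ci-teardown",)
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]
CHANGE_WINDOW_UTC = (1, 4)   # 01:00 to 04:00 UTC

def matches_rule(ev):
    """The detection logic above, evaluated on raw CloudTrail fields."""
    return (ev.get("eventSource") == "elasticfilesystem.amazonaws.com"
            and ev.get("eventName") == "DeleteFileSystem"
            and "errorCode" not in ev)          # no errorCode means success

def triage(ev):
    """Apply the false-positive guidance: 'expected' only when identity,
    source network and time all fit a scoped exception, else 'review'."""
    arn = ev["userIdentity"]["arn"]
    role = arn.split("/")[1] if ":assumed-role/" in arn else None
    ip = ipaddress.ip_address(ev["sourceIPAddress"])
    hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
    in_window = CHANGE_WINDOW_UTC[0] <= hour < CHANGE_WINDOW_UTC[1]
    if role in KNOWN_AUTOMATION_ROLES and any(ip in n for n in TRUSTED_NETWORKS) and in_window:
        return "expected"
    return "review"

def run(events):
    """Return (caller ARN, verdict) for every event that fires the rule."""
    return [(e["userIdentity"]["arn"], triage(e)) for e in events if matches_rule(e)]
```

Only successful DeleteFileSystem calls fire; the CI role deleting from its own network inside the window is marked expected, while the IAM user deleting from an external address mid-day is routed to review.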