Privileged IAM users with security responsibilities may be expected to make changes to AWS Config in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to AWS Config where they are used to automate the setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service.

Techniques

Sample rules

AWS Config Resource Deletion

Description

Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with AWS Config in order to reduce visibility into the security posture of an account and/or its workload instances; deleting the configuration recorder or delivery channel stops Config from recording or delivering anything at all.

Detection logic

event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and
    event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or
    DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or
    DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)
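The following is an added worked example, not part of the LoFP page or of the Elastic rule it quotes. It applies the rule's three match conditions (dataset, provider, action) to constructed CloudTrail events in ECS-style flattened form, then routes each match according to the false-positive guidance above: calls from allow-listed security-admin users and automation roles are suppressed but kept for audit, everything else is escalated. The principal ARN patterns, the `aws.cloudtrail.user_identity.arn` field name, the severity split and every event record are assumptions or invented placeholders, not data from the page.

```python
"""Added example (not the LoFP page's or Elastic's code): the AWS Config
deletion rule run over constructed CloudTrail events, followed by a triage
step based on the false-positive note. Events and ARN patterns are invented."""
import fnmatch
from typing import Dict, List

# event.action values copied from the rule's detection logic.
CONFIG_DELETE_ACTIONS = frozenset({
    "DeleteConfigRule", "DeleteOrganizationConfigRule",
    "DeleteConfigurationAggregator", "DeleteConfigurationRecorder",
    "DeleteConformancePack", "DeleteOrganizationConformancePack",
    "DeleteDeliveryChannel", "DeleteRemediationConfiguration",
    "DeleteRetentionConfiguration",
})

# Deleting the recorder or delivery channel blinds Config entirely, so these
# are rated higher than deleting a single rule (editor's judgement, not the rule's).
BLINDING_ACTIONS = frozenset({"DeleteConfigurationRecorder", "DeleteDeliveryChannel"})

# Assumed allow-list of principals expected to change AWS Config (placeholder
# patterns; an operator substitutes their own security-admin users and roles).
EXPECTED_PRINCIPAL_PATTERNS = (
    "arn:aws:iam::*:user/security-admin*",
    "arn:aws:sts::*:assumed-role/ConfigAutomationRole/*",
)

# Field carrying the caller ARN; assumed to follow Elastic's CloudTrail mapping.
ARN_FIELD = "aws.cloudtrail.user_identity.arn"


def matches_rule(event: Dict[str, str]) -> bool:
    """Python equivalent of the KQL: dataset AND provider AND action must match."""
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "config.amazonaws.com"
        and event.get("event.action") in CONFIG_DELETE_ACTIONS
    )


def is_expected_principal(arn: str) -> bool:
    """True when the caller ARN matches an allow-listed pattern."""
    return any(fnmatch.fnmatchcase(arn, p) for p in EXPECTED_PRINCIPAL_PATTERNS)


def severity(action: str) -> str:
    return "high" if action in BLINDING_ACTIONS else "medium"


def triage(events: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Run the rule, then bucket matches: expected principals are suppressed
    (still returned for audit), all others are escalated with a severity."""
    result: Dict[str, List[Dict[str, str]]] = {"escalate": [], "suppress": []}
    for ev in events:
        if not matches_rule(ev):
            continue
        finding = {
            "id": ev["event.id"],
            "action": ev["event.action"],
            "principal": ev.get(ARN_FIELD, "<unknown>"),  # unknown ARN never matches the allow-list
            "severity": severity(ev["event.action"]),
        }
        bucket = "suppress" if is_expected_principal(finding["principal"]) else "escalate"
        result[bucket].append(finding)
    return result


def _ev(eid: str, dataset: str, provider: str, action: str, arn: str) -> Dict[str, str]:
    return {"event.id": eid, "event.dataset": dataset, "event.provider": provider,
            "event.action": action, ARN_FIELD: arn}


# Constructed sample events (not real CloudTrail records). Account ID is a placeholder.
SAMPLE_EVENTS = [
    _ev("1", "aws.cloudtrail", "config.amazonaws.com", "DeleteConfigRule",
        "arn:aws:iam::111122223333:user/security-admin-jane"),
    _ev("2", "aws.cloudtrail", "config.amazonaws.com", "DeleteDeliveryChannel",
        "arn:aws:sts::111122223333:assumed-role/ConfigAutomationRole/terraform"),
    _ev("3", "aws.cloudtrail", "config.amazonaws.com", "DeleteConfigurationRecorder",
        "arn:aws:sts::111122223333:assumed-role/DeveloperRole/bob"),
    # Read-only Config call: provider matches but the action is not a delete.
    _ev("4", "aws.cloudtrail", "config.amazonaws.com", "DescribeConfigRules",
        "arn:aws:sts::111122223333:assumed-role/DeveloperRole/bob"),
    # Different service entirely: provider does not match.
    _ev("5", "aws.cloudtrail", "s3.amazonaws.com", "DeleteBucket",
        "arn:aws:sts::111122223333:assumed-role/DeveloperRole/bob"),
    # Root credentials are deliberately not on the allow-list.
    _ev("6", "aws.cloudtrail", "config.amazonaws.com", "DeleteRetentionConfiguration",
        "arn:aws:iam::111122223333:root"),
]

if __name__ == "__main__":
    for bucket, findings in triage(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"{bucket:8} {f['severity']:6} {f['action']:30} {f['principal']}")
```

Running the block escalates events 3 and 6 (an ordinary developer role and the account root deleting the recorder and the retention configuration) and suppresses events 1 and 2, which come from the allow-listed principals. Suppressed findings are still returned rather than dropped, since a compromised automation role is exactly the case the allow-list cannot see; the usual follow-up is to alert on suppressed matches that fall outside the automation's normal change windows.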