Skip to content
Threat Feed
medium advisory

AWS Config Resource Deletion for Defense Evasion

An adversary may delete AWS Config resources to evade detection, hide prior activity, or weaken governance controls, which reduces security visibility and auditability within an AWS environment.

AWS Config provides continuous visibility into resource configuration changes and compliance posture across an account. Attackers may attempt to delete AWS Config resources to evade detection, hide prior activity, or weaken governance controls before or after other malicious actions. This activity, if successful, significantly reduces security visibility and auditability. This behavior is uncommon outside of planned infrastructure changes and should be considered high-risk when unexpected. The rule focuses on the successful deletion of AWS Config resources. The AWS environment is a common target, as its misconfiguration or compromise can lead to widespread data breaches and system outages.

Attack Chain

  1. An attacker gains initial access to an AWS account through compromised credentials or a misconfigured IAM role.
  2. The attacker enumerates existing AWS Config resources, such as configuration recorders, delivery channels, and config rules, to identify targets for deletion.
  3. The attacker attempts to delete AWS Config resources using the AWS CLI, SDK, or management console. Specific API calls include DeleteConfigRule, DeleteDeliveryChannel, and DeleteConfigurationRecorder.
  4. The attacker modifies IAM policies to weaken restrictions around Config service actions, if necessary, to facilitate successful deletion.
  5. The attacker verifies the deletion of Config resources by checking the AWS Management Console or using the AWS CLI to confirm the absence of the targeted resources.
  6. The attacker performs other malicious actions, such as deploying unauthorized resources or exfiltrating data, while evading detection due to the disabled Config service.

Impact

Successful deletion of AWS Config resources impairs an organization's ability to monitor configuration changes, detect compliance violations, and conduct forensic investigations. This can lead to delayed detection of security incidents, increased risk of data breaches, and difficulty in maintaining regulatory compliance. The number of affected organizations is difficult to quantify, but the impact on each can be significant, potentially leading to data loss, financial penalties, and reputational damage.

Recommendation

  • Deploy the Sigma rule AWS Config Resource Deletion to detect unauthorized attempts to delete AWS Config resources using CloudTrail logs.
  • Enable AWS Config rules or Security Hub controls to alert when Config is disabled or degraded, providing an additional layer of monitoring.
  • Review IAM permissions to ensure only a minimal, well-defined set of roles can manage AWS Config.
  • Use SCPs or IAM conditions to restrict deletion of Config resources in production and security accounts, preventing unauthorized modifications.

Detection coverage 2

AWS Config Resource Deletion

medium

Detects attempts to delete AWS Config resources via CloudTrail logs.

sigma tactics: defense_evasion techniques: T1562.001, T1562.008 sources: cloudtrail, aws

AWS Config Configuration Recorder Deletion

medium

Detects attempts to delete AWS Config Configuration Recorder via CloudTrail logs.

sigma tactics: defense_evasion techniques: T1562.001, T1562.008 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →