AWS Config Resource Deletion for Defense Evasion
An adversary may delete AWS Config resources to evade detection, hide prior activity, or weaken governance controls, which reduces security visibility and auditability within an AWS environment.
AWS Config provides continuous visibility into resource configuration changes and compliance posture across an account. Attackers may attempt to delete AWS Config resources to evade detection, hide prior activity, or weaken governance controls before or after other malicious actions. This activity, if successful, significantly reduces security visibility and auditability. This behavior is uncommon outside of planned infrastructure changes and should be considered high-risk when unexpected. The rule focuses on the successful deletion of AWS Config resources. The AWS environment is a common target, as its misconfiguration or compromise can lead to widespread data breaches and system outages.
Attack Chain
- An attacker gains initial access to an AWS account through compromised credentials or a misconfigured IAM role.
- The attacker enumerates existing AWS Config resources, such as configuration recorders, delivery channels, and config rules, to identify targets for deletion.
- The attacker attempts to delete AWS Config resources using the AWS CLI, SDK, or management console. Specific API calls include
DeleteConfigRule,DeleteDeliveryChannel, andDeleteConfigurationRecorder. - The attacker modifies IAM policies to weaken restrictions around Config service actions, if necessary, to facilitate successful deletion.
- The attacker verifies the deletion of Config resources by checking the AWS Management Console or using the AWS CLI to confirm the absence of the targeted resources.
- The attacker performs other malicious actions, such as deploying unauthorized resources or exfiltrating data, while evading detection due to the disabled Config service.
Impact
Successful deletion of AWS Config resources impairs an organization's ability to monitor configuration changes, detect compliance violations, and conduct forensic investigations. This can lead to delayed detection of security incidents, increased risk of data breaches, and difficulty in maintaining regulatory compliance. The number of affected organizations is difficult to quantify, but the impact on each can be significant, potentially leading to data loss, financial penalties, and reputational damage.
Recommendation
- Deploy the Sigma rule
AWS Config Resource Deletionto detect unauthorized attempts to delete AWS Config resources using CloudTrail logs. - Enable AWS Config rules or Security Hub controls to alert when Config is disabled or degraded, providing an additional layer of monitoring.
- Review IAM permissions to ensure only a minimal, well-defined set of roles can manage AWS Config.
- Use SCPs or IAM conditions to restrict deletion of Config resources in production and security accounts, preventing unauthorized modifications.
Detection coverage 2
AWS Config Resource Deletion
mediumDetects attempts to delete AWS Config resources via CloudTrail logs.
AWS Config Configuration Recorder Deletion
mediumDetects attempts to delete AWS Config Configuration Recorder via CloudTrail logs.
Detection queries are available on the platform. Get full rules →