AWS EventBridge Rule Disabled or Deleted
Detection of Amazon EventBridge rule disabling or deletion events, which can disrupt operational workflows and security monitoring.
This detection identifies when an Amazon EventBridge rule is disabled or deleted. EventBridge rules automate operational workflows and forward security-relevant events to services like Lambda, SNS, or security tools. Disabling or deleting a rule can break integrations, suppress detections, and reduce visibility, potentially allowing adversaries to impair monitoring, delay incident response, or hide malicious activity. The actions of DeleteRule or DisableRule are monitored to identify suspicious activity related to event rules within AWS environments.
Attack Chain
- An attacker gains access to an AWS account with sufficient permissions to manage EventBridge rules, potentially through compromised credentials or an IAM role with excessive privileges.
- The attacker enumerates existing EventBridge rules to identify those that are critical for security monitoring or incident response.
- The attacker executes the
DisableRuleAPI call to temporarily stop a targeted EventBridge rule from processing events. - Alternatively, the attacker executes the
DeleteRuleAPI call to permanently remove the targeted EventBridge rule. - The CloudTrail logs record the
DisableRuleorDeleteRuleevent, including the user identity, timestamp, and affected rule details. - If the deleted or disabled rule was responsible for forwarding security events (e.g., CloudTrail findings, GuardDuty alerts) to a SIEM or other security tool, the flow of alerts is disrupted.
- The attacker leverages the gap in monitoring to perform further malicious activities within the AWS environment without immediate detection.
- The final objective is to maintain persistence, escalate privileges, or exfiltrate data without triggering alerts, taking advantage of the disabled or deleted EventBridge rule.
Impact
Disabling or deleting EventBridge rules can disrupt critical security monitoring and incident response workflows, creating blind spots in detection coverage. Depending on the affected rule, this can lead to delayed detection of security incidents, allowing attackers to perform malicious activities undetected. A successful attack could lead to data breaches, unauthorized access to resources, or other security compromises. The severity of the impact depends on the criticality of the disabled or deleted rule and the scope of its responsibilities.
Recommendation
- Deploy the Sigma rule provided to detect
DeleteRuleorDisableRuleevents within CloudTrail logs, and tune it to your environment. - Restrict
events:DisableRuleandevents:DeleteRulepermissions to a small set of administrative roles using IAM conditions to reduce the likelihood of silent impairment. - Monitor
aws.cloudtrail.user_identity.arnandaws.cloudtrail.user_identity.access_key_idto identify which principal performed the change. - Restore critical rules immediately by re-enabling disabled rules or recreating deleted rules from known-good baselines if the activity is unauthorized.
Detection coverage 2
AWS EventBridge Rule Disabled or Deleted via CloudTrail
lowDetects when an Amazon EventBridge rule is disabled or deleted via AWS CloudTrail logs.
AWS EventBridge DeleteRule with specific User Agent
mediumDetects DeleteRule events from AWS EventBridge with suspicious User Agent.
Detection queries are available on the platform. Get full rules →