AWS VPC Flow Logs Deletion
An adversary may delete flow logs in AWS EC2 using the DeleteFlowLogs API to evade defenses and hinder security monitoring, impacting incident response and log auditing capabilities.
This rule detects the deletion of VPC flow logs in Amazon Web Services Elastic Compute Cloud (EC2). Flow logs capture information about IP traffic going to and from network interfaces within a VPC, and their deletion can severely impact security monitoring and incident response. An attacker may delete these logs to cover their tracks, making it difficult to detect and investigate malicious activity. This activity is detected via the DeleteFlowLogs API action. This poses a risk to organizations relying on VPC flow logs for auditing and security analysis, hindering their ability to identify and respond to potential security incidents.
Attack Chain
- An attacker gains unauthorized access to an AWS account with sufficient privileges.
- The attacker enumerates existing VPC flow logs using AWS APIs or CLI tools.
- The attacker identifies the flow logs they want to delete to cover their tracks.
- The attacker uses the
DeleteFlowLogsAPI action to initiate the deletion of the targeted flow logs. - AWS EC2 service processes the
DeleteFlowLogsAPI request. - The targeted flow logs are permanently deleted from the configured storage location (CloudWatch Logs or S3).
- Security monitoring and alerting systems relying on flow log data are rendered ineffective for the period covered by the deleted logs.
- The attacker continues their malicious activities, now with a reduced risk of detection due to the absence of flow log data.
Impact
Successful deletion of VPC flow logs can severely impair an organization's ability to detect and respond to security incidents. The absence of flow log data hinders network traffic analysis, anomaly detection, and forensic investigations. This can lead to delayed incident response, increased dwell time for attackers, and potential data breaches. The impact is especially significant for organizations that rely heavily on VPC flow logs for compliance and security auditing. The rule is rated high severity (73) because it directly impacts an organization's visibility into its network traffic.
Recommendation
- Deploy the Sigma rule "AWS VPC Flow Logs Deletion" to your SIEM and tune for your environment to detect this activity (see rule below).
- Investigate any detected instances of
DeleteFlowLogsevents to determine if they are authorized and legitimate. - Review IAM policies to ensure the principle of least privilege is being followed, limiting the ability of users and roles to delete flow logs.
- Enable multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges.
- Monitor CloudTrail logs for other suspicious activities associated with the user account that performed the
DeleteFlowLogsaction. - Implement AWS security best practices as outlined by AWS in their knowledge center to strengthen overall security posture (references).
Detection coverage 2
AWS VPC Flow Logs Deletion
highDetects the deletion of VPC flow logs via the DeleteFlowLogs API call in AWS CloudTrail logs.
AWS VPC Flow Logs Deletion by Specific User Agent
highDetects VPC flow logs deletion using a specific user agent, potentially indicating a compromised or malicious tool.
Detection queries are available on the platform. Get full rules →