AWS Route 53 Resolver Query Log Configuration Deleted
Detection of the deletion of an Amazon Route 53 Resolver Query Log Configuration, potentially stopping DNS query and response logging for associated VPCs, which can be used by adversaries to evade detection and suppress forensic evidence.
Amazon Route 53 Resolver query logs offer crucial insights into DNS activity across VPCs, encompassing lookups from EC2 instances, containers, and Lambda functions. The deletion of a query log configuration immediately halts DNS query and response logging for the associated VPC, creating a monitoring gap. This activity is often associated with defense evasion, where attackers attempt to remove logging to obscure their actions. This detection identifies successful invocations of the DeleteResolverQueryLogConfig API call within AWS CloudTrail logs. The scope of impact can range from individual VPCs to entire AWS environments, depending on the breadth of the deleted configuration. Defenders should prioritize investigation to determine whether the deletion was authorized and to identify potential malicious activity that may have been obscured.
Attack Chain
- An attacker gains unauthorized access to an AWS account with sufficient privileges.
- The attacker uses compromised credentials or an IAM role to interact with the AWS Management Console, CLI, or SDK.
- The attacker identifies a Route 53 Resolver Query Log Configuration that is actively logging DNS queries for one or more VPCs.
- The attacker invokes the
DeleteResolverQueryLogConfigAPI call, specifying the ID of the target query log configuration. - AWS CloudTrail logs the
DeleteResolverQueryLogConfigevent with a successful outcome. - DNS query and response logging immediately ceases for the VPCs associated with the deleted configuration.
- The attacker performs malicious activities, such as DNS tunneling or command and control communication, without being logged.
- The attacker achieves their final objective, such as data exfiltration or system compromise, without detection via DNS logs.
Impact
A successful attack can lead to a significant reduction in DNS visibility across affected VPCs. Depending on the scope, this can impact a few resources or an entire AWS environment. The immediate consequence is the cessation of DNS query logging, which can obscure ongoing malicious activity, such as command-and-control communication, data exfiltration attempts, or reconnaissance efforts. The lack of DNS data hinders incident response and forensic investigations, making it difficult to identify the scope and impact of the attack.
Recommendation
- Deploy the Sigma rule
AWS Route 53 Resolver Query Log Configuration Deletedto your SIEM and tune for your environment. - Review IAM permissions and restrict the
route53resolver:DeleteResolverQueryLogConfigaction to a minimal set of privileged roles. - Enable AWS Config rules to detect and alert on missing or deleted Route 53 Resolver Query Log Configurations.
- Investigate any deletion of Resolver Query Log Configurations to determine if it was authorized and corresponds to expected operational changes.
- Monitor
aws.cloudtrail.user_identity.arnfor any unusual IAM roles or user accounts performing the deletion action as identified in the Sigma rule. - Re-create the deleted Resolver Query Log Configuration and re-associate it with the affected VPCs to restore DNS visibility immediately.
Detection coverage 2
AWS Route 53 Resolver Query Log Configuration Deleted
mediumDetects the deletion of an Amazon Route 53 Resolver Query Log Configuration.
AWS Route53 Resolver Query Log Config Deletion by Unusual User
highDetects Route53 Resolver Query Log Config Deletion by a user that doesn't usually modify Route53 Resolver resources
Detection queries are available on the platform. Get full rules →