Skip to content
Threat Feed
high advisory

AWS Backup Vault Deleted or Vault Lock Removed

An adversary is detected performing anti-recovery actions in AWS Backup by deleting backup vaults or removing their Vault Lock configurations via the DeleteBackupVault or DeleteBackupVaultLockConfiguration API calls, serving as a strong precursor to ransomware or data destruction, preventing organizations from restoring critical data.

This threat brief details the detection of critical anti-recovery actions within Amazon Web Services (AWS) Backup. Adversaries who have gained unauthorized access to an AWS environment may invoke the DeleteBackupVault or DeleteBackupVaultLockConfiguration API calls. These actions are highly impactful because they target an organization's ability to recover from data loss incidents. Removing a Vault Lock defeats the immutability policy designed to protect backups from premature deletion, while deleting an entire backup vault irrevocably destroys all contained recovery points. These activities are rarely observed in legitimate operations and serve as strong indicators of an imminent or ongoing ransomware attack, data destruction, or an attempt to cover tracks following data exfiltration. The threat specifically targets the AWS Backup service, aiming to eliminate recovery options and exacerbate the impact of malicious activity.

Attack Chain

  1. An adversary obtains valid AWS credentials (e.g., IAM user, role access key) through various initial access vectors, gaining unauthorized access to the target AWS account.
  2. The adversary enumerates AWS resources to identify critical AWS Backup vaults containing recovery points that need to be neutralized.
  3. To overcome existing immutability policies, the adversary executes the DeleteBackupVaultLockConfiguration API call to remove the governance-mode lock from a targeted backup vault.
  4. Subsequently, the adversary executes the DeleteBackupVault API call to entirely delete the identified backup vault and its associated recovery points.
  5. These API calls are specifically chosen and executed to prevent the victim organization from restoring data from backups.
  6. The ultimate objective is to inhibit system recovery, making the organization more susceptible to ransomware demands, facilitating data destruction, or covering tracks for data exfiltration.

Impact

The primary impact of successfully deleting AWS Backup vaults or removing Vault Locks is the catastrophic loss of an organization's ability to recover from data loss, ransomware attacks, or accidental deletion. This renders critical data irretrievable, leading to prolonged downtime, significant financial losses due to operational disruption and potential ransom payments, and severe reputational damage. The inability to restore from backups can force organizations to pay ransoms, rebuild systems from scratch, or permanently lose vital business data. While no specific victim counts or sectors are provided in the source, any organization leveraging AWS Backup for disaster recovery is vulnerable.

Recommendation

  • Deploy the provided Sigma rule "AWS Backup Vault Deleted or Vault Lock Removed" to your SIEM and tune it for your environment.
  • Ensure AWS CloudTrail management events for AWS Backup are enabled and ingested into your security monitoring platform to activate the rule.
  • Implement strict Identity and Access Management (IAM) policies that restrict backup:DeleteBackupVault and backup:DeleteBackupVaultLockConfiguration permissions to only highly privileged, break-glass roles.
  • Regularly audit access to AWS credentials, especially those identified in aws.cloudtrail.user_identity.arn, and review source.ip and user_agent.original for suspicious origins when this detection triggers.
  • In the event of a detection, immediately review the affected vault from aws.cloudtrail.request_parameters and determine if it contained recovery points, then secure remaining recovery points and re-apply Vault Lock if unauthorized.

Detection coverage 1

AWS Backup Vault Deleted or Vault Lock Removed

high

Detects attempts by non-service principals to delete an AWS Backup vault or remove its Vault Lock configuration, which are critical anti-recovery actions often associated with ransomware or data destruction.

sigma tactics: defense_evasion, impact techniques: T1490, T1562 sources: cloudtrail

Detection queries are available on the platform. Get full rules →