<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Backup - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-backup/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 15:54:50 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-backup/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Backup Recovery Point Deletion as Anti-Recovery Tactic</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-backup-recovery-point-deleted/</link><pubDate>Fri, 03 Jul 2026 15:54:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-backup-recovery-point-deleted/</guid><description>Adversaries are leveraging the AWS Backup `DeleteRecoveryPoint` API call by non-service principals to remove critical data backups, a high-signal anti-recovery technique observed in ransomware and data-destruction attacks that prevents victims from restoring associated data.</description><content:encoded><![CDATA[<p>Threat actors are employing a critical anti-recovery technique by deleting AWS Backup recovery points via the <code>DeleteRecoveryPoint</code> API call. This action, when performed by a non-service principal (i.e., not the AWS Backup service itself), is a strong indicator of malicious activity. AWS Backup recovery points are essential for restoring various protected resources such as EBS volumes, RDS databases, DynamoDB tables, EFS file systems, and S3 buckets. The deletion of these recovery points is a core tactic in ransomware and data-destruction campaigns, as it directly compromises an organization's ability to recover data, thereby maximizing the impact of an attack and increasing pressure on victims. Defenders should prioritize detection and response to such events, investigating the involved principal, affected recovery points, and any correlation with other destructive or evasive activities to prevent irrecoverable data loss.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access / Privilege Escalation</strong>: An attacker gains unauthorized access to an AWS account, potentially via compromised credentials, misconfigured access policies, or vulnerability exploitation, and obtains sufficient privileges to interact with AWS Backup.</li>
<li><strong>Reconnaissance</strong>: The attacker identifies critical AWS Backup recovery points and their associated vaults, determining which protected resources (e.g., EBS, RDS, S3) are most valuable to target for disruption.</li>
<li><strong>Credential Usage</strong>: Using compromised AWS credentials (e.g., an IAM user or assumed role), the attacker authenticates to the AWS environment.</li>
<li><strong>Anti-Recovery Action</strong>: The attacker invokes the <code>DeleteRecoveryPoint</code> API call, specifying the recovery points to be removed.</li>
<li><strong>Backup Deletion</strong>: The AWS Backup service processes the malicious request and permanently deletes the specified recovery points from their respective vaults.</li>
<li><strong>Impact Maximization</strong>: The successful deletion prevents the target organization from restoring backed-up data, thereby maximizing the damage from subsequent data encryption or destruction, or increasing leverage in ransomware demands.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The observed deletion of AWS Backup recovery points has severe consequences, directly eliminating an organization's ability to restore critical data from backups. This technique is specifically designed to maximize the impact of ransomware or data-destruction attacks, often leading to significant operational disruption, irreversible data loss, and substantial financial costs associated with business interruption and recovery efforts. If multiple recovery points or entire vaults are targeted, the potential for widespread data unavailability across an organization's cloud infrastructure is high, rendering recovery attempts extremely difficult without external assistance or succumbing to attacker demands.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS Backup Recovery Point Deleted&quot; in this brief to your SIEM and tune for your environment, paying close attention to <code>aws.cloudtrail.user_identity.arn</code>.</li>
<li>Ensure AWS CloudTrail management events are enabled for AWS Backup and ingested into your SIEM for comprehensive monitoring, as required by the detection rule's <code>logsource</code>.</li>
<li>Rotate or restrict credentials for any principal identified in <code>aws.cloudtrail.user_identity.arn</code> if unauthorized <code>DeleteRecoveryPoint</code> activity is suspected.</li>
<li>Implement strong IAM and SCP policies to restrict <code>backup:DeleteRecoveryPoint</code> permissions to a very small set of trusted administrators only.</li>
<li>Preserve any remaining backups and consider enabling AWS Backup Vault Lock on critical vaults to prevent future deletions, referencing the <code>https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html</code> documentation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>anti-recovery</category><category>ransomware</category><category>data-destruction</category></item><item><title>AWS Backup Vault Deleted or Vault Lock Removed</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-backup-vault-deleted-lock-removed/</link><pubDate>Fri, 03 Jul 2026 15:49:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-backup-vault-deleted-lock-removed/</guid><description>An adversary is detected performing anti-recovery actions in AWS Backup by deleting backup vaults or removing their Vault Lock configurations via the DeleteBackupVault or DeleteBackupVaultLockConfiguration API calls, serving as a strong precursor to ransomware or data destruction, preventing organizations from restoring critical data.</description><content:encoded><![CDATA[<p>This threat brief details the detection of critical anti-recovery actions within Amazon Web Services (AWS) Backup. Adversaries who have gained unauthorized access to an AWS environment may invoke the <code>DeleteBackupVault</code> or <code>DeleteBackupVaultLockConfiguration</code> API calls. These actions are highly impactful because they target an organization's ability to recover from data loss incidents. Removing a Vault Lock defeats the immutability policy designed to protect backups from premature deletion, while deleting an entire backup vault irrevocably destroys all contained recovery points. These activities are rarely observed in legitimate operations and serve as strong indicators of an imminent or ongoing ransomware attack, data destruction, or an attempt to cover tracks following data exfiltration. The threat specifically targets the AWS Backup service, aiming to eliminate recovery options and exacerbate the impact of malicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary obtains valid AWS credentials (e.g., IAM user, role access key) through various initial access vectors, gaining unauthorized access to the target AWS account.</li>
<li>The adversary enumerates AWS resources to identify critical AWS Backup vaults containing recovery points that need to be neutralized.</li>
<li>To overcome existing immutability policies, the adversary executes the <code>DeleteBackupVaultLockConfiguration</code> API call to remove the governance-mode lock from a targeted backup vault.</li>
<li>Subsequently, the adversary executes the <code>DeleteBackupVault</code> API call to entirely delete the identified backup vault and its associated recovery points.</li>
<li>These API calls are specifically chosen and executed to prevent the victim organization from restoring data from backups.</li>
<li>The ultimate objective is to inhibit system recovery, making the organization more susceptible to ransomware demands, facilitating data destruction, or covering tracks for data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of successfully deleting AWS Backup vaults or removing Vault Locks is the catastrophic loss of an organization's ability to recover from data loss, ransomware attacks, or accidental deletion. This renders critical data irretrievable, leading to prolonged downtime, significant financial losses due to operational disruption and potential ransom payments, and severe reputational damage. The inability to restore from backups can force organizations to pay ransoms, rebuild systems from scratch, or permanently lose vital business data. While no specific victim counts or sectors are provided in the source, any organization leveraging AWS Backup for disaster recovery is vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule &quot;AWS Backup Vault Deleted or Vault Lock Removed&quot; to your SIEM and tune it for your environment.</li>
<li>Ensure AWS CloudTrail management events for AWS Backup are enabled and ingested into your security monitoring platform to activate the rule.</li>
<li>Implement strict Identity and Access Management (IAM) policies that restrict <code>backup:DeleteBackupVault</code> and <code>backup:DeleteBackupVaultLockConfiguration</code> permissions to only highly privileged, break-glass roles.</li>
<li>Regularly audit access to AWS credentials, especially those identified in <code>aws.cloudtrail.user_identity.arn</code>, and review <code>source.ip</code> and <code>user_agent.original</code> for suspicious origins when this detection triggers.</li>
<li>In the event of a detection, immediately review the affected vault from <code>aws.cloudtrail.request_parameters</code> and determine if it contained recovery points, then secure remaining recovery points and re-apply Vault Lock if unauthorized.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud-security</category><category>aws</category><category>anti-recovery</category><category>defense-evasion</category><category>impact</category></item></channel></rss>