Attack Chain

1. An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a vulnerability.
2. The attacker enumerates existing AWS Config resources to identify the delivery channel and configuration recorder.
3. The attacker executes the DeleteDeliveryChannel API call to stop the delivery of configuration changes to the designated S3 bucket or SNS topic.
4. The attacker executes the StopConfigurationRecorder API call to halt the recording of configuration changes for AWS resources.
5. The attacker performs malicious actions within the AWS environment without the activity being recorded by AWS Config.
6. The attacker may attempt to delete CloudTrail logs, if they have sufficient permissions, to further cover their tracks.
7. The attacker achieves their objective, such as deploying malicious infrastructure, exfiltrating data, or disrupting services, without immediate detection.

Impact

Successful disabling of AWS Config allows attackers to operate undetected within an AWS environment. This can lead to a delayed response to security incidents, resulting in more significant data breaches, financial losses, or reputational damage. The number of affected AWS accounts and the scope of the damage depend on the attacker’s objectives and the duration of the undetected activity.

Recommendation

• Deploy the Sigma rule “AWS Config Disabling Channel/Recorder” to your SIEM and tune for your environment to detect unauthorized disabling of AWS Config resources.
• Review AWS IAM policies to ensure that only authorized personnel have the necessary permissions to modify or disable AWS Config settings.
• Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.
• Monitor CloudTrail logs for any attempts to disable or modify AWS Config resources, referencing the eventSource and eventName fields in the provided Sigma rule.