Detection rules › Panther
AWS Config Service Disabled
An AWS Config Recorder or Delivery Channel was disabled or deleted
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- Account Security Configuration Changed (Panther)
Rule body yaml
AnalysisType: rule
Filename: aws_config_service_disabled_deleted.py
RuleID: "AWS.ConfigService.DisabledDeleted"
DisplayName: "AWS Config Service Disabled"
Enabled: true
LogTypes:
- AWS.CloudTrail
Tags:
- AWS
- Security Control
- Defense Evasion:Impair Defenses
Reports:
CIS:
- 3.9
MITRE ATT&CK:
- TA0005:T1562
Severity: Medium
Description: >
An AWS Config Recorder or Delivery Channel was disabled or deleted
Runbook: >
Verify that the Config Service changes were authorized. If not, revert them and investigate who caused the change. Consider altering permissions to prevent this from happening again in the future.
Reference: https://aws.amazon.com/config/
SummaryAttributes:
- eventName
- userAgent
- sourceIpAddress
- recipientAccountId
- p_any_aws_arns
Tests:
- Name: Config Recorder Delivery Channel Created
ExpectedResult: false
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "1111:tester",
"arn": "arn:aws:sts::123456789012:assumed-role/tester",
"accountId": "123456789012",
"accessKeyId": "1",
"sessionContext":
{
"sessionIssuer":
{
"type": "Role",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:role/tester",
"accountId": "123456789012",
"userName": "tester",
},
"webIdFederationData": {},
"attributes":
{
"mfaAuthenticated": "true",
"creationDate": "2019-01-01T00:00:00Z",
},
},
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "config.amazonaws.com",
"eventName": "PutDeliveryChannel",
"awsRegion": "us-west-2",
"sourceIPAddress": "111.111.111.111",
"userAgent": "console.amazonaws.com",
"requestParameters": { "configurationRecorderName": "default" },
"responseElements": null,
"requestID": "1",
"eventID": "1",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
- Name: Config Recorder Deleted
ExpectedResult: true
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "1111:tester",
"arn": "arn:aws:sts::123456789012:assumed-role/tester",
"accountId": "123456789012",
"accessKeyId": "1",
"sessionContext":
{
"sessionIssuer":
{
"type": "Role",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:role/tester",
"accountId": "123456789012",
"userName": "tester",
},
"webIdFederationData": {},
"attributes":
{
"mfaAuthenticated": "true",
"creationDate": "2019-01-01T00:00:00Z",
},
},
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "config.amazonaws.com",
"eventName": "DeleteDeliveryChannel",
"awsRegion": "us-west-2",
"sourceIPAddress": "111.111.111.111",
"userAgent": "console.amazonaws.com",
"requestParameters": { "configurationRecorderName": "default" },
"responseElements": null,
"requestID": "1",
"eventID": "1",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
- Name: Error Deleting Config Recorder
ExpectedResult: false
Log:
{
"eventVersion": "1.05",
"errorCode": "NoSuchDeliveryChannelException",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "1111:tester",
"arn": "arn:aws:sts::123456789012:assumed-role/tester",
"accountId": "123456789012",
"accessKeyId": "1",
"sessionContext":
{
"sessionIssuer":
{
"type": "Role",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:role/tester",
"accountId": "123456789012",
"userName": "tester",
},
"webIdFederationData": {},
"attributes":
{
"mfaAuthenticated": "true",
"creationDate": "2019-01-01T00:00:00Z",
},
},
},
"eventTime": "2019-01-01T00:00:00Z",
"eventSource": "config.amazonaws.com",
"eventName": "DeleteDeliveryChannel",
"awsRegion": "us-west-2",
"sourceIPAddress": "111.111.111.111",
"userAgent": "console.amazonaws.com",
"requestParameters": { "configurationRecorderName": "default" },
"responseElements": null,
"requestID": "1",
"eventID": "1",
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
Detection logic
Condition
not (errorCode is_not_null or errorMessage is_not_null)
eventName in ["StopConfigurationRecorder", "DeleteDeliveryChannel"]
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
errorCode | is_not_null | |
errorMessage | is_not_null |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
eventName |
eventSource |
awsRegion |
recipientAccountId |
sourceIPAddress |
userAgent |
userIdentity |