AWS CloudWatch log group deleted

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a CloudWatch Log Group is deleted.

Strategy

Detect a successful @evt.name:DeleteLogGroup event.

Triage and response

  1. Ensure that the {{@requestParameters.logGroupName}} log group is not used for auditing or security purposes.
  2. If it is then:
    • Ensure that the user: {{@userIdentity.session_name}} should be making this API call to your {{env}} environment.
    • Consider adding to the allowlist the log group name: {{@requestParameters.logGroupName}} through a suppression list.
  3. If not, begin your company’s IR process and investigate.

Changelog

11 October 2022 - updated severity.