AWS CloudWatch rule disabled or deleted


Goal

Detect when a CloudWatch rule has been disabled or deleted.

Strategy

This rule lets you monitor CloudTrail and detect if a DisableRule or DeleteRule API call has occurred. An attacker may delete rules in an attempt to evade defenses.

Triage and response

  1. Determine if {{@userIdentity.arn}} should have made the {{@evt.name}} API call.
  2. If the API call was not made legitimately by the user:
     • Rotate user credentials.
     • Determine what other API calls were made by the user.
     • Enable or create a rule using the aws-cli commands enable-rule or put-rule, respectively, or reference the AWS documentation to revert the rules back to the last known good state.
  3. If the API call was made legitimately by the user:
     • Determine if the user was authorized to make that change.
     • If Yes, consider including the EventBus name in a suppression list: {{@requestParameters.eventBusName}}.
     • If No, enable or create a rule using the aws-cli commands enable-rule or put-rule, respectively, or reference the AWS documentation to revert the rules back to the last known good state.
       • Begin your company's IR process and investigate.
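The detection described under Strategy, together with the event-bus suppression list from the triage steps, as an added example in Python (not the rule's own implementation): it reads CloudTrail records, keeps only DisableRule/DeleteRule calls from the EventBridge event source, skips buses on an allow list, and surfaces the userIdentity.arn and rule name a responder needs. The sample log, account id, ARNs and rule names are constructed placeholders.

```python
import json

# CloudTrail API calls the Strategy section keys on; EventBridge (formerly
# CloudWatch Events) records them under this eventSource.
TARGET_EVENTS = {"DisableRule", "DeleteRule"}
EVENT_SOURCE = "events.amazonaws.com"

def matching_events(records, suppressed_event_buses=()):
    """One finding per DisableRule/DeleteRule record. Records whose
    requestParameters.eventBusName is on the suppression list are skipped;
    a record with no eventBusName is never suppressed, so odd shapes still surface."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != EVENT_SOURCE:
            continue  # the same API name under another service is not this rule
        if rec.get("eventName") not in TARGET_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        bus = params.get("eventBusName")
        if bus is not None and bus in suppressed_event_buses:
            continue
        findings.append({
            "event_name": rec["eventName"],
            "user_arn": (rec.get("userIdentity") or {}).get("arn"),
            "rule_name": params.get("name"),
            "event_bus": bus,
        })
    return findings

def findings_from_cloudtrail_json(text, suppressed_event_buses=()):
    """Parse a CloudTrail log file body ({"Records": [...]}) and run the check."""
    return matching_events(json.loads(text).get("Records", []), suppressed_event_buses)

# Constructed sample log (placeholder account id, ARNs and rule names, not real data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "events.amazonaws.com", "eventName": "DisableRule",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"name": "guardduty-findings", "eventBusName": "default"}},
    {"eventSource": "events.amazonaws.com", "eventName": "DeleteRule",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ci-deployer/build-42"},
     "requestParameters": {"name": "nightly-cleanup", "eventBusName": "ci-bus"}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutRule",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"name": "guardduty-findings"}},
]})

if __name__ == "__main__":
    for f in findings_from_cloudtrail_json(SAMPLE_LOG, suppressed_event_buses={"ci-bus"}):
        print(f"{f['user_arn']} made {f['event_name']} on rule {f['rule_name']} ({f['event_bus']})")
```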

Changelog

  • 4 October 2022 - Updated severity