AWS EC2 subnet deleted


Detect when an attacker is destroying an EC2 subnet.


This rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.

Triage and response

  1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.
  2. Contact the user to see if they intended to make this API call.
  3. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.


1 April 2022 - Updated rule and signal message.