AWS Config modified

cloudtrail

Classification:

compliance

Framework:

cis-aws

Control:

4.9

Goal

Detect when an attacker is trying to evade defenses by disabling or modifying AWS Config.

Strategy

This rule monitors the AWS Config API calls covered by CIS-AWS-4.9 (Ensure a log metric filter and alarm exist for AWS Config configuration changes). Disabling the configuration recorder or removing its delivery channel stops the resource-configuration history that later investigation depends on, so these calls should be rare and tied to known change windows:

Triage and response

  1. Determine whether {{@userIdentity.arn}} should have made a {{@evt.name}} call against AWS Config.
  2. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.
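The two triage steps above, worked as an added example over constructed CloudTrail records (this is not code from the original rule page). It groups AWS Config changes by the identity that made them, which is the `{{@userIdentity.arn}}` / `{{@evt.name}}` pair the signal reports, and then lists every other API call made with the same access key, which is the question in step 2. The four event names it treats as AWS Config changes are the ones in the CIS AWS Foundations Benchmark 4.9 metric filter; they come from the benchmark, not from this page, and the account IDs, ARNs and access key IDs in the sample are made up.

```python
"""Triage helper for an 'AWS Config modified' signal (added example)."""
import json
from collections import defaultdict

CONFIG_SOURCE = "config.amazonaws.com"

# Event names from the CIS AWS Foundations Benchmark 4.9 metric filter
# (taken from the benchmark, not from this rule page).
CONFIG_CHANGE_EVENTS = {
    "StopConfigurationRecorder",
    "DeleteDeliveryChannel",
    "PutDeliveryChannel",
    "PutConfigurationRecorder",
}

# Constructed sample CloudTrail log (fake account, ARNs and access keys).
# Field names follow the CloudTrail record format.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventID": "e1", "eventTime": "2024-05-01T10:00:00Z",
     "eventSource": "config.amazonaws.com",
     "eventName": "DescribeConfigurationRecorders", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                      "accessKeyId": "AKIAEXAMPLEALICE0001"}},
    {"eventID": "e2", "eventTime": "2024-05-01T10:05:00Z",
     "eventSource": "config.amazonaws.com",
     "eventName": "StopConfigurationRecorder", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                      "accessKeyId": "AKIAEXAMPLEBOB000002"}},
    {"eventID": "e3", "eventTime": "2024-05-01T10:06:00Z",
     "eventSource": "config.amazonaws.com",
     "eventName": "DeleteDeliveryChannel", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                      "accessKeyId": "AKIAEXAMPLEBOB000002"}},
    {"eventID": "e4", "eventTime": "2024-05-01T10:07:00Z",
     "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                      "accessKeyId": "AKIAEXAMPLEBOB000002"}},
    {"eventID": "e5", "eventTime": "2024-05-01T10:09:00Z",
     "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                      "accessKeyId": "AKIAEXAMPLEBOB000002"}},
    {"eventID": "e6", "eventTime": "2024-05-01T11:00:00Z",
     "eventSource": "config.amazonaws.com",
     "eventName": "PutConfigurationRecorder", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/"
                             "ConfigDeployRole/terraform",
                      "accessKeyId": "ASIAEXAMPLEDEPLOY003"}},
]})


def load_records(raw_json):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(raw_json)["Records"]


def is_config_change(record):
    """True for the AWS Config API calls this signal fires on."""
    return (record.get("eventSource") == CONFIG_SOURCE
            and record.get("eventName") in CONFIG_CHANGE_EVENTS)


def triage(records):
    """Step 1: which identity made which AWS Config change.
    Step 2: every other API call made with the same access key(s).

    Returns {arn: {"config_changes": [eventName, ...],
                   "keys": [accessKeyId, ...],
                   "other_calls": [(eventSource, eventName), ...]}}.
    Read-only lookups like DescribeConfigurationRecorders never appear.
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[r["userIdentity"].get("accessKeyId")].append(r)

    report = {}
    for r in records:
        if not is_config_change(r):
            continue
        ident = r["userIdentity"]
        entry = report.setdefault(ident["arn"], {"config_changes": [], "keys": set()})
        entry["config_changes"].append(r["eventName"])
        entry["keys"].add(ident.get("accessKeyId"))

    for entry in report.values():
        entry["keys"] = sorted(entry["keys"], key=str)
        # Same credentials, any service: the set to review before rotating.
        entry["other_calls"] = [
            (o["eventSource"], o["eventName"])
            for key in entry["keys"]
            for o in by_key[key]
            if not is_config_change(o)
        ]
    return report


if __name__ == "__main__":
    for arn, entry in triage(load_records(SAMPLE_CLOUDTRAIL)).items():
        print(arn, "->", entry["config_changes"])
        for source, name in entry["other_calls"]:
            print("   also called:", source, name)
```

In the sample, the deploy role's PutConfigurationRecorder stands alone and is the kind of change a pipeline would be expected to make; bob's StopConfigurationRecorder and DeleteDeliveryChannel are followed by an IAM CreateUser from the same key, which is the pattern step 2 is meant to surface before the key is rotated. The lookup is keyed on `accessKeyId` rather than on the ARN because a role's ARN is shared across sessions while the key identifies the specific credential to rotate.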

Changelog

  • 1 April 2022 - Updated rule and signal message.
  • 10 October 2022 - Updated severities.