---
title: AWS Config modified
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > AWS Config modified
---

# AWS Config modified
Classification:complianceTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1562-impair-defenses](https://attack.mitre.org/techniques/T1562)Framework:cis-awsControl:4.9 
## Goal{% #goal %}

Detect when an attacker is trying to evade defenses by disabling or modifying AWS Config.

## Strategy{% #strategy %}

This rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html):

- [StopConfigurationRecorder](https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html)
- [DeleteDeliveryChannel](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html)
- [PutDeliveryChannel](https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html)
- [PutConfigurationRecorder](https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html)

## Triage and response{% #triage-and-response %}

1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.
1. If the user did not make the API call:
   - Rotate the credentials.
   - Investigate if the same credentials made other unauthorized API calls.

## Changelog{% #changelog %}

- 1 April 2022 - Updated rule and signal message.
- 10 October 2022 - Updated severities.