AWS CloudWatch alarm deleted

ID: aws_cloudwatch_alarm_deleted
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected an unexpected deletion of an AWS CloudWatch alarm using the DeleteAlarms action. AWS CloudWatch is a monitoring service that allows users to retrieve statistics based on metrics they select, providing insights into their applications and resources. Adversaries may delete AWS CloudWatch alarms to conceal their activity within the AWS environment.

Impact

Unexpected deletion of AWS CloudWatch alarms can hinder the timely detection of security incidents, resource misuse, or operational issues. This increases the risk of prolonged unauthorized access, data breaches, or service disruptions going unnoticed, potentially resulting in financial and reputational damage to the organization.

Severity

Severity | Condition
Low | AWS CloudWatch alarm deleted

Investigation and Remediation

Review AWS CloudTrail logs to investigate the DeleteAlarms action, identify the AWS IAM user or role responsible, and verify whether the action was authorized. If unauthorized, rotate the AWS IAM credentials associated with the API call, and restore deleted alarms from backups or recreate them as necessary.
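
As an added example (not AlphaSOC's own code), the review step above can be scripted over exported CloudTrail records: the function below groups DeleteAlarms calls by the IAM user or role behind them and collects the alarms removed, rejected attempts, source IPs and access key IDs. The sample records, ARNs, key IDs and alarm names are constructed, and the `alarmNames` field under `requestParameters` is assumed to mirror the DeleteAlarms API parameter.

```python
from collections import defaultdict

# Constructed CloudTrail records (not real data). "alarmNames" under
# requestParameters is assumed to mirror the DeleteAlarms API parameter.
USER = "arn:aws:iam::111122223333:user/example-user"
ROLE = "arn:aws:iam::111122223333:role/example-role"
SAMPLE_RECORDS = [
    {"eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": USER, "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"alarmNames": ["example-cpu-high", "example-root-login"]}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
     "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-role/session1",
                      "accessKeyId": "ASIAEXAMPLE000000002",
                      "sessionContext": {"sessionIssuer": {"arn": ROLE}}},
     "requestParameters": {"alarmNames": ["example-billing"]}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm",
     "userIdentity": {"type": "IAMUser", "arn": USER}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": USER, "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": None},
]

def actor_of(record):
    """Return the IAM user or role to review; for assumed roles, the issuing role."""
    ident = record.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn") or ident.get("type", "unknown")

def summarize_deletions(records):
    """Group DeleteAlarms calls by actor: alarms removed, failed calls, IPs, key IDs."""
    out = defaultdict(lambda: {"alarms": set(), "failed": 0, "ips": set(), "keys": set()})
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("monitoring.amazonaws.com", "DeleteAlarms"):
            continue
        entry = out[actor_of(rec)]
        entry["ips"].add(rec.get("sourceIPAddress"))
        key_id = (rec.get("userIdentity") or {}).get("accessKeyId")
        if key_id:
            entry["keys"].add(key_id)  # credentials to rotate if the call was unauthorized
        if rec.get("errorCode"):
            entry["failed"] += 1  # the call was rejected; no alarm was removed
            continue
        entry["alarms"].update((rec.get("requestParameters") or {}).get("alarmNames", []))
    return dict(out)
```

The `alarms` set per actor is the list to restore or recreate, and a non-zero `failed` count shows deletion attempts that the caller's permissions blocked.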

Known False Positives

  • Authorized removal of outdated or redundant alarms during routine maintenance