AWS CloudWatch alarm deleted
Description
AlphaSOC detected an unexpected deletion of an AWS CloudWatch alarm using the `DeleteAlarms` action. AWS CloudWatch is a monitoring service that allows users to retrieve statistics based on metrics they select, providing insights into their applications and resources. Adversaries may delete AWS CloudWatch alarms to conceal their activity within the AWS environment.
Impact
Unexpected deletion of AWS CloudWatch alarms can hinder the timely detection of security incidents, resource misuse, or operational issues. This increases the risk of prolonged unauthorized access, data breaches, or service disruptions going unnoticed, potentially resulting in financial and reputational damage to the organization.
Severity
Severity | Condition |
---|---|
Low | AWS CloudWatch alarm deleted |
Investigation and Remediation
Review AWS CloudTrail logs to investigate the `DeleteAlarms` action, identify the AWS IAM user or role responsible, and verify whether the action was authorized. If unauthorized, rotate the AWS IAM credentials associated with the API call, and restore deleted alarms from backups or recreate them as necessary.
Known False Positives
- Authorized removal of outdated or redundant alarms during routine maintenance
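
The CloudTrail review described under Investigation and Remediation can be scripted. The following is an added example, not AlphaSOC's own code: it groups `DeleteAlarms` records by the IAM user or role behind them and skips principals on an allow-list of expected maintenance roles. The sample records, ARNs, IPs and key IDs are constructed, the `authorized` allow-list is hypothetical, and reading alarm names from `requestParameters.alarmNames` is an assumption about the record layout.

```python
import json
from collections import defaultdict

ACCT = "111122223333"  # constructed account ID
# Constructed CloudTrail records for illustration; not real account data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/build-bot",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"alarmNames": ["root-login", "billing-spike"]}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
     "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000002",
                      "arn": f"arn:aws:sts::{ACCT}:assumed-role/ops-maintenance/alice",
                      "sessionContext": {"sessionIssuer": {
                          "arn": f"arn:aws:iam::{ACCT}:role/ops-maintenance"}}},
     "requestParameters": {"alarmNames": ["old-queue-depth"]}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/build-bot",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"alarmNames": ["cpu-high"]}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "DescribeAlarms",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/build-bot"}},
]})

def principal_of(identity):
    """Return the IAM user or role behind a call (role ARN, not the session ARN)."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn") or identity.get("principalId", "unknown")

def summarize_deletions(log_text, authorized=frozenset()):
    """Group DeleteAlarms calls by principal, skipping allow-listed principals."""
    report = defaultdict(lambda: {"deleted": [], "denied": [], "ips": set(), "keys": set()})
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != ("monitoring.amazonaws.com", "DeleteAlarms"):
            continue
        identity = rec.get("userIdentity") or {}
        who = principal_of(identity)
        if who in authorized:  # expected maintenance (known false positive)
            continue
        names = (rec.get("requestParameters") or {}).get("alarmNames", [])
        report[who]["denied" if rec.get("errorCode") else "deleted"].extend(names)
        report[who]["ips"].add(rec.get("sourceIPAddress"))
        if identity.get("accessKeyId"):
            report[who]["keys"].add(identity["accessKeyId"])
    return dict(report)
```

The `keys` set lists the access key IDs to rotate if the deletion was unauthorized, and `deleted` lists the alarms to restore; `denied` holds names from calls that failed with an error code.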