Anomalous use of AWS APIs indicating modification of config monitoring
Description
AlphaSOC detected the use of PutDeliveryChannel or PutConfigurationRecorder actions indicating changes to AWS Config monitoring settings. AWS Config is a service that enables the assessment, auditing, and evaluation of AWS resource configurations. Changes to these monitoring settings could indicate an attempt to disable or alter security logging.
Impact
Modifying AWS Config monitoring reduces an organization's ability to track changes in their AWS environment, hindering detection and response to potential security threats or compliance violations. Threat actors may exploit this to conceal their malicious activity within a compromised AWS environment.
Severity
Severity | Condition |
---|---|
Informational | Unexpected action, ASN, user agent or region |
Low | Two unexpected properties at the same time |
Medium | Three unexpected properties at the same time |
Investigation and Remediation
Verify whether the changes made to AWS Config settings were authorized. Review CloudTrail logs for unusual activities, such as the creation of new access keys, changes to permissions, or other unexpected actions. If the modifications are unauthorized, revert them to restore proper monitoring.
Known False Positives
- Authorized changes by administrators during maintenance or upgrades
- Automated scripts or tools managing AWS configurations across accounts
- Initial setup or reconfiguration of AWS Config by administrators