
Suspicious use of AWS APIs indicating modification of config monitoring

ID: aws_config_monitoring_modified_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0007:T1526

Description

AlphaSOC detected the use of the PutDeliveryChannel or PutConfigurationRecorder API actions, which indicate changes to AWS Config monitoring settings. AWS Config is a service that enables the assessment, auditing, and evaluation of AWS resource configurations. Changes to these monitoring settings could indicate an attempt to disable or alter security logging.

Impact

Modifying AWS Config monitoring reduces an organization's ability to track changes in their AWS environment, hindering detection and response to potential security threats or compliance violations. Threat actors may exploit this to conceal their malicious activity within a compromised AWS environment.

Severity

Severity       Condition
Informational  Unexpected action, ASN, user agent or region
Low            Two unexpected properties at the same time
Medium         Three unexpected properties at the same time
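The following is an added example, not AlphaSOC's own detection code, showing how the description and the severity table above fit together: it filters CloudTrail records for the two AWS Config actions, counts how many of the action, ASN, user agent and region fall outside a baseline, and maps that count to the severity ladder. The baseline values, the sample records and the "asn" field (CloudTrail carries no ASN; it is assumed to be added by an IP enrichment step) are all constructed for illustration.

```python
import json

# The two AWS Config actions the rule looks for.
CONFIG_ACTIONS = {"PutDeliveryChannel", "PutConfigurationRecorder"}

# Constructed baseline of properties previously seen for this account (hypothetical values).
# CloudTrail carries no ASN; "asn" is assumed to be added by enrichment of sourceIPAddress.
BASELINE = {
    "action": {"PutDeliveryChannel", "PutConfigurationRecorder"},  # both seen during initial setup
    "asn": {"AS16509"},
    "userAgent": {"aws-cli/2.15.0 Python/3.11.6 Linux/6.5"},
    "region": {"us-east-1", "eu-west-1"},
}

# Severity ladder from the table above; a fully expected event is assumed not to alert (None).
SEVERITY_BY_COUNT = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}

def unexpected_properties(record, baseline=BASELINE):
    """Names of the properties of a Config-modification event that fall outside the baseline."""
    if record.get("eventSource") != "config.amazonaws.com" or record.get("eventName") not in CONFIG_ACTIONS:
        return []  # not one of the two actions; the rule does not apply
    observed = {"action": record.get("eventName"), "asn": record.get("asn"),
                "userAgent": record.get("userAgent"), "region": record.get("awsRegion")}
    return [name for name, value in observed.items() if value not in baseline[name]]

def classify(record, baseline=BASELINE):
    """Map the number of unexpected properties to the rule's severity (capped at Medium)."""
    unexpected = unexpected_properties(record, baseline)
    return SEVERITY_BY_COUNT[min(len(unexpected), 3)], unexpected

def scan(records, baseline=BASELINE):
    """(eventID, severity, unexpected properties) for every record that would raise an alert."""
    alerts = []
    for rec in records:
        severity, unexpected = classify(rec, baseline)
        if severity is not None:
            alerts.append((rec["eventID"], severity, unexpected))
    return alerts

# Constructed, abridged CloudTrail records; IDs and values are made up.
SAMPLE_RECORDS = json.loads("""[
 {"eventID": "e1", "eventSource": "config.amazonaws.com", "eventName": "PutDeliveryChannel",
  "awsRegion": "us-east-1", "asn": "AS16509", "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5"},
 {"eventID": "e2", "eventSource": "config.amazonaws.com", "eventName": "PutConfigurationRecorder",
  "awsRegion": "ap-southeast-2", "asn": "AS16509", "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5"},
 {"eventID": "e3", "eventSource": "config.amazonaws.com", "eventName": "PutConfigurationRecorder",
  "awsRegion": "eu-west-1", "asn": "AS64496", "userAgent": "Boto3/1.34.0"},
 {"eventID": "e4", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "awsRegion": "ap-southeast-2", "asn": "AS64496", "userAgent": "Boto3/1.34.0"}
]""")
```

Running `scan(SAMPLE_RECORDS)` alerts on e2 (one unexpected property, Informational) and e3 (two, Low), while e1 matches the baseline entirely and e4 is not a Config action.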

Investigation and Remediation

Verify whether the changes made to AWS Config settings were authorized. Review CloudTrail logs for unusual activities, such as the creation of new access keys, changes to permissions, or other unexpected actions. If the modifications are unauthorized, revert them to restore proper monitoring.

Known False Positives

  • Authorized changes by administrators during maintenance or upgrades
  • Automated scripts or tools managing AWS configurations across accounts
  • Initial setup or reconfiguration of AWS Config by administrators