Unexpected AWS API calls indicating deletion of AWS Elastic File System
ID: aws_efs_deleted_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0040:T1485
Description
AlphaSOC detected that an AWS Elastic File System was deleted using the `DeleteFileSystem` action. This operation permanently removes the file system and all its contents.
Impact
This action could indicate an attempt to destroy data, which is a tactic employed by threat actors to cause disruption. It may result in the permanent loss of critical data, disrupt business operations, and compromise data integrity.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user or role that performed the action and verify whether it was unauthorized. If unauthorized, assess the scope of data loss, initiate data recovery procedures if possible, and conduct a thorough security audit to identify any other compromised resources.
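
The CloudTrail review described above, as an added Python example (not AlphaSOC's detection logic): it builds a per-principal baseline from earlier records and grades each `DeleteFileSystem` call by how many of the four properties in the severity table are unexpected. The `asn` enrichment field, the per-ARN baseline, the cap at Medium when all four properties are unexpected, and every sample record are assumptions constructed for illustration.

```python
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}  # from the severity table
EFS = "elasticfilesystem.amazonaws.com"

def properties(event):
    """The four properties the severity table refers to."""
    return {"action": event["eventName"], "region": event.get("awsRegion"),
            "user_agent": event.get("userAgent"),
            "asn": event.get("asn")}  # assumed enrichment, not a CloudTrail field

def build_baseline(history):
    """Map principal ARN -> property name -> set of values seen before."""
    baseline = {}
    for event in history:
        seen = baseline.setdefault(event["userIdentity"].get("arn", "unknown"), {})
        for name, value in properties(event).items():
            seen.setdefault(name, set()).add(value)
    return baseline

def triage(events, baseline):
    """One finding per EFS DeleteFileSystem call with unexpected properties."""
    findings = []
    for event in events:
        if event.get("eventSource") != EFS or event.get("eventName") != "DeleteFileSystem":
            continue
        arn = event["userIdentity"].get("arn", "unknown")
        seen = baseline.get(arn, {})
        unexpected = sorted(n for n, v in properties(event).items()
                            if v not in seen.get(n, set()))
        if unexpected:
            findings.append({
                "principal": arn, "time": event["eventTime"], "unexpected": unexpected,
                "file_system": (event.get("requestParameters") or {}).get("fileSystemId"),
                # Assumption: the table stops at three, so four is capped at Medium.
                "severity": SEVERITY[min(len(unexpected), 3)]})
    return findings

def sample(name, arn, asn, agent, region, fs=None):
    """Build a constructed CloudTrail-shaped record (not real log data)."""
    return {"eventSource": EFS, "eventName": name, "eventTime": "2024-01-01T00:00:00Z",
            "awsRegion": region, "asn": asn, "userAgent": agent,
            "userIdentity": {"arn": arn}, "requestParameters": {"fileSystemId": fs}}

OPS, DEV = "arn:aws:iam::111122223333:user/ops", "arn:aws:iam::111122223333:user/dev"
HISTORY = [sample("DeleteFileSystem", OPS, 64496, "aws-cli/2.15.0", "eu-west-1", "fs-0a"),
           sample("DescribeFileSystems", DEV, 64496, "aws-cli/2.15.0", "eu-west-1")]
NEW = [sample("DeleteFileSystem", OPS, 64496, "aws-cli/2.15.0", "eu-west-1", "fs-0b"),
       sample("DeleteFileSystem", DEV, 64496, "aws-cli/2.15.0", "eu-west-1", "fs-0c"),
       sample("DeleteFileSystem", DEV, 64511, "Boto3/1.34.0", "eu-west-1", "fs-0d")]
for finding in triage(NEW, build_baseline(HISTORY)):
    print(finding)
```

The `principal`, `time` and `file_system` fields in each finding are the starting points for verifying whether the deletion was authorized and for scoping data loss.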