
AWS API calls indicating Route 53 log tampering

ID: aws_route53_evasion
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1562.008

Description

AlphaSOC detected an unexpected call to DeleteQueryLoggingConfig (Route 53, which removes query logging for a public hosted zone) or DeleteResolverQueryLogConfig (Route 53 Resolver, which removes query logging for VPC resolver traffic). Either call disables an existing Route 53 DNS query logging configuration. Adversaries delete DNS logging to evade detection and obscure follow-on activity such as DNS-based command and control or exfiltration.

Impact

Disabling Route 53 query logging impairs an organization's ability to detect and investigate DNS-based threats. Without these logs, security teams lose visibility into the DNS queries made by affected hosted zones or VPCs, so malicious domain lookups, DNS tunnelling, and beaconing from that point onward go unrecorded and cannot be reconstructed later.

Severity

Severity       Condition
Informational  One unexpected property (action, ASN, user agent, or region)
Low            Two unexpected properties at the same time
Medium         Three unexpected properties at the same time
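The following is an added example of how the detection and its severity scoring can be reproduced over CloudTrail records; it is not AlphaSOC's own code. It matches the two API calls named in the description against their CloudTrail eventSource, compares the action, ASN, user agent, and region of each call with a per-principal baseline, and assigns severity by the number of properties that fall outside that baseline. The baseline, the ASN lookup table (CloudTrail carries only sourceIPAddress, so the ASN must come from external enrichment), and the sample records are all constructed for the example; treating four simultaneously unexpected properties as Medium is an assumption, since the table above stops at three.

```python
import json
from ipaddress import ip_address, ip_network

# Route 53 query-logging deletion calls, keyed by the CloudTrail eventSource
# that records them. DeleteQueryLoggingConfig removes public hosted zone query
# logging; DeleteResolverQueryLogConfig removes VPC Resolver query logging.
LOGGING_DELETE_ACTIONS = {
    "route53.amazonaws.com": {"DeleteQueryLoggingConfig"},
    "route53resolver.amazonaws.com": {"DeleteResolverQueryLogConfig"},
}

# CloudTrail carries only sourceIPAddress; the ASN must come from an external
# enrichment source. This lookup table is constructed for the example.
ASN_TABLE = [
    (ip_network("203.0.113.0/24"), 64500),   # assumed corporate egress range
    (ip_network("198.51.100.0/24"), 64501),  # assumed unrelated hosting range
]

# Constructed per-principal baseline of previously observed properties.
BASELINE = {
    "arn:aws:iam::123456789012:user/dns-admin": {
        "actions": {"CreateQueryLoggingConfig", "DeleteQueryLoggingConfig"},
        "asns": {64500},
        "user_agents": {"aws-cli/2.15.0"},
        "regions": {"us-east-1"},
    },
}

# Severity by number of simultaneously unexpected properties, as in the table
# above. Four at once is not listed there; capping at Medium is an assumption.
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}


def lookup_asn(ip):
    addr = ip_address(ip)
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return None


def is_logging_delete(event):
    allowed = LOGGING_DELETE_ACTIONS.get(event.get("eventSource"), set())
    return event.get("eventName") in allowed


def unexpected_properties(event, baseline):
    """Names of the four scored properties that fall outside the baseline."""
    ua_product = event.get("userAgent", "").split(" ")[0]  # e.g. "aws-cli/2.15.0"
    expected = {
        "action": event.get("eventName") in baseline["actions"],
        "asn": lookup_asn(event["sourceIPAddress"]) in baseline["asns"],
        "user_agent": ua_product in baseline["user_agents"],
        "region": event.get("awsRegion") in baseline["regions"],
    }
    return [name for name, ok in expected.items() if not ok]


def evaluate(event):
    """Return an alert dict for an unexpected logging deletion, else None."""
    if not is_logging_delete(event):
        return None
    principal = event["userIdentity"]["arn"]
    baseline = BASELINE.get(principal)
    if baseline is None:
        unexpected = ["action", "asn", "user_agent", "region"]  # no history at all
    else:
        unexpected = unexpected_properties(event, baseline)
    if not unexpected:
        return None
    return {
        "principal": principal,
        "eventName": event["eventName"],
        "sourceIPAddress": event["sourceIPAddress"],
        "unexpected": unexpected,
        "severity": SEVERITY_BY_COUNT[min(len(unexpected), 3)],
    }


def run(cloudtrail_json):
    """Evaluate every record in a CloudTrail log file body ({"Records": [...]})."""
    records = json.loads(cloudtrail_json)["Records"]
    return [alert for alert in map(evaluate, records) if alert]


def _record(source, name, ip, ua, region):
    return {
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dns-admin"},
        "eventSource": source, "eventName": name, "awsRegion": region,
        "sourceIPAddress": ip, "userAgent": ua,
    }


# Constructed CloudTrail records (not real logs) in the shape of a log file body.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    _record("route53.amazonaws.com", "DeleteQueryLoggingConfig",
            "203.0.113.10", "aws-cli/2.15.0 Python/3.11.6", "us-east-1"),  # all expected
    _record("route53resolver.amazonaws.com", "DeleteResolverQueryLogConfig",
            "198.51.100.7", "aws-cli/2.15.0 Python/3.11.6", "eu-west-1"),  # action, ASN, region
    _record("route53.amazonaws.com", "DeleteQueryLoggingConfig",
            "203.0.113.10", "Boto3/1.34.0 Python/3.11.6", "us-east-1"),    # user agent only
    _record("route53.amazonaws.com", "ChangeResourceRecordSets",
            "198.51.100.7", "Boto3/1.34.0 Python/3.11.6", "us-east-1"),    # not in scope
]})

if __name__ == "__main__":
    for alert in run(SAMPLE_CLOUDTRAIL):
        print(alert["severity"], alert["eventName"], alert["unexpected"])
```

Running the block yields two alerts: a Medium for the Resolver deletion (unexpected action, ASN, and region at once) and an Informational for the hosted zone deletion made with a user agent the principal has not used before; the fully expected deletion and the unrelated record-set change produce nothing. A principal with no baseline at all is scored with every property unexpected, which is the conservative choice for a defence-evasion action.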

Investigation and Remediation

Identify the specific query logging configurations that were deleted and which hosted zones or VPCs they covered. Review the AWS CloudTrail record for each call to establish the calling principal, source IP address, user agent, and region, and whether the credentials involved are expected to manage Route 53 logging at all. Because DNS queries made after the deletion were not recorded, analyze network traffic from the affected VPCs for that window to look for suspicious DNS activity or unauthorized data transfers, and restore query logging once the change is confirmed to be unauthorized.