Suspicious AWS API calls indicating AWS Backup plan deletion
Description
AlphaSOC detected that an AWS Backup plan was deleted using the DeleteBackupPlan or DeleteBackupSelection actions. These API calls remove backup plans, or the resource selections associated with a backup plan, from AWS Backup. Threat actors may use them to prevent data recovery after an attack.
Impact
Use of these actions may indicate adversarial plans to amplify the effects of subsequent data destruction or ransomware attacks. By eliminating recovery options before launching destructive payloads, threat actors increase the extent of operational damage.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify the specific IAM user or role that performed the action and verify whether it was performed by authorized personnel or systems. If unauthorized, revoke potentially compromised credentials and conduct a thorough security assessment of the AWS environment for other signs of compromise.
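As an added example (not AlphaSOC's own code), the following Python picks AWS Backup deletion events out of a CloudTrail log and scores them against the severity ladder above. The baseline and the log records are constructed for the example, and sourceIPAddress is assumed as a stand-in for ASN, which CloudTrail records do not carry.

```python
import json

# CloudTrail eventName values covered by this detection (from the page).
BACKUP_DELETE_ACTIONS = {"DeleteBackupPlan", "DeleteBackupSelection"}

# Constructed baseline of what is routine for one account (derive a real one from
# CloudTrail history); sourceIPAddress stands in for ASN, which CloudTrail lacks.
BASELINE = {
    "principals": {"arn:aws:iam::123456789012:role/backup-admin"},
    "regions": {"us-east-1"},
    "user_agents": {"console.amazonaws.com"},
    "source_ips": {"203.0.113.10"},
}
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}  # unexpected count -> level

def unexpected_properties(record, baseline=BASELINE):
    """Names of the record's properties outside the baseline: the action (judged
    by who performed it), region, user agent and source IP."""
    arn = record.get("userIdentity", {}).get("arn")
    checks = {"action": arn in baseline["principals"],
              "region": record.get("awsRegion") in baseline["regions"],
              "user_agent": record.get("userAgent") in baseline["user_agents"],
              "source_ip": record.get("sourceIPAddress") in baseline["source_ips"]}
    return [name for name, expected in checks.items() if not expected]

def assess(record, baseline=BASELINE):
    """Rate one deletion: zero unexpected properties is routine (severity None),
    one is Informational, two Low, three or more Medium."""
    unexpected = unexpected_properties(record, baseline)
    return {"time": record.get("eventTime"), "action": record.get("eventName"),
            "principal": record.get("userIdentity", {}).get("arn"),
            "unexpected": unexpected, "severity": SEVERITY.get(min(len(unexpected), 3))}

def scan(cloudtrail_json, baseline=BASELINE):
    """Parse a CloudTrail log body and assess every AWS Backup deletion in it."""
    records = json.loads(cloudtrail_json).get("Records", [])
    return [assess(r, baseline) for r in records
            if r.get("eventSource") == "backup.amazonaws.com"
            and r.get("eventName") in BACKUP_DELETE_ACTIONS]

# Constructed sample records (not real data): a routine deletion by the backup
# role, and one by an unknown user from a new region, tool and address.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "backup.amazonaws.com",
     "eventName": "DeleteBackupSelection", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/backup-admin"}},
    {"eventTime": "2024-05-01T03:12:00Z", "eventSource": "backup.amazonaws.com",
     "eventName": "DeleteBackupPlan", "awsRegion": "eu-west-3",
     "sourceIPAddress": "198.51.100.77", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}}]})
```

Running `scan(SAMPLE_LOG)` returns one routine finding with no unexpected properties and one Medium finding with four; feed it the body of a real CloudTrail log file to triage the principal named in each result.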