Suspicious AWS API calls indicating AWS EC2 subnet deletion
Description
AlphaSOC detected that an Amazon Elastic Compute Cloud (EC2) subnet was unexpectedly deleted. Subnet deletion requires prior termination of all network interfaces and associated resources, potentially indicating a systematic removal of network infrastructure. EC2 subnets deleted by AWS services are exempt from the detection to avoid false positives.
Impact
A deleted subnet disrupts network organization and security zoning within the VPC, potentially affecting application availability if critical resources were hosted in the subnet. While subnet deletion itself does not directly cause data loss, the termination of dependent resources (e.g., EC2 instances or databases) could lead to data inaccessibility if not properly backed up. Threat actors may, in rare cases, use subnet deletion to disrupt network segmentation or force resource recreation in less secure configurations, typically requiring significant prior access to IAM credentials.
Severity
| Severity | Condition |
|---|---|
Informational | Unexpected action, ASN, user agent, or region |
Low | Two unexpected properties at the same time |
Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user, source IP, and related API calls (e.g., DeleteSubnet). Verify if the deletion was authorized and part of planned infrastructure changes. If unauthorized, recreate the subnet using prior configurations or Infrastructure-as-Code (IaC) templates (e.g., CloudFormation or Terraform). Investigate access paths used (e.g., compromised IAM roles or keys), revoke any compromised credentials, and recreate necessary network resources to restore functionality.