
Suspicious AWS API calls indicating AWS EC2 subnet deletion

ID: aws_ec2_subnet_deleted_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected that an Amazon Elastic Compute Cloud (EC2) subnet was unexpectedly deleted. Subnet deletion requires prior termination of all network interfaces and associated resources, potentially indicating a systematic removal of network infrastructure. EC2 subnets deleted by AWS services are exempt from the detection to avoid false positives.

Impact

A deleted subnet disrupts network organization and security zoning within the VPC, potentially affecting application availability if critical resources were hosted in the subnet. While subnet deletion itself does not directly cause data loss, the termination of dependent resources (e.g., EC2 instances or databases) could lead to data inaccessibility if not properly backed up. Threat actors may, in rare cases, use subnet deletion to disrupt network segmentation or force resource recreation in less secure configurations, typically requiring significant prior access to IAM credentials.

Severity

Severity | Condition
Informational | Unexpected action, ASN, user agent, or region
Low | Two unexpected properties at the same time
Medium | Three unexpected properties at the same time

Investigation and Remediation

Review AWS CloudTrail logs to identify the user, source IP, and related API calls (e.g., DeleteSubnet). Verify if the deletion was authorized and part of planned infrastructure changes. If unauthorized, recreate the subnet using prior configurations or Infrastructure-as-Code (IaC) templates (e.g., CloudFormation or Terraform). Investigate access paths used (e.g., compromised IAM roles or keys), revoke any compromised credentials, and recreate necessary network resources to restore functionality.
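The following is an added triage example, not AlphaSOC's detection code: it applies the severity table above to constructed CloudTrail DeleteSubnet records, counting which of action, ASN, user agent and region deviate from a per-principal baseline, and exempts deletions made on behalf of an AWS service. The baseline, the IP-to-ASN lookup table and the sample records are all constructed for the example; CloudTrail itself does not carry ASN data.

```python
"""Triage CloudTrail DeleteSubnet records against a per-principal baseline (added example)."""

# Constructed baseline of what this principal normally does; a real deployment learns this
# from historical CloudTrail data and resolves ASN through an IP-intelligence feed.
BASELINE = {
    "actions": {"DescribeSubnets", "CreateSubnet"},   # DeleteSubnet never seen before
    "asns": {16509},
    "user_agents": ("terraform", "aws-cli"),
    "regions": {"eu-west-1"},
}
IP_TO_ASN = {"52.94.0.10": 16509, "198.51.100.7": 64496}   # hypothetical lookup table
SEVERITY_BY_COUNT = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}

def unexpected_properties(event, baseline=BASELINE):
    """List which of action / ASN / user agent / region deviate from the baseline."""
    found = []
    if event["eventName"] not in baseline["actions"]:
        found.append("action")
    if IP_TO_ASN.get(event.get("sourceIPAddress")) not in baseline["asns"]:
        found.append("asn")
    agent = event.get("userAgent", "").lower()
    if not any(tag in agent for tag in baseline["user_agents"]):
        found.append("user_agent")
    if event.get("awsRegion") not in baseline["regions"]:
        found.append("region")
    return found

def triage(event, baseline=BASELINE):
    """Return (severity, unexpected_properties); severity is None when out of scope."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") != "DeleteSubnet":
        return None, []
    if event.get("userIdentity", {}).get("invokedBy"):   # deleted by an AWS service: exempt
        return None, []
    props = unexpected_properties(event, baseline)
    return SEVERITY_BY_COUNT[min(len(props), 3)], props   # table tops out at three properties

# Constructed sample records (abridged CloudTrail fields).
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteSubnet", "awsRegion": "eu-west-1",
     "sourceIPAddress": "52.94.0.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/netops"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteSubnet", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/netops"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteSubnet", "awsRegion": "eu-west-1",
     "sourceIPAddress": "autoscaling.amazonaws.com", "userAgent": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "autoscaling.amazonaws.com"}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["userIdentity"].get("arn", ev["userIdentity"].get("invokedBy")), triage(ev))
```

The first record scores Informational (only the action is new for this principal), the second reaches Medium (new action, ASN, user agent and region), and the third is exempt because it was invoked by an AWS service.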