AWS ECS cluster deleted

ID: aws_ecs_cluster_deleted
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0040:T1485

Description

AlphaSOC detected that an Amazon Elastic Container Service (ECS) cluster was deleted. Because deleting an ECS cluster requires deregistration of all of its container instances, a deletion can indicate systematic removal of container infrastructure. ECS clusters deleted by AWS services are excluded from this detection to avoid false positives.

Impact

Deleting an AWS ECS cluster removes critical container infrastructure, disrupting application availability and potentially causing service outages. Data loss may occur if applications store data in container ephemeral storage or non-persistent volumes, though persistent storage (e.g., EBS, EFS, or S3) remains unaffected. This action can break dependent systems and require significant effort to rebuild the cluster, reconfigure services, and redeploy tasks.

Severity

| Severity | Condition |
| --- | --- |
| Informational | AWS ECS cluster deleted |
| Low | Unexpected action, ASN, user agent, or region |

Investigation and Remediation

Review AWS CloudTrail logs to identify the user, source IP, and any related API calls. Verify if the deletion was authorized and part of planned infrastructure changes. If unauthorized, restore the cluster from backup if available, investigate access paths used, revoke compromised credentials, and re-create necessary network resources.
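
One way to carry out the CloudTrail review described above, as an added example that is not AlphaSOC's detection logic: it picks out successful `DeleteCluster` calls not made by an AWS service and lists the caller, source IP, user agent, region, and related ECS calls by the same principal. The service-caller check, the one-hour window, the list of related calls, and the sample records are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# ECS calls that commonly precede a cluster teardown (assumed list of "related" calls).
RELATED = {"DeregisterContainerInstance", "DeleteService", "StopTask", "UpdateService"}

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _by_aws_service(rec):
    # Assumption: an AWS-service caller is recognised by these userIdentity fields.
    ident = rec.get("userIdentity", {})
    return ident.get("type") == "AWSService" or "invokedBy" in ident

def triage(records, window=timedelta(hours=1)):
    """Return one finding per successful, non-service DeleteCluster call."""
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("ecs.amazonaws.com", "DeleteCluster"):
            continue
        if _by_aws_service(rec) or "errorCode" in rec:  # failed calls deleted nothing
            continue
        arn = rec.get("userIdentity", {}).get("arn")
        # Related ECS calls by the same principal in the window before the deletion.
        related = sorted({r["eventName"] for r in records
                          if r.get("eventName") in RELATED
                          and r.get("userIdentity", {}).get("arn") == arn
                          and timedelta(0) <= _ts(rec) - _ts(r) <= window})
        findings.append({
            "time": rec["eventTime"], "principal": arn,
            "cluster": (rec.get("requestParameters") or {}).get("cluster"),
            "source_ip": rec.get("sourceIPAddress"), "user_agent": rec.get("userAgent"),
            "region": rec.get("awsRegion"), "related_calls": related})
    return findings

# Constructed sample records (not real log data); account ID and names are placeholders.
_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"}
_SVC = {"type": "AWSService", "invokedBy": "batch.amazonaws.com"}
def _ev(time, name, ident=_USER, **kw):
    return {"eventTime": time, "eventSource": "ecs.amazonaws.com", "eventName": name,
            "userIdentity": ident, "sourceIPAddress": "198.51.100.7",
            "userAgent": "aws-cli/2.x", "awsRegion": "eu-west-1", **kw}
SAMPLE = [
    _ev("2024-05-01T10:01:00Z", "DeleteService"),
    _ev("2024-05-01T10:02:00Z", "DeregisterContainerInstance"),
    _ev("2024-05-01T10:05:00Z", "DeleteCluster", requestParameters={"cluster": "prod-web"}),
    _ev("2024-05-01T11:00:00Z", "DeleteCluster", _SVC, requestParameters={"cluster": "batch-managed"}),
]
if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Compare each finding's principal, source IP, user agent, and region against change records to decide whether the deletion was authorized.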