AWS ECS cluster deleted
Description
AlphaSOC detected that an Amazon Elastic Container Service (ECS) cluster was deleted. Deleting an ECS cluster requires deregistration of all container instances, potentially indicating systematic removal of container infrastructure. ECS clusters deleted by AWS services are exempt from the detection to avoid false positives.
Impact
Deleting an AWS ECS cluster removes critical container infrastructure, disrupting application availability and potentially causing service outages. Data loss may occur if applications store data in container ephemeral storage or non-persistent volumes, though persistent storage (e.g., EBS, EFS, or S3) remains unaffected. This action can break dependent systems and require significant effort to rebuild the cluster, reconfigure services, and redeploy tasks.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS ECS cluster deleted |
| Low | Unexpected action, ASN, user agent, or region |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user, source IP, and any related API calls. Verify if the deletion was authorized and part of planned infrastructure changes. If unauthorized, restore the cluster from backup if available, investigate access paths used, revoke compromised credentials, and re-create necessary network resources.
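The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it extracts the user, source IP, user agent, and region from each `DeleteCluster` event, skips calls made by or on behalf of an AWS service, and lists the caller's earlier ECS calls. The sample records, the 30-minute window, the `RELATED` list, and the exemption rule in `is_aws_service` are assumptions.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail records for illustration; not real account data.
def _ev(time, name, arn, ip, agent, invoked_by=None):
    ident = ({"type": "AssumedRole", "arn": arn, "invokedBy": invoked_by}
             if invoked_by else {"type": "IAMUser", "arn": arn})
    return {"eventTime": time, "eventSource": "ecs.amazonaws.com", "eventName": name,
            "awsRegion": "eu-west-1", "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": ident, "requestParameters": {"cluster": "example-cluster"}}

USER = "arn:aws:iam::111122223333:user/example-user"
ROLE = "arn:aws:sts::111122223333:assumed-role/example-cfn-role/session"
CFN = "cloudformation.amazonaws.com"
EVENTS = [
    _ev("2024-05-01T10:02:11Z", "DeregisterContainerInstance", USER, "203.0.113.10", "aws-cli/2.15.0"),
    _ev("2024-05-01T10:05:40Z", "DeleteCluster", USER, "203.0.113.10", "aws-cli/2.15.0"),
    _ev("2024-05-01T11:00:00Z", "DeleteCluster", ROLE, CFN, CFN, invoked_by=CFN),
]

# ECS calls that commonly precede a cluster deletion (assumed list, extend as needed).
RELATED = {"DeregisterContainerInstance", "DeleteService", "UpdateService", "StopTask"}

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def is_aws_service(ev):
    # Assumed exemption rule: the call was made by, or on behalf of, an AWS service.
    ident = ev.get("userIdentity", {})
    return ident.get("type") == "AWSService" or (ident.get("invokedBy") or "").endswith(".amazonaws.com")

def triage(events, window=timedelta(minutes=30)):
    """Return one finding per non-service DeleteCluster, with the caller's earlier ECS calls."""
    findings = []
    for ev in events:
        is_delete = (ev.get("eventSource"), ev.get("eventName")) == ("ecs.amazonaws.com", "DeleteCluster")
        if not is_delete or is_aws_service(ev):
            continue
        arn = ev["userIdentity"].get("arn")
        related = sorted({e["eventName"] for e in events
                          if e.get("eventSource") == "ecs.amazonaws.com" and e.get("eventName") in RELATED
                          and e.get("userIdentity", {}).get("arn") == arn
                          and timedelta(0) <= _ts(ev) - _ts(e) <= window})
        findings.append({"time": ev["eventTime"], "principal": arn,
                         "source_ip": ev["sourceIPAddress"], "user_agent": ev["userAgent"],
                         "region": ev["awsRegion"], "cluster": ev["requestParameters"]["cluster"],
                         "related_calls": related})
    return findings

if __name__ == "__main__":
    print(*triage(EVENTS), sep="\n")
```

Compare each finding's principal, source IP, user agent, and region against what is normal for the account before deciding whether the deletion was authorized.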