Anomalous number of AWS Lambda functions deleted
Goal
Detects anomalous deletion of AWS Lambda functions. This rule identifies when a user or role deletes an unusual number of Lambda functions within a short time period.
Strategy
This rule monitors AWS CloudTrail logs for DeleteFunction20150331 events. The detection uses anomaly detection to establish a baseline of normal deletion patterns over a 24-hour learning period and identifies deviations from this baseline. Lambda functions often contain critical business logic, and their deletion can disrupt services or remove security controls.
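The following is an added illustration of the strategy above, written for this page and not the rule's own implementation: it filters CloudTrail records to DeleteFunction20150331, learns a per-identity baseline from the first 24 hours, and flags identities whose deletions inside a sliding window exceed that baseline. The 10-minute window, the factor of 3 and the sample records are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def parse_records(lines):
    """Return sorted (time, identity arn, function name) for Lambda deletions only."""
    out = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if rec.get("eventName") != "DeleteFunction20150331":
            continue
        t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((t, rec["userIdentity"]["arn"], rec["requestParameters"]["functionName"]))
    return sorted(out)

def max_deletions_in_window(times, window):
    """Largest number of deletions by one identity inside any sliding window."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_anomalies(lines, window=timedelta(minutes=10), learning=timedelta(hours=24), factor=3):
    """Map identity arn -> (observed, baseline) for identities exceeding factor * baseline."""
    events = parse_records(lines)
    if not events:
        return {}
    cutoff = events[0][0] + learning          # first 24 hours form the learning period
    learn, detect = defaultdict(list), defaultdict(list)
    for t, arn, _ in events:
        (learn if t < cutoff else detect)[arn].append(t)
    flagged = {}
    for arn, times in detect.items():
        base = max(1, max_deletions_in_window(learn.get(arn, []), window))  # assumed floor of 1
        observed = max_deletions_in_window(times, window)
        if observed > factor * base:
            flagged[arn] = (observed, base)
    return flagged

def _rec(time, arn, name, event="DeleteFunction20150331"):
    """Build a constructed CloudTrail-shaped record (sample data, not a real trail)."""
    return json.dumps({"eventTime": time, "eventSource": "lambda.amazonaws.com", "eventName": event,
                       "userIdentity": {"arn": arn}, "requestParameters": {"functionName": name}})

DEPLOY = "arn:aws:iam::123456789012:role/deploy-role"   # constructed identity
ALICE = "arn:aws:iam::123456789012:user/alice"          # constructed identity
SAMPLE_LOG = [
    _rec("2024-05-01T09:00:00Z", DEPLOY, "old-cron"),                             # learning: one deletion
    _rec("2024-05-01T09:05:00Z", DEPLOY, "new-cron", "CreateFunction20150331"),   # not a deletion, ignored
    _rec("2024-05-02T10:00:00Z", ALICE, "scratch-fn"),                            # detection: single deletion
    _rec("2024-05-02T14:00:00Z", DEPLOY, "auth-webhook"),                         # detection: burst of five
    _rec("2024-05-02T14:00:30Z", DEPLOY, "audit-forwarder"),
    _rec("2024-05-02T14:01:00Z", DEPLOY, "waf-updater"),
    _rec("2024-05-02T14:02:00Z", DEPLOY, "billing-export"),
    _rec("2024-05-02T14:03:00Z", DEPLOY, "guardduty-notifier"),
]
```

Running `flag_anomalies(SAMPLE_LOG)` flags only the deploy role, whose five deletions in three minutes exceed its learned baseline of one per window, while the single deletion by alice stays below the threshold.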
Triage & Response
- Review the @userIdentity.arn to identify the account or role that performed the deletions.
- Check the @requestParameters.functionName to determine which specific Lambda functions were deleted.
- Verify if the deleted functions were part of a planned decommissioning or migration effort.
- Examine the CloudTrail logs for additional suspicious activity from the same identity around the time of the deletions.
- Review AWS CloudWatch logs for the deleted functions to check for any unusual activity prior to deletion.
- Check if the identity has the necessary permissions to perform these deletions through IAM policies.
- Restore the deleted functions from backups if available and implement stricter access controls for Lambda function deletion.