AWS CloudWatch rule disabled or deleted


Goal

Detect when a CloudWatch rule has been disabled or deleted.

Strategy

This rule lets you monitor CloudTrail and detect if a DisableRule or DeleteRule API call has occurred. An attacker may delete rules in an attempt to evade defenses.
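As an added example, not part of this rule or Datadog's own detection code, the logic described above applied to a few constructed CloudTrail records (sample data, not real log output), with the EventBus suppression list from the triage steps:

```python
import json

# Constructed sample CloudTrail records for illustration only (not real log data).
# Field names follow CloudTrail's convention: eventSource, eventName,
# userIdentity.arn and requestParameters.{name,eventBusName}.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "events.amazonaws.com", "eventName": "DisableRule",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "guardduty-findings", "eventBusName": "default"}},
    {"eventSource": "events.amazonaws.com", "eventName": "DeleteRule",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-deployer"},
     "requestParameters": {"name": "old-nightly-job", "eventBusName": "build-bus"}},
    {"eventSource": "events.amazonaws.com", "eventName": "PutRule",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "guardduty-findings"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "example-bucket"}},
]})

# The two API calls this rule watches for.
WATCHED_EVENTS = {"DisableRule", "DeleteRule"}


def find_rule_tampering(trail_json, suppressed_event_buses=()):
    """Return one finding per DisableRule/DeleteRule call made through the
    EventBridge API, skipping calls against event buses on the suppression list."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "events.amazonaws.com":
            continue
        if rec.get("eventName") not in WATCHED_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        # eventBusName is optional in the API; when absent the call targets "default".
        bus = params.get("eventBusName", "default")
        if bus in suppressed_event_buses:
            continue
        findings.append({
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "rule": params.get("name", "<unknown>"),
            "event_bus": bus,
        })
    return findings
```

Each finding carries the actor ARN, the rule name and the event bus, which are the three values the triage steps ask you to review.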

Triage and response

  1. Determine if {{@userIdentity.arn}} should have made the {{@evt.name}} API call.
  2. If the API call was not made legitimately by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Enable or create a rule using the aws-cli commands enable-rule or put-rule, respectively, or reference the AWS documentation to revert the rules back to the last known good state.
  3. If the API call was made legitimately by the user:
  • Determine if the user was authorized to make that change.
  • If Yes, consider including the EventBus name in a suppression list: {{@requestParameters.eventBusName}}.
  • If No, enable or create a rule using the aws-cli commands enable-rule or put-rule, respectively, or reference the AWS documentation to revert the rules back to the last known good state.
    • Begin your company's IR process and investigate.

Changelog

  • 4 October 2022 - Updated severity