Detection: Config Rule Deleted

Overview

Detect when an AWS Config rule was deleted. Deleting a Config rule disrupts compliance monitoring, potentially leaving non-compliant resources undetected and increasing security and operational risks. Monitoring rule deletions ensures continuous evaluation of resource compliance and maintains a secure cloud environment.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_cloudtrail_log_detections.detection.config_rule_deleted

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.config_rule_deleted --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
string_split(event_source, '.')[1] || ':' || event_name as operation,
request_parameters ->> 'configRuleName' as resource,
user_identity.arn as actor,
tp_source_ip as source_ip,
tp_index as account_id,
aws_region as region,
tp_id as source_id,
*

from
  aws_cloudtrail_log
where
  event_source = 'config.amazonaws.com'
  and event_name = 'DeleteConfigRule'
  and error_code is null

order by
  event_time desc;

Detection: Config Rule Deleted

Overview

Usage

SQL

Tags