AWS Configuration Recorder Stopped

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS Configuration Recorder Stopped

Identifies when an AWS Config configuration recorder is stopped. AWS Config recorders continuously track and record configuration changes across supported AWS resources. Stopping the recorder immediately reduces visibility into infrastructure changes and can be abused by adversaries to evade detection, obscure follow-on activity, or weaken compliance and security monitoring controls.

Rule type: query

Rule indices:

filebeat-*
logs-aws.cloudtrail-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Config
Tactic: Defense Evasion
Resources: Investigation Guide

Version: 210

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating AWS Configuration Recorder Stopped

AWS Config provides continuous visibility into resource configuration changes and underpins many security, compliance, and audit workflows. Stopping the configuration recorder prevents new changes from being captured and can create blind spots in detection and forensic timelines.

This behavior is uncommon in steady-state production environments and should be carefully reviewed, especially when performed outside approved maintenance windows or by unexpected principals.

Possible investigation steps

Identify the actor - Review aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id to determine who initiated the StopConfigurationRecorder action. Confirm whether this principal typically administers AWS Config or performs security and compliance operations.

Examine the request context - Review user_agent.original to determine whether the request originated from the AWS Console, CLI, SDK, or automation tooling. - Inspect source.ip and any available geo context to assess whether the request originated from an expected network or region.

Determine scope and impact - Identify which configuration recorder was stopped and which regions or resources were affected. - Determine how long the recorder remained disabled and whether any configuration changes occurred during that window. - Assess whether AWS Config rules, Security Hub controls, or downstream monitoring systems were impacted.

Correlate with related activity - Look for surrounding CloudTrail activity from the same principal, including: - Deletion or modification of Config rules, delivery channels, or conformance packs. - IAM changes, credential activity, or other security control modifications. - Check for signs of follow-on activity that may have relied on reduced visibility, such as resource creation, policy changes, or network reconfiguration.

Validate intent - Confirm with the platform, security, or compliance teams whether the recorder stoppage was intentional and approved. - Compare the timing against change management records, infrastructure deployments, or account bootstrapping workflows.

False positive analysis

Planned maintenance or controlled configuration changes may require temporarily stopping the recorder.
Automated account provisioning, teardown, or remediation tooling may stop and restart the recorder as part of normal workflows.

Response and remediation

Immediately restart the AWS Config recorder to restore configuration visibility.
Review CloudTrail logs for activity that occurred while the recorder was stopped and assess potential security or compliance impact.
If the action was unauthorized, rotate or disable credentials associated with the initiating principal and investigate for compromise.
Review IAM permissions to ensure only a minimal set of trusted roles can stop or modify AWS Config components.
Implement guardrails such as AWS Config rules, SCPs, or automated remediation to detect and respond to recorder stoppage.
Update monitoring, alerting, and incident response runbooks to explicitly cover AWS Config visibility loss scenarios.

Additional information

Rule query

edit

event.dataset: aws.cloudtrail
    and event.provider: config.amazonaws.com
    and event.action: StopConfigurationRecorder
    and event.outcome: success

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
Sub-technique:
- Name: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/
Sub-technique:
- Name: Disable or Modify Cloud Logs
- ID: T1562.008
- Reference URL: https://attack.mitre.org/techniques/T1562/008/

« AWS Config Resource Deletion AWS Route 53 Resolver Query Log Configuration Deleted »