AWS Lambda Function Deletion
editAWS Lambda Function Deletion
editIdentifies the deletion of an AWS Lambda function. Deleting a function removes its code, configuration, versions, and aliases. Adversaries may delete functions to disrupt business operations and automated workflows, to destroy attacker-deployed backdoors and remove evidence after achieving their objective, or to inhibit incident response. Because function deletion is destructive and often irreversible without redeployment, deletions performed by unexpected principals or outside change windows should be reviewed.
Rule type: query
Rule indices:
- logs-aws.cloudtrail-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS Lambda
- Use Case: Threat Detection
- Tactic: Impact
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Investigating AWS Lambda Function Deletion
Deleting an AWS Lambda function removes its code, configuration, published versions, and aliases. This can be a destructive action that disrupts serverless workloads and automation, or a cleanup step an adversary uses to remove a backdoor function and erase evidence after their objective is met.
This rule detects successful DeleteFunction calls. Investigate whether the principal and the deleted function are expected, and whether the deletion correlates with other suspicious activity.
Possible investigation steps
-
Identify the actor in
aws.cloudtrail.user_identity.arnandaws.cloudtrail.user_identity.type, and reviewsource.ipanduser_agent.originalto determine how the deletion was performed (console, CLI, SDK, automation). -
Inspect
aws.cloudtrail.request_parametersfor thefunctionNameand map it to its application, owner, and environment (prod, staging, dev). -
Determine whether the deletion aligns with an approved change, decommissioning, or infrastructure-as-code destroy operation by comparing
@timestampagainst deployment and change-management records. -
Correlate with recent activity by the same principal or access key, such as
CreateFunction,UpdateFunctionCode,AddPermission,CreateEventSourceMapping, log-group deletions, or other destructive or evasive actions. - Verify whether multiple functions were deleted in a short window, which may indicate broad disruption rather than a single planned change.
False positive analysis
-
Function deletions are common during decommissioning and infrastructure-as-code apply/destroy cycles. Deletions by approved deployment roles, CI/CD pipelines, or platform automation are expected. Tune on
aws.cloudtrail.user_identity.arn,user_agent.original, or known automation roles after validation.
Response and remediation
- If the deletion is unauthorized, restore the function from source control or an infrastructure-as-code definition and confirm its code, configuration, and execution role match a known-good state.
- Review CloudTrail for related destructive or evasive actions by the same actor and assess operational impact.
-
Rotate or restrict credentials for the principal if compromise is suspected, and constrain
lambda:DeleteFunctionto a small set of trusted roles.
Additional information
Rule query
editdata_stream.dataset: "aws.cloudtrail"
and event.provider: "lambda.amazonaws.com"
and event.action: (DeleteFunction or DeleteFunction20*)
and event.outcome: "success"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
-
Technique:
- Name: Data Destruction
- ID: T1485
- Reference URL: https://attack.mitre.org/techniques/T1485/
-
Technique:
- Name: Service Stop
- ID: T1489
- Reference URL: https://attack.mitre.org/techniques/T1489/