DeleteAlarms
AWS
DeleteAlarms
Event
Deletes one or more CloudWatch alarms, removing their monitoring configurations and associated notifications.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
Log Source
CloudTrail
Sample Event
Adversarial. Draco deletes the CloudWatch alarms that monitor PHOENIX (the security/IR account) — specifically the alarms that fire on root login, IAM policy changes, and console-MFA-failure spikes — to silence the alerting fabric before he stages further activity. Targeting these alarm names is the textbook T1685 defense-impairment pattern.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:33:21Z", "eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "alarmNames": [ "phoenix-root-login-detected", "phoenix-iam-policy-change", "phoenix-console-mfa-failure-spike" ] }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000011001100", "eventID": "90000000-0000-4000-8000-000011001101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "monitoring.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...