Skip to content

DeleteConfigRule

AWS

DeleteConfigRule

service: AWS - Config
techniques:

Event

Deletes an AWS Config rule that was evaluating the compliance of AWS resource configurations.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.

Log Source

CloudTrail

Sample Event

Adversarial. Draco removes the Config rule that monitors for s3-bucket-public-read-prohibited so subsequent public-ACL changes on the NIFFLER bucket pass without compliance signal. This is part of the T1685 sequence; usually paired with DeleteConfigurationRecorder and DeleteDeliveryChannel in shotgun-style cleanup.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:41:18Z",
"eventSource": "config.amazonaws.com",
"eventName": "DeleteConfigRule",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"configRuleName": "s3-bucket-public-read-prohibited"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000011010010",
"eventID": "90000000-0000-4000-8000-000011010011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "config.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...