Skip to content

DeleteFlowLogs

AWS

DeleteFlowLogs

service: AWS - EC2
techniques:

Event

Deletes VPC Flow Log configurations, stopping the capture of network traffic metadata for the specified resources.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Modifications to logging and monitoring infrastructure can create blind spots that allow adversary activity to go undetected.

Log Source

CloudTrail

Sample Event

Adversarial. Draco deletes the VPC flow log shipping vpc-0fantastic000001 traffic to PHOENIX before he stages any lateral movement — without flow logs, his EC2 instance metadata pivots and S3-VPC-endpoint exfil leave no network trace. T1685.002.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T19:09:51Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "DeleteFlowLogs",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"DeleteFlowLogsRequest": {
"FlowLogId": {
"tag": 1,
"content": "fl-0fantastic0vpcflo01"
}
}
},
"responseElements": {
"DeleteFlowLogsResponse": {
"xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/",
"unsuccessful": ""
}
},
"requestID": "90000000-0000-4000-8000-000011100010",
"eventID": "90000000-0000-4000-8000-000011100011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...