Skip to content

StopConfigurationRecorder

AWS

StopConfigurationRecorder

service: AWS - Config
techniques:

Event

Stops AWS Config from recording resource configuration changes in the region.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.

Log Source

CloudTrail

Sample Event

Adversarial. Draco stops the default Config recorder default in us-east-1. With Config no longer recording, his subsequent persistence and resource-creation activity won’t surface in the configuration timeline — useful for evading detections that compare drift over time. T1685. Pairs naturally with the StopLogging (CloudTrail) and UpdateDetector (GuardDuty) drafts in this shard.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:02:14Z",
"eventSource": "config.amazonaws.com",
"eventName": "StopConfigurationRecorder",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"configurationRecorderName": "default"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000110111000",
"eventID": "90000000-0000-4000-8000-000110111001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "config.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...