StopConfigurationRecorder
AWS
StopConfigurationRecorder
Event
Stops AWS Config from recording resource configuration changes in the region.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
Log Source
CloudTrail
Sample Event
Adversarial. Draco stops the default Config recorder default in us-east-1. With Config no longer recording, his subsequent persistence and resource-creation activity won’t surface in the configuration timeline — useful for evading detections that compare drift over time. T1685. Pairs naturally with the StopLogging (CloudTrail) and UpdateDetector (GuardDuty) drafts in this shard.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T21:02:14Z", "eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "configurationRecorderName": "default" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000110111000", "eventID": "90000000-0000-4000-8000-000110111001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "config.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...