AWS Config Service Disabled

Panther Rules

Summary
This detection rule monitors events related to the AWS Config Service, specifically focusing on cases where the Config Recorder or Delivery Channel is disabled or deleted. It provides insights into potential unauthorized changes to the AWS Config settings, which can be critical in ensuring compliance and maintaining audit trails in AWS environments. The rule utilizes AWS CloudTrail logs to capture events including `PutDeliveryChannel`, which signifies the creation of a delivery channel, and `DeleteDeliveryChannel`, indicating deletion events. With a medium severity rating, it emphasizes the importance of tracking these modifications as part of broader security compliance and defense mechanisms. The runbook suggests that verified changes should be assessed for authorization and compliance, and recommends adjustments to permissions if unauthorized activity is detected. This rule aligns with the CIS benchmark and is referenced within the MITRE ATT&CK framework under tactics related to impairing defenses.
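The logic this summary describes, as an added example rather than Panther's rule source, run over constructed CloudTrail records. The recorder event names (`StopConfigurationRecorder`, `DeleteConfigurationRecorder`), the `errorCode` filter and all function names are assumptions that do not appear on this page.

```python
# Added example, not Panther's rule source. Field names follow the CloudTrail
# record format; recorder event names are assumed from the AWS Config API.
CONFIG_SOURCE = "config.amazonaws.com"
DISABLING = {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
             "DeleteDeliveryChannel"}
CHANGING = {"PutDeliveryChannel"}  # named on the page: creates or replaces a channel

def classify(event):
    """Return 'disabled', 'changed' or None for one CloudTrail record."""
    if event.get("eventSource") != CONFIG_SOURCE:
        return None
    if event.get("errorCode"):  # assumption: a denied or failed call changed nothing
        return None
    name = event.get("eventName")
    if name in DISABLING:
        return "disabled"
    if name in CHANGING:
        return "changed"
    return None

def alert_title(event):
    """One-line context for the analyst who has to verify authorization."""
    actor = event.get("userIdentity", {}).get("arn", "<unknown principal>")
    region = event.get("awsRegion", "<unknown region>")
    return f"{event['eventName']} by {actor} in {region}"

def triage(events):
    """Return (classification, title) for every record that should alert."""
    return [(classify(e), alert_title(e)) for e in events if classify(e)]

def _record(source, name, user, error=None):
    """Build a constructed CloudTrail record for the sample below."""
    rec = {"eventSource": source, "eventName": name, "awsRegion": "us-east-1",
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample records, not taken from a real trail.
SAMPLE_EVENTS = [
    _record(CONFIG_SOURCE, "StopConfigurationRecorder", "constructed-admin"),
    _record(CONFIG_SOURCE, "DeleteDeliveryChannel", "constructed-dev", "AccessDenied"),
    _record(CONFIG_SOURCE, "PutDeliveryChannel", "constructed-admin"),
    _record(CONFIG_SOURCE, "DescribeDeliveryChannels", "constructed-auditor"),
    _record("s3.amazonaws.com", "DeleteBucket", "constructed-dev"),
]

if __name__ == "__main__":
    for kind, title in triage(SAMPLE_EVENTS):
        print(f"[{kind}] {title}")
```
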
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1562
Created: 2022-09-02