Summary
The AWS.CloudTrail.SecurityConfigurationChange rule detects changes to account-wide security configurations based on AWS CloudTrail logs. When a relevant security configuration change event is logged, such as the deletion of a CloudTrail trail or any other significant adjustment to AWS security settings, the rule triggers an alert. The primary response action is to verify whether the change was planned; if it was not, revert the change and update access control policies to prevent future unapproved modifications. This rule is crucial to maintaining a secure AWS environment by ensuring that any configuration changes are duly authorized and comply with security policies.
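The detection described above, as an added, illustrative example rather than the rule's own implementation: it walks CloudTrail records, flags successful calls that alter account-wide security settings, and suppresses matches that a change-management record has marked as planned. The page names only the deletion of a trail as a triggering event; the other event names in `SECURITY_CONFIG_EVENTS` (StopLogging, UpdateTrail, and the AWS Config, GuardDuty and Security Hub calls) are assumed additions, and the sample log, account IDs, ARNs and IP addresses are constructed placeholders.

```python
"""Flag account-wide security configuration changes in CloudTrail records.

Added example for this page; not the rule's own code. The event-name list
beyond DeleteTrail is an assumption about what counts as a "significant
adjustment to AWS security settings".
"""
import json
from typing import Iterable

# eventSource -> eventNames treated as security-configuration changes.
# DeleteTrail is the page's example; the rest are assumed additions.
SECURITY_CONFIG_EVENTS = {
    "cloudtrail.amazonaws.com": {"DeleteTrail", "StopLogging", "UpdateTrail"},
    "config.amazonaws.com": {"DeleteConfigurationRecorder", "StopConfigurationRecorder"},
    "guardduty.amazonaws.com": {"DeleteDetector"},
    "securityhub.amazonaws.com": {"DisableSecurityHub"},
}


def is_security_config_change(record: dict) -> bool:
    """True when a record is a *successful* tracked security-config call.

    A denied attempt carries an errorCode and did not change anything, so it
    is left to a separate "failed privileged call" rule rather than this one.
    """
    if record.get("errorCode"):
        return False
    names = SECURITY_CONFIG_EVENTS.get(record.get("eventSource", ""), set())
    return record.get("eventName") in names


def actor(record: dict) -> str:
    """Identity string for the alert: the ARN if present, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def detect(records: Iterable[dict], approved: frozenset = frozenset()) -> list[dict]:
    """Run the rule over records and return one alert per unapproved match.

    `approved` models the "was the change planned?" check as a set of
    (actor ARN, eventName) pairs taken from a change ticket; matching events
    are treated as authorized and produce no alert.
    """
    alerts = []
    for rec in records:
        if not is_security_config_change(rec):
            continue
        who = actor(rec)
        if (who, rec["eventName"]) in approved:
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "event": f"{rec['eventSource']}:{rec['eventName']}",
            "actor": who,
            "source_ip": rec.get("sourceIPAddress"),
            "account": rec.get("recipientAccountId"),
            "params": rec.get("requestParameters") or {},
        })
    return alerts


# Constructed sample log in the CloudTrail record shape; every value below is
# a placeholder, not a real observation.
ADMIN_ARN = "arn:aws:iam::111122223333:user/example-admin"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2022-09-02T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "203.0.113.10",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "arn": ADMIN_ARN},
     "requestParameters": {"name": "org-trail"}},
    # Denied attempt: must not alert, nothing changed.
    {"eventTime": "2022-09-02T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "recipientAccountId": "111122223333", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": ADMIN_ARN},
     "requestParameters": {"name": "org-trail"}},
    # Read-only call on a tracked service: must not alert.
    {"eventTime": "2022-09-02T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "LookupEvents", "sourceIPAddress": "203.0.113.10",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "arn": ADMIN_ARN}},
    {"eventTime": "2022-09-02T10:03:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "DeleteDetector", "sourceIPAddress": "198.51.100.7",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-role/session"},
     "requestParameters": {"detectorId": "example-detector-id"}},
]})


def run_on_sample(approved: frozenset = frozenset()) -> list[dict]:
    """Parse the constructed log and run the detection over it."""
    return detect(json.loads(SAMPLE_LOG)["Records"], approved)


if __name__ == "__main__":
    for alert in run_on_sample():
        print(f"{alert['time']} {alert['event']} by {alert['actor']} "
              f"from {alert['source_ip']} params={alert['params']}")
```

Run as-is, the block reports the successful DeleteTrail and DeleteDetector calls and stays silent on the denied StopLogging and the read-only LookupEvents. Passing `frozenset({(ADMIN_ARN, "DeleteTrail")})` as `approved` models a trail deletion that was ticketed in advance and leaves only the GuardDuty detector deletion to investigate and revert.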
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Cloud Storage
- Application Log
ATT&CK Techniques
- T1562
Created: 2022-09-02