Quick Start Security for Amazon CloudWatch
Coralogix Extension For Amazon CloudWatch Includes:
Alerts - 6
Stay on top of Amazon CloudWatch key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
A Log Stream has been deleted
A log stream is a sequence of log events that share the same source. Any deletion of a log stream should be validated.
Impact: An attacker can delete a log stream as an evasion technique, to hide malicious actions they have carried out.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if not. Take note when multiple log streams are deleted.
MITRE Tactic: TA0005
MITRE Technique: T1562
An alarm has been disabled
CloudWatch alarms are designed to inform the user of any anomalous activity, as defined by the user. An alarm can cover different AWS services and alert on any measurable metric offered by CloudWatch.
Impact: An attacker can disable an alarm as an evasion technique, hiding malicious activity by preventing the user from receiving alerts.
Mitigation: Verify that disabling the alarm was intentional and authorized, and investigate further if not. Take note when multiple alarms are disabled together.
MITRE Tactic: TA0005
MITRE Technique: T1562
An alarm has been deleted
CloudWatch alarms are designed to inform the user of any anomalous activity, as defined by the user. An alarm can cover different AWS services and alert on any measurable metric offered by CloudWatch.
Impact: Unauthorized deletion of an alarm can be an attacker evasion technique, hiding malicious activity by preventing the user from receiving alerts.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if not. Take note when multiple alarms are deleted together.
MITRE Tactic: TA0005
MITRE Technique: T1562
A log group has been deleted
A log group is a group of log streams that share the same retention, monitoring, and access control settings. Any deletion of a log group should be validated.
Impact: An attacker can delete a log group as an evasion technique, to hide malicious actions they have carried out.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if not. Take note when multiple log groups are deleted.
MITRE Tactic: TA0005
MITRE Technique: T1562
A rule has been deleted
CloudWatch Events / EventBridge rules are designed to match incoming CloudWatch events and route them to specific AWS resources for processing. Events can trigger actions on multiple other AWS services (such as Lambda, EC2, Batch jobs, etc.).
Impact: Unauthorized deletion of a rule can be an attacker evasion technique, hiding malicious activity by preventing the system from triggering required actions on different services.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if not. Take note when multiple rules are deleted together.
MITRE Tactic: TA0005
MITRE Technique: T1562
A rule has been disabled
CloudWatch Events / EventBridge rules are designed to match incoming CloudWatch events and route them to specific AWS resources for processing. Events can trigger actions on multiple other AWS services (such as Lambda, EC2, Batch jobs, etc.).
Impact: Disabling a rule can be an attacker evasion technique, hiding malicious activity by preventing the system from triggering required actions on different services.
Mitigation: Verify that disabling the rule was intentional and authorized, and investigate further if not. Take note when multiple rules are disabled together.
MITRE Tactic: TA0005
MITRE Technique: T1562
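The six alert conditions above, expressed as triage logic over CloudTrail management-event records. This is an added example, not Coralogix's alert definitions: the mapping of each alert title to a CloudTrail `eventSource`/`eventName` pair, the function name `triage`, and the burst threshold and time window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGS, CW, EV = "logs.amazonaws.com", "monitoring.amazonaws.com", "events.amazonaws.com"
# Assumed mapping of CloudTrail (eventSource, eventName) to the alert titles on this page.
ALERTS = {
    (LOGS, "DeleteLogStream"): "A Log Stream has been deleted",
    (LOGS, "DeleteLogGroup"): "A log group has been deleted",
    (CW, "DisableAlarmActions"): "An alarm has been disabled",
    (CW, "DeleteAlarms"): "An alarm has been deleted",
    (EV, "DeleteRule"): "A rule has been deleted",
    (EV, "DisableRule"): "A rule has been disabled",
}

def triage(records, burst=3, window=timedelta(minutes=5)):
    """Return (findings, bursts): matching successful calls, and noisy principals."""
    findings, by_actor = [], defaultdict(list)
    for rec in records:
        alert = ALERTS.get((rec.get("eventSource"), rec.get("eventName")))
        if alert is None or "errorCode" in rec:  # skip unrelated and failed calls
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        findings.append({"alert": alert, "actor": actor, "time": when,
                         "target": rec.get("requestParameters")})
        by_actor[actor].append(when)
    bursts = set()
    for actor, times in by_actor.items():
        times.sort()
        # Sliding window: `burst` or more matching calls by one principal inside `window`.
        if any(times[i + burst - 1] - times[i] <= window
               for i in range(len(times) - burst + 1)):
            bursts.add(actor)
    return findings, bursts

def _rec(time, source, name, arn, params, error=None):
    # Builds a constructed, minimal CloudTrail-style record for the sample below.
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "requestParameters": params}
    return {**rec, "errorCode": error} if error else rec

TMP, OPS = "arn:aws:iam::111122223333:user/tmp", "arn:aws:iam::111122223333:user/ops"
SAMPLE = [  # constructed sample data, not real account activity
    _rec("2024-01-01T10:00:00Z", LOGS, "DeleteLogStream", TMP, {"logStreamName": "i-01"}),
    _rec("2024-01-01T10:01:00Z", CW, "DisableAlarmActions", TMP, {"alarmNames": ["cpu-high"]}),
    _rec("2024-01-01T10:02:30Z", EV, "DeleteRule", TMP, {"name": "notify-ops"}),
    _rec("2024-01-01T10:03:00Z", LOGS, "DeleteLogGroup", TMP, {"logGroupName": "/app"}, "AccessDenied"),
    _rec("2024-01-01T12:00:00Z", CW, "DeleteAlarms", OPS, {"alarmNames": ["old-test"]}),
    _rec("2024-01-01T12:30:00Z", "ec2.amazonaws.com", "DescribeInstances", OPS, None),
]
```

Calling `triage(SAMPLE)` returns one finding per successful matching call, plus the set of principals whose calls cluster within the window, which is the "multiple deletions" case the mitigations ask you to watch for.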
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon CloudWatch in our documentation.