Insider Threat Matrix™

  • ID: IF014.005
  • Created: 20th June 2024
  • Updated: 24th July 2024
  • Contributor: The ITM Team

Deletion of Cloud Resources

A subject deletes cloud resources, resulting in harm to the organization's operations.

Detection

DT064: AWS CloudTrail, Resource Deletion

CloudTrail logs, on their own or in conjunction with CloudWatch, can be used to identify resource deletion events. Each record contains the account that performed the action (within the userIdentity field), a timestamp (within the eventTime field), and further detail that depends on which resource was deleted. Some eventName examples include: DeleteBucket (S3 bucket deletion), DeleteDBInstance (RDS deletion), and TerminateInstances (EC2 termination).

DT066: Azure Activity Log, Resource Deletion

Azure Activity Log can be used to identify resource deletion events by using the search bar to filter on operations related to deletion, such as Delete or Delete Resource. Each record contains the account that performed the action (within the Caller field), a timestamp, and further detail that depends on which resource was deleted (within the Resource, Status, and Properties fields).

DT065: GCP Cloud Audit Logs, Resource Deletion

GCP Cloud Audit Logs can be used to identify resource deletion events. Each record contains the account that performed the action (within the Principal field), a timestamp, and further detail that depends on which resource was deleted. Some query examples include: resource.type="gcs_bucket" and protoPayload.methodName="storage.buckets.delete" for bucket deletion, and resource.type="gce_instance" and protoPayload.methodName="v1.compute.instances.delete" for compute instance deletion.