AWS Configuration Recorder Stopped
Detect when a user stops an AWS Configuration Recorder
Query
AWS CloudTrail records a StopConfigurationRecorder event (event source config.amazonaws.com) when an AWS Config configuration recorder is stopped. The request parameters (req_params) carry the name of the stopped recorder in configurationRecorderName; the query extracts it as cloud_resource. For assumed-role sessions CloudTrail does not populate a top-level user name, so the query falls back to the name of the issuing role under sessionContext.sessionIssuer.
Detection occurs when the event name in the AWS CloudTrail audit log is StopConfigurationRecorder.
| search event_name == "StopConfigurationRecorder"
| eval cloud_resource = valueof(req_params, "configurationRecorderName"), user = nvl(user, valueof(valueof(valueof(user_identity, "sessionContext"), "sessionIssuer"), "userName"))
| rename account_id as cloud_account, aws_region as cloud_region
Message
- AWS Configuration Recorder stopped: Account $cloud_account, Region $cloud_region, User $user, Recorder $cloud_resource
Output field order
- _log_time, cloud_account, cloud_region, src_ip, user, user_type, event_source, event_name, cloud_resource, user_agent, req_params, resp_params, tls_details
Threat Analysis
- The AWS Config configuration recorder records configuration changes to AWS resources and is essential for compliance auditing and security monitoring.
- If an attacker stops it, subsequent resource changes or privilege abuse are no longer captured in the configuration history, which supports Defense Evasion.
- This activity corresponds to MITRE ATT&CK technique Impair Defenses: Disable or Modify Tools (T1562.001): the adversary disables or tampers with security logging to weaken monitoring.
- Stopping the recorder is a typical step for malicious insiders or external attackers using stolen credentials to evade detection, so it should be treated as a high-risk scenario.
Possible False Positives
- Operational/administrative stoppage: some organizations stop the recorder temporarily before large-scale resource modifications to reduce AWS Config costs or performance impact.
- Test environments: in development/test accounts, administrators may manually disable the Config recorder when the functionality is not required.
- Automation scripts/tools: IaC (Infrastructure as Code) or automation tools (Terraform, CloudFormation, etc.) may manage the recorder state, triggering transient StopConfigurationRecorder events; a StartConfigurationRecorder from the same principal shortly afterwards usually indicates such automation.
Response Actions
- Review the account (user), source IP (src_ip), and user agent (user_agent) fields to determine who stopped the recorder, from where, and how. Verify whether this was an intentional configuration change or an unauthorized modification.
- Perform correlation analysis to see whether the same session or user executed suspicious actions immediately after stopping the recorder, such as IAM policy changes, resource deletions, or disabling CloudTrail (StopLogging). This helps determine whether the event was an operational action or part of Privilege Escalation / Defense Evasion activity.
- If the change was unauthorized, restart the AWS Config recorder (StartConfigurationRecorder) and rotate the credentials (password/access keys) of the IAM principal that made the change; for an assumed role, revoke its active sessions as well. Conduct a full audit of the principal's activity and address the root cause of the credential compromise.
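To show the query's field extraction and the follow-up correlation from the response actions together in running code, here is an added Python example (not part of the original rule, and not AWS tooling). It applies the same event_name filter and the same user fallback to a handful of constructed CloudTrail records, renders the rule's message fields, and then checks what the same principal did in the following 30 minutes. The sample records, identities and access key IDs, the 30-minute window and the list of follow-on event names are all assumptions made for this example.

```python
"""Added example (not part of the original rule): run the detection over constructed
CloudTrail records, derive the rule's output fields, and correlate follow-on activity
by the same principal after the recorder stop."""
from datetime import datetime, timedelta, timezone

def _rec(time, source, name, identity, params, ip="203.0.113.55", ua="aws-cli/2.15.0"):
    """Minimal constructed CloudTrail record carrying only the fields the rule uses."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "recipientAccountId": "111122223333",
            "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": identity, "requestParameters": params}

# Constructed identities: an assumed-role session (no top-level userName),
# a CI user running Terraform, and an unrelated IAM user.
ROLE_SESSION = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                "sessionContext": {"sessionIssuer": {"userName": "DeployRole"}}}
CI_USER = {"type": "IAMUser", "userName": "terraform-ci", "accessKeyId": "AKIAEXAMPLE000000003"}
OPS_USER = {"type": "IAMUser", "userName": "ops-admin", "accessKeyId": "AKIAEXAMPLE000000001"}

SAMPLE_RECORDS = [  # constructed sample log, not real CloudTrail output
    _rec("2024-05-01T10:02:10Z", "config.amazonaws.com", "StopConfigurationRecorder",
         ROLE_SESSION, {"configurationRecorderName": "default"}),
    _rec("2024-05-01T10:03:30Z", "cloudtrail.amazonaws.com", "StopLogging",
         ROLE_SESSION, {"name": "management-trail"}),
    _rec("2024-05-01T10:04:00Z", "iam.amazonaws.com", "CreateAccessKey", OPS_USER,
         {"userName": "ops-admin"}, ip="198.51.100.7"),  # other principal, must be ignored
    _rec("2024-05-01T10:05:00Z", "iam.amazonaws.com", "AttachUserPolicy", ROLE_SESSION,
         {"userName": "ops-admin", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2024-05-01T11:30:00Z", "config.amazonaws.com", "StopConfigurationRecorder",
         CI_USER, {"configurationRecorderName": "default"}, ip="10.20.30.40", ua="Terraform/1.7.0"),
    _rec("2024-05-01T11:31:15Z", "config.amazonaws.com", "StartConfigurationRecorder",
         CI_USER, {"configurationRecorderName": "default"}, ip="10.20.30.40", ua="Terraform/1.7.0"),
]

# Follow-on API calls worth flagging after a recorder stop (this selection is an
# assumption for the example; tune it to your environment).
FOLLOW_ON_EVENTS = {"StopLogging", "DeleteTrail", "PutEventSelectors", "DeleteConfigurationRecorder",
                    "DeleteDeliveryChannel", "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                    "PutRolePolicy", "CreateAccessKey", "CreateUser", "DeleteBucket"}

def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def resolve_user(identity):
    """Same fallback as the rule's nvl(): top-level userName for IAM users, otherwise
    the role name that issued the assumed-role session."""
    if identity.get("userName"):
        return identity["userName"]
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")

def principal_key(identity):
    """Ties events to one credential or session; falls back to the resolved user."""
    return identity.get("accessKeyId") or resolve_user(identity)

def detect_recorder_stop(record):
    """Return the rule's output fields for a StopConfigurationRecorder event, else None."""
    if record.get("eventName") != "StopConfigurationRecorder":
        return None
    ident = record["userIdentity"]
    return {"_log_time": record["eventTime"], "cloud_account": record["recipientAccountId"],
            "cloud_region": record["awsRegion"], "src_ip": record["sourceIPAddress"],
            "user": resolve_user(ident), "user_type": ident.get("type"),
            "event_source": record["eventSource"], "event_name": record["eventName"],
            "cloud_resource": record.get("requestParameters", {}).get("configurationRecorderName"),
            "user_agent": record.get("userAgent")}

def format_message(alert):
    return ("AWS Configuration Recorder stopped: Account {cloud_account}, Region {cloud_region}, "
            "User {user}, Recorder {cloud_resource}").format(**alert)

def correlate(records, window=timedelta(minutes=30)):
    """Detect recorder stops and collect follow-on calls by the same principal inside the
    window. A prompt StartConfigurationRecorder with nothing suspicious in between is the
    IaC pattern from the false-positive list and is rated low."""
    ordered = sorted(records, key=lambda r: r["eventTime"])
    alerts = []
    for i, rec in enumerate(ordered):
        alert = detect_recorder_stop(rec)
        if alert is None:
            continue
        key, t0 = principal_key(rec["userIdentity"]), _parse_time(rec["eventTime"])
        follow_on, restarted = [], False
        for later in ordered[i + 1:]:
            if _parse_time(later["eventTime"]) - t0 > window:
                break
            if principal_key(later["userIdentity"]) != key:
                continue
            if later["eventName"] == "StartConfigurationRecorder":
                restarted = True
            elif later["eventName"] in FOLLOW_ON_EVENTS:
                follow_on.append(later["eventName"])
        alert.update(follow_on=follow_on, restarted_within_window=restarted,
                     severity="high" if follow_on else ("low" if restarted else "medium"))
        alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_RECORDS):
        print(f"[{a['severity']}] {format_message(a)} follow_on={a['follow_on']}")
```

Run stand-alone, it rates the assumed-role session that stopped the recorder and then called StopLogging and AttachUserPolicy as high, and the Terraform user that restarted the recorder a minute later as low; the CreateAccessKey issued by another IAM user inside the same window is ignored because it comes from a different access key. Keying on accessKeyId rather than on the resolved user name matters for roles: several sessions can share one role name, and the attacker's session is the one to rotate or revoke.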
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- Name: Impair Defenses: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/