detection-rules
Loading

AWS SQS Queue Purge

Identifies when an AWS Simple Queue Service (SQS) queue is purged. Purging an SQS queue permanently deletes all messages currently in the queue. Adversaries may use this action to disrupt application workflows, destroy operational data, or impair monitoring and alerting by removing messages that contain evidence of malicious activity.

Rule type: query
Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS SQS
  • Use Case: Threat Detection
  • Use Case: Log Auditing
  • Tactic: Defense Evasion
  • Resources: Investigation Guide

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

AWS SQS is a managed message queuing service commonly used to decouple services and buffer events across distributed and serverless architectures. Purging a queue removes all pending messages and cannot be undone. While this may be required for maintenance or testing, adversaries may abuse this action to disrupt operations, delete forensic evidence, or evade detection by removing queued security or audit events.

Identify the actor

  • Review aws.cloudtrail.user_identity.arn and access_key_id to determine who initiated the purge. Confirm whether this identity typically manages SQS resources and whether the action aligns with their role.

Review the affected queue

  • Identify the purged queue using aws.cloudtrail.request_parameters or aws.cloudtrail.resources.arn. Determine the purpose of the queue and whether it supports critical workflows, security tooling, or monitoring pipelines.

Evaluate the context of the action

  • Review the @timestamp to determine when the purge occurred and whether it aligns with maintenance windows or deployment activity.
  • Examine source.ip and user_agent.original for anomalies such as unexpected locations, automation tools, or unfamiliar clients.

Correlate related activity

  • Search for other CloudTrail events from the same identity before and after the purge, including IAM changes, credential activity, or additional SQS operations.
  • Look for signs of follow-on behavior such as queue deletion, policy updates, or attempts to suppress logging.

Validate intent

  • Confirm with the queue owner or application team whether the purge was intentional, approved, and expected. If no clear business justification exists, treat the activity as potentially suspicious.
  • Queue purges performed during routine maintenance, incident recovery, or test resets may be legitimate.
  • Automated jobs or cleanup scripts may regularly purge queues as part of normal operation.
  • If the purge was unauthorized, immediately restrict SQS permissions for the affected identity and investigate for credential compromise.
  • Assess operational impact and determine whether downstream systems were disrupted or lost critical data.
  • Review recent activity to identify any additional attempts to evade detection or disable monitoring.
  • Reinforce least-privilege IAM policies to limit which identities can perform PurgeQueue.
  • Enhance monitoring and alerting for destructive SQS actions, especially in production environments.
  • Work with application teams to document approved purge workflows and ensure adequate guardrails are in place.
event.dataset: "aws.cloudtrail"
    and event.provider: "sqs.amazonaws.com"
    and event.action: "PurgeQueue"
    and event.outcome: "success"

Framework: MITRE ATT&CK