AWS Lambda Function Deletion

Identifies the deletion of an AWS Lambda function. Deleting a function removes its code, configuration, versions, and aliases. Adversaries may delete functions to disrupt business operations and automated workflows, to destroy attacker-deployed backdoors and remove evidence after achieving their objective, or to inhibit incident response. Because function deletion is destructive and often irreversible without redeployment, deletions performed by unexpected principals or outside change windows should be reviewed.

Rule type: query
Rule indices:

  • logs-aws.cloudtrail-*

Rule Severity: low
Risk Score: 21
Runs every: 5m
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS Lambda
  • Use Case: Threat Detection
  • Tactic: Impact
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

Deleting an AWS Lambda function removes its code, configuration, published versions, and aliases. This can be a destructive action that disrupts serverless workloads and automation, or a cleanup step an adversary uses to remove a backdoor function and erase evidence after their objective is met.

This rule detects successful DeleteFunction calls. Investigate whether the principal and the deleted function are expected, and whether the deletion correlates with other suspicious activity.

Possible investigation steps:

  • Identify the actor in aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.type, and review source.ip and user_agent.original to determine how the deletion was performed (console, CLI, SDK, automation).
  • Inspect aws.cloudtrail.request_parameters for the functionName and map it to its application, owner, and environment (prod, staging, dev).
  • Determine whether the deletion aligns with an approved change, decommissioning, or infrastructure-as-code destroy operation by comparing @timestamp against deployment and change-management records.
  • Correlate with recent activity by the same principal or access key, such as CreateFunction, UpdateFunctionCode, AddPermission, CreateEventSourceMapping, log-group deletions, or other destructive or evasive actions.
  • Verify whether multiple functions were deleted in a short window, which may indicate broad disruption rather than a single planned change.

False positive analysis:

  • Function deletions are common during decommissioning and infrastructure-as-code apply/destroy cycles. Deletions by approved deployment roles, CI/CD pipelines, or platform automation are expected. Tune on aws.cloudtrail.user_identity.arn, user_agent.original, or known automation roles after validation.

Response and remediation:

  • If the deletion is unauthorized, restore the function from source control or an infrastructure-as-code definition and confirm its code, configuration, and execution role match a known-good state.
  • Review CloudTrail for related destructive or evasive actions by the same actor and assess operational impact.
  • Rotate or restrict credentials for the principal if compromise is suspected, and constrain lambda:DeleteFunction to a small set of trusted roles.
Rule query:

data_stream.dataset: "aws.cloudtrail"
    and event.provider: "lambda.amazonaws.com"
    and event.action: (DeleteFunction or DeleteFunction20*)
    and event.outcome: "success"
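As an added example (not part of the Elastic rule or its investigation guide), the following Python re-implements the rule's match logic over raw CloudTrail records and layers on two triage checks the guide describes: suppressing deletions by an allowlisted automation role, and flagging a burst of deletions by one principal inside a short window. The role ARNs, function names, timestamps and the APPROVED_ROLE_ARNS allowlist are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist of approved automation roles; tune per environment.
APPROVED_ROLE_ARNS = {"arn:aws:sts::123456789012:assumed-role/ci-deploy-role/github-actions"}

def is_lambda_delete(rec: dict) -> bool:
    """Mirror the rule query: a successful DeleteFunction (including DeleteFunction20*)."""
    name = rec.get("eventName", "")
    return (rec.get("eventSource") == "lambda.amazonaws.com"
            and (name == "DeleteFunction" or name.startswith("DeleteFunction20"))
            and "errorCode" not in rec)  # CloudTrail omits errorCode on success

def triage(records: list, window: timedelta = timedelta(minutes=10), burst: int = 3) -> list:
    """Alerts for deletions by non-approved principals; 'burst' marks many within one window."""
    by_actor = defaultdict(list)
    for r in filter(is_lambda_delete, records):
        by_actor[r["userIdentity"]["arn"]].append(r)
    alerts = []
    for arn, evs in by_actor.items():
        if arn in APPROVED_ROLE_ARNS:  # expected deployment automation, suppressed
            continue
        evs.sort(key=lambda r: r["eventTime"])
        times = [datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00")) for r in evs]
        for i, r in enumerate(evs):
            recent = sum(1 for t in times[: i + 1] if times[i] - t <= window)
            alerts.append({"actor": arn, "function": r["requestParameters"]["functionName"],
                           "source_ip": r.get("sourceIPAddress"), "burst": recent >= burst})
    return alerts

def _ev(time, arn, fn, name="DeleteFunction", err=None):
    """Minimal constructed CloudTrail record (sample data, not a real capture)."""
    r = {"eventTime": time, "eventSource": "lambda.amazonaws.com", "eventName": name,
         "userIdentity": {"arn": arn}, "requestParameters": {"functionName": fn},
         "sourceIPAddress": "203.0.113.10"}
    if err:
        r["errorCode"] = err
    return r

CI = "arn:aws:sts::123456789012:assumed-role/ci-deploy-role/github-actions"
DEV = "arn:aws:iam::123456789012:user/alice"
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", CI, "orders-api"),                # approved automation: suppressed
    _ev("2024-05-01T11:00:00Z", DEV, "billing-worker"),           # first deletion by a user
    _ev("2024-05-01T11:01:00Z", DEV, "auth-hook", "DeleteFunction20150331"),
    _ev("2024-05-01T11:02:00Z", DEV, "audit-forwarder"),          # third within 2 min: burst
    _ev("2024-05-01T11:03:00Z", DEV, "ghost", err="ResourceNotFoundException"),  # failed: ignored
    _ev("2024-05-01T11:04:00Z", DEV, "billing-worker", "UpdateFunctionCode"),    # not a delete
]
```

Running triage(SAMPLE_EVENTS) yields three alerts for the user principal, with only the third marked as a burst; the CI role's deletion, the failed call and the non-delete API call produce nothing.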

Framework: MITRE ATT&CK