From 7b3bc23307e8db968e4d06d10e1f8e3297d66f17 Mon Sep 17 00:00:00 2001
From: zendannyy
Date: Fri, 13 Mar 2026 04:18:26 -0700
Subject: [PATCH] New Test for AWS Config (#3278)
Co-authored-by: Bhavin Patel
---
 atomics/T1562.008/T1562.008.yaml | 44 ++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml
index ada5f977..80c23271 100644
--- a/atomics/T1562.008/T1562.008.yaml
+++ b/atomics/T1562.008/T1562.008.yaml
@@ -477,3 +477,47 @@ atomic_tests:
 gcloud config get-value account
 get_prereq_command: |
 gcloud auth login --no-launch-browser
+- name: AWS - Config Logs Disabled
+ description: |
+ Disables AWS Config by stopping the configuration recorder, deleting the delivery channel, and deleting the configuration recorder. An attacker with sufficient permissions can use this to stop configuration change recording and avoid detection of subsequent activity.
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ configuration_recorder_name:
+ description: Name of the configuration recorder
+ type: string
+ default: "redatomictestconfigurationrecorder"
+ delivery_channel_name:
+ description: Name of the delivery channel
+ type: string
+ default: "redatomictestdeliverychannel"
+ region:
+ description: Name of the region
+ type: string
+ default: "us-west-2"
+ dependencies:
+ - description: |
+ Check if ~/.aws/credentials file has a default stanza is configured
+ prereq_command: |
+ cat ~/.aws/credentials | grep "default"
+ get_prereq_command: |
+ echo Please install the aws-cli and configure your AWS default profile using: aws configure
+ - description: |
+ Check if terraform is installed.
+ prereq_command: |
+ terraform version
+ get_prereq_command: |
+ echo Please install terraform and configure your AWS default profile
+ executor:
+ command: |
+ aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
+ echo "*** Configuration recorder stopped ***"
+ aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
+ echo "*** Delivery channel deleted ***"
+ aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
+ echo "*** Configuration recorder deleted ***"
+ cleanup_command: aws configservice list-configuration-recorders --region us-west-2
+ description: |
+ List recorders, to confirm there are none. Confirming previous configuration recorder was stopped and deleted.
+ name: sh
+ elevation_required: false
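Review bot: The `cleanup_command` near the end of the hunk hardcodes `--region us-west-2` while the executor command and the `region` input argument use `#{region}`, so a run against any other region checks the wrong place; change it to `cleanup_command: aws configservice list-configuration-recorders --region #{region}`. The `description:` key placed under `executor:` after the cleanup command does not look like an executor-level field in this schema and may be silently ignored by loaders, so that sentence is better moved into the test's top-level `description`, which should also state plainly that the cleanup only lists recorders and does not recreate the recorder or delivery channel the test deletes. The second dependency requires `terraform`, yet neither the executor nor the cleanup invokes it; if the recorder and delivery channel named in the defaults are expected to be provisioned by a separate terraform step, say so in that dependency's description, otherwise drop the dependency. Minor: `cat ~/.aws/credentials | grep "default"` matches any line containing the word and can be tightened to `grep -q '^\[default\]' ~/.aws/credentials`.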