Data Destruction: AMI Image Deletion


AWS Specific Sub-Technique


AMIs (Amazon Machine Images) are templates that contain software configurations (including the operating system, application server, and applications) and can be used to launch EC2 instances, making them essential resources for disaster recovery and system restoration. An adversary can leverage access to delete AMIs to damage an organization or its customers. Threat actors may use the ec2:DeregisterImage API call to remove AMIs from an AWS account. After deregistration, these AMIs become unavailable for launching new EC2 instances.

Detection

AWS Specific Content


When this technique is used, the AMI-related actions taken by the threat actor will be logged in CloudTrail. You can use the Event history page in the AWS CloudTrail console to view the last 90 days of management events in an AWS Region for the events listed in the AWS CloudTrail Event Name(s) section, such as ec2:DeregisterImage.

A separate CloudTrail trail will give you an ongoing record of events in your AWS account past 90 days and can be configured to log events in multiple regions. You can also review events using the console as well as the AWS CLI.

It is also possible to create a CloudWatch metric filter to watch for when specific EC2 API calls are used and perform notification actions if logged, and additionally configure CloudWatch to automatically perform an action in response to an alarm.
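As an added example (not part of the original catalog entry), the following Python code applies the detection described above to a handful of constructed CloudTrail records: it selects ec2:DeregisterImage events, groups them by the calling identity, and flags an identity that deregisters several AMIs within a short window, which is the pattern a data-destruction attempt would produce. The record layout follows the CloudTrail JSON format; the identities, AMI IDs, IPs and timestamps are constructed sample data.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample CloudTrail records (not real account data); field names
# follow the CloudTrail record format. One identity deregisters three AMIs in
# four minutes, another deregisters a single AMI hours later.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-08-26T10:00:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeregisterImage",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops-admin/session1"},
     "requestParameters": {"imageId": "ami-0a1b2c3d4e5f60001"}},
    {"eventTime": "2024-08-26T10:00:07Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeImages",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops-admin/session1"},
     "requestParameters": {}},
    {"eventTime": "2024-08-26T10:02:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeregisterImage",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops-admin/session1"},
     "requestParameters": {"imageId": "ami-0a1b2c3d4e5f60002"}},
    {"eventTime": "2024-08-26T10:04:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeregisterImage",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops-admin/session1"},
     "requestParameters": {"imageId": "ami-0a1b2c3d4e5f60003"}},
    {"eventTime": "2024-08-26T14:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeregisterImage",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"imageId": "ami-0a1b2c3d4e5f60099"}},
]})


def parse_time(ts):
    """CloudTrail eventTime is UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_ami_deregistrations(cloudtrail_json, window_minutes=10, burst_threshold=3):
    """Return one finding per identity that called ec2:DeregisterImage, marking bursts."""
    records = json.loads(cloudtrail_json)["Records"]
    by_actor = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") == "ec2.amazonaws.com" and rec.get("eventName") == "DeregisterImage":
            by_actor[rec.get("userIdentity", {}).get("arn", "unknown")].append(rec)
    findings = []
    for actor, events in by_actor.items():
        events.sort(key=lambda r: parse_time(r["eventTime"]))
        times = [parse_time(r["eventTime"]) for r in events]
        # Burst if any burst_threshold consecutive deregistrations fall inside window_minutes.
        burst = any((times[i + burst_threshold - 1] - times[i]).total_seconds() <= window_minutes * 60
                    for i in range(len(times) - burst_threshold + 1))
        findings.append({"actor": actor, "count": len(events), "burst": burst,
                         "image_ids": [r.get("requestParameters", {}).get("imageId") for r in events],
                         "regions": sorted({r.get("awsRegion") for r in events}),
                         "source_ips": sorted({r.get("sourceIPAddress") for r in events})})
    return findings
```

The same filter (eventSource ec2.amazonaws.com and eventName DeregisterImage) is what a CloudWatch metric filter on the trail's log group would match, with the burst threshold becoming the alarm's count-per-period.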



Mitigation

AWS Specific Content


For EBS-backed AMIs, the outcome depends on Recycle Bin configuration:

If the deregistered AMI matches a Recycle Bin retention rule, it is moved to the Recycle Bin for the specified retention period and can be restored before expiration.

If no retention rule applies, the AMI is permanently deleted immediately.

AMIs that remain in the Recycle Bin beyond their retention period are permanently deleted.

You can also use IAM Access Analyzer to regularly review and verify access and manage permissions across your AWS environment; it highlights AWS identities with excessive permissions and the actions performed by those identities.


References

AWS Specific Information


AWS Services:
  • Amazon Elastic Compute Cloud (EC2)
AWS CloudTrail Event Names:
  • ec2:DeregisterImage

Technique Information

ID: T1485.A002
Aliases: T1485.A002
Sub-technique of: T1485
Tactics:
  • Impact
Platforms:
  • IaaS
  • Amazon Web Services (AWS)
Created: 26 Aug 2024
Last Modified: 29 Jan 2025