AWS WAF Access Control List Deletion

Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list."
false_positives = [
    """
    Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS WAF Access Control List Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS WAF Access Control List Deletion

AWS Web Application Firewall (WAF) protects web applications by controlling access based on defined rules. Deleting an Access Control List (ACL) can expose applications to threats by removing these protective rules. Adversaries may exploit this to bypass defenses, facilitating unauthorized access or data exfiltration. The detection rule monitors for successful ACL deletions, signaling potential defense evasion attempts.

### Possible investigation steps

- Review the CloudTrail logs for the specific event.action:DeleteWebACL to identify the user or role that initiated the deletion. Check the event.userIdentity field for details.
- Examine the event.time field to determine when the deletion occurred and correlate it with any other suspicious activities or alerts around the same timeframe.
- Investigate the event.sourceIPAddress to identify the origin of the request and assess if it aligns with known IP addresses or locations associated with your organization.
- Check the AWS WAF configuration history to understand the context of the deleted ACL, including its rules and the applications it was protecting.
- Assess the impact of the ACL deletion by reviewing access logs for the affected applications to identify any unusual or unauthorized access attempts following the deletion.
- Verify if there are any recent changes in IAM policies or permissions that could have allowed unauthorized users to delete the ACL.

### False positive analysis

- Routine maintenance or updates by authorized personnel may trigger ACL deletions. Verify if the deletion aligns with scheduled maintenance activities and consider excluding these events from alerts.
- Automated scripts or tools used for infrastructure management might delete and recreate ACLs as part of their normal operation. Identify these scripts and whitelist their actions to prevent unnecessary alerts.
- Changes in security policies or architecture might necessitate the removal of certain ACLs. Ensure that such changes are documented and approved, and exclude these events from monitoring if they are part of a planned update.
- Test environments often undergo frequent configuration changes, including ACL deletions. Differentiate between production and test environments and adjust monitoring rules to reduce false positives in non-production settings.

### Response and remediation

- Immediately revoke any access keys or credentials associated with the user or role that performed the ACL deletion to prevent further unauthorized actions.
- Restore the deleted AWS WAF Access Control List from a backup or recreate it using documented configurations to re-establish protective rules.
- Conduct a thorough review of recent access logs and CloudTrail events to identify any unauthorized access or data exfiltration attempts that may have occurred following the ACL deletion.
- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring and alerting for any future attempts to delete or modify AWS WAF ACLs, ensuring rapid detection and response.
- Review and tighten IAM policies to ensure that only authorized personnel have permissions to delete or modify AWS WAF configurations.
- Consider enabling AWS Config rules to continuously monitor and alert on changes to critical AWS resources, including WAF ACLs, to prevent similar incidents.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
    "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html",
]
risk_score = 47
rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Network Security Monitoring",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
...
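As an added example (not part of the Elastic rule or the aws integration), the following Python applies the rule's query logic to constructed CloudTrail records and returns the triage fields the investigation steps ask for (timestamp, source IP, user identity). The ECS mapping in `to_ecs` is an assumed simplification of what the integration produces, and `exempt_arns` is a constructed exception list illustrating how a known infrastructure-automation role would be excluded as the false-positive guidance describes.

```python
# Constructed CloudTrail records (sample data, not real events), in the raw form
# delivered to S3/CloudWatch before the integration maps them onto ECS fields.
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-15T10:02:11Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteWebACL", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    # Denied attempt: CloudTrail carries errorCode, so the integration marks it a failure.
    {"eventTime": "2025-01-15T10:03:40Z", "eventSource": "waf-regional.amazonaws.com",
     "eventName": "DeleteWebACL", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    # Infrastructure-as-code role recreating a web ACL: a candidate for exemption.
    {"eventTime": "2025-01-15T10:05:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteWebACL", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/iac-deploy/ci-run"}},
    # Modification rather than deletion: outside the rule's event.action.
    {"eventTime": "2025-01-15T10:06:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "UpdateWebACL", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

# Hypothetical automation identity used to demonstrate a rule exception.
IAC_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/iac-deploy/ci-run"


def to_ecs(record):
    """Approximate the aws.cloudtrail integration's ECS mapping for the fields
    the rule and its triage steps use (assumed, simplified mapping)."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.action": record["eventName"],
        # The integration derives event.outcome from the presence of errorCode.
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "@timestamp": record["eventTime"],
        "source.ip": record.get("sourceIPAddress"),
        "user.arn": record.get("userIdentity", {}).get("arn"),
    }


def rule_matches(doc, exempt_arns=()):
    """Evaluate the rule's KQL over one ECS document; exempt_arns is a
    constructed exception list for known automation identities."""
    return (doc["event.dataset"] == "aws.cloudtrail"
            and doc["event.action"] == "DeleteWebACL"
            and doc["event.outcome"] == "success"
            and doc["user.arn"] not in exempt_arns)


def find_alerts(records, exempt_arns=()):
    """Return the triage fields for every record the rule would alert on."""
    return [d for d in (to_ecs(r) for r in records) if rule_matches(d, exempt_arns)]
```

Only successful DeleteWebACL calls surface; the denied attempt is filtered by event.outcome, which is why the rule's note recommends separately reviewing IAM changes around the same timeframe.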

