AWS WAF Access Control List Deletion
Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list."
false_positives = [
    """
    Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS WAF Access Control List Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS WAF Access Control List Deletion

AWS Web Application Firewall (WAF) protects web applications by controlling access based on defined rules. Deleting an Access Control List (ACL) can expose applications to threats by removing these protective rules. Adversaries may exploit this to bypass defenses, facilitating unauthorized access or data exfiltration. The detection rule monitors for successful ACL deletions, signaling potential defense evasion attempts.

### Possible investigation steps

- Review the CloudTrail logs for the specific event.action:DeleteWebACL to identify the user or role that initiated the deletion. Check the event.userIdentity field for details.
- Examine the event.time field to determine when the deletion occurred and correlate it with any other suspicious activities or alerts around the same timeframe.
- Investigate the event.sourceIPAddress to identify the origin of the request and assess if it aligns with known IP addresses or locations associated with your organization.
- Check the AWS WAF configuration history to understand the context of the deleted ACL, including its rules and the applications it was protecting.
- Assess the impact of the ACL deletion by reviewing access logs for the affected applications to identify any unusual or unauthorized access attempts following the deletion.
- Verify if there are any recent changes in IAM policies or permissions that could have allowed unauthorized users to delete the ACL.

### False positive analysis

- Routine maintenance or updates by authorized personnel may trigger ACL deletions. Verify if the deletion aligns with scheduled maintenance activities and consider excluding these events from alerts.
- Automated scripts or tools used for infrastructure management might delete and recreate ACLs as part of their normal operation. Identify these scripts and whitelist their actions to prevent unnecessary alerts.
- Changes in security policies or architecture might necessitate the removal of certain ACLs. Ensure that such changes are documented and approved, and exclude these events from monitoring if they are part of a planned update.
- Test environments often undergo frequent configuration changes, including ACL deletions. Differentiate between production and test environments and adjust monitoring rules to reduce false positives in non-production settings.

### Response and remediation

- Immediately revoke any access keys or credentials associated with the user or role that performed the ACL deletion to prevent further unauthorized actions.
- Restore the deleted AWS WAF Access Control List from a backup or recreate it using documented configurations to re-establish protective rules.
- Conduct a thorough review of recent access logs and CloudTrail events to identify any unauthorized access or data exfiltration attempts that may have occurred following the ACL deletion.
- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring and alerting for any future attempts to delete or modify AWS WAF ACLs, ensuring rapid detection and response.
- Review and tighten IAM policies to ensure that only authorized personnel have permissions to delete or modify AWS WAF configurations.
- Consider enabling AWS Config rules to continuously monitor and alert on changes to critical AWS resources, including WAF ACLs, to prevent similar incidents.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
    "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html",
]
risk_score = 47
rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Network Security Monitoring",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
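As an added example (not code from the rule or from Elastic), the following Python replays the rule's KQL predicate over constructed CloudTrail records and applies the kind of known-automation exemption the false-positive section describes. The CloudTrail-to-ECS field mapping in to_ecs is assumed, not the integration's actual pipeline.

```python
# Constructed CloudTrail records (illustrative values, not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-15T10:02:11Z", "eventName": "DeleteWebACL",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.x",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2025-01-15T10:05:00Z", "eventName": "DeleteWebACL",
     "sourceIPAddress": "198.51.100.9", "userAgent": "Terraform/1.x",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"}},
    {"eventTime": "2025-01-15T10:07:30Z", "eventName": "DeleteWebACL",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.x",
     "errorCode": "AccessDenied",  # denied call: rule requires event.outcome:success
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2025-01-15T10:09:00Z", "eventName": "UpdateWebACL",
     "sourceIPAddress": "203.0.113.7", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

def to_ecs(raw):
    """Map a raw CloudTrail record onto the ECS fields the rule queries.
    Assumed mapping: event.outcome is 'failure' when errorCode is set, else 'success'."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.action": raw.get("eventName"),
        "event.outcome": "failure" if raw.get("errorCode") else "success",
        "@timestamp": raw.get("eventTime"),
        "source.ip": raw.get("sourceIPAddress"),
        "user.arn": raw.get("userIdentity", {}).get("arn", ""),
        "user_agent.original": raw.get("userAgent"),
    }

def matches_rule(doc):
    """Same predicate as the rule's KQL query."""
    return (doc["event.dataset"] == "aws.cloudtrail"
            and doc["event.action"] == "DeleteWebACL"
            and doc["event.outcome"] == "success")

def run_rule(raw_events, exempt_arn_prefixes=()):
    """Return the documents the rule would alert on. Deletions by known automation
    (matched by ARN prefix, per the false-positive guidance) are kept but flagged
    'exempted' so the change still stays on record for triage."""
    alerts = []
    for raw in raw_events:
        doc = to_ecs(raw)
        if matches_rule(doc):
            doc["exempted"] = doc["user.arn"].startswith(tuple(exempt_arn_prefixes))
            alerts.append(doc)
    return alerts
```

Each alert keeps source.ip, user.arn and user_agent.original, which are the fields the investigation steps above ask you to check first.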
Related rules
- AWS EC2 Network Access Control List Deletion
- AWS EC2 Security Group Configuration Change
- AWS WAF Rule or Rule Group Deletion
- AWS Configuration Recorder Stopped
- AWS EC2 Full Network Packet Capture Detected