AWS WAF Access Control List Deletion
Identifies the deletion of an AWS Web Application Firewall (WAF) Web ACL. Web ACLs are the core enforcement objects in AWS WAF, defining which traffic is inspected, allowed, or blocked for protected applications. Deleting a Web ACL removes all associated rules, protections, and logging configurations. Adversaries who obtain sufficient privileges may delete a Web ACL to disable critical security controls, evade detection, or prepare for downstream attacks such as web-application compromise, data theft, or resource abuse. Because Web ACLs are rarely deleted outside of controlled maintenance or infrastructure updates, unexpected deletions may indicate potential defense evasion.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/08"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an AWS Web Application Firewall (WAF) Web ACL. Web ACLs are the core enforcement objects in
AWS WAF, defining which traffic is inspected, allowed, or blocked for protected applications. Deleting a Web ACL removes
all associated rules, protections, and logging configurations. Adversaries who obtain sufficient privileges may delete a
Web ACL to disable critical security controls, evade detection, or prepare for downstream attacks such as
web-application compromise, data theft, or resource abuse. Because Web ACLs are rarely deleted outside of controlled
maintenance or infrastructure updates, unexpected deletions may indicate potential defense evasion.
"""
false_positives = [
    """
    Authorized administrators may delete Web ACLs as part of planned migrations, infrastructure refactoring, or
    automation-driven redeployments. Ensure the deletion aligns with approved change requests, maintenance windows, or
    known IaC workflows. Deletions performed by unfamiliar users, unusual identities, or unexpected automation should be
    investigated.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS WAF Access Control List Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.

### Investigating AWS WAF Access Control List Deletion

AWS Web Application Firewall (WAF) protects applications by inspecting HTTP/S traffic and applying rule groups,
managed rule sets, and custom logic to block or allow requests. A Web ACL is the primary enforcement object that binds
these protections to CloudFront distributions, Application Load Balancers, API Gateway stages, and AppSync APIs.

Deleting a Web ACL permanently removes its rules, its logging configuration, and the record of what it protected.
AWS refuses to delete a Web ACL that is still associated with a resource (WAF Classic additionally requires the ACL to
be emptied of rules first), so a deletion is normally the last step in a sequence: the application's protection actually
lapses at the earlier `DisassociateWebACL` call (or, for CloudFront distributions, at the `UpdateDistribution` call that
clears the `WebACLId`). Because this exposes applications to direct exploitation, adversaries may delete Web ACLs to
disable defenses, evade detection, or prepare for lateral movement or data exfiltration.

This rule detects successful `DeleteWebACL` events across WAF Classic, WAF Regional, and WAFv2 APIs. It does not fire
on the disassociation step, so treat the alert as the end of a sequence and look backwards for it.

### Possible investigation steps

- **Identify the actor and access context**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` for the identity that initiated the deletion.
  - Determine whether this principal normally manages WAF resources.
  - Use `aws.cloudtrail.user_identity.type` to see whether the call came through role assumption (`AssumedRole`), a federated identity (`FederatedUser`), or a long-lived IAM user key (`IAMUser`); access key IDs beginning with `ASIA` are temporary credentials, those beginning with `AKIA` are long-lived.

- **Assess the deleted ACL**
  - Check `aws.cloudtrail.request_parameters` for:
    - The Web ACL identity (`WebACLId` for WAF Classic and WAF Regional; `Name`, `Scope`, and `Id` for WAFv2).
    - The scope (REGIONAL vs. CLOUDFRONT, WAFv2 only).
    - The resources it protected. These are not in the delete call itself: find the preceding `DisassociateWebACL` events (`ResourceArn`) or, for CloudFront, the `UpdateDistribution` call that removed the `WebACLId`.
  - Determine which applications or APIs depended on this Web ACL.
  - Evaluate the criticality and sensitivity of any exposed endpoints.

- **Correlate with related security-affecting activity**
  - Use CloudTrail to pivot on:
    - The same identity (`user_identity.arn` or access key).
    - The same application load balancer, CloudFront distribution, or API Gateway stage.
  - Look for:
    - Prior rule updates (`UpdateWebACL`, `DeleteRuleGroup`, etc.) and the `DisassociateWebACL` calls that preceded the delete.
    - IAM privilege escalation events.
    - Changes to logging or monitoring (e.g., `DeleteLoggingConfiguration` to disable WAF logging).

- **Investigate request origin and tooling**
  - Review `source.ip`, ASN, and geo-location for anomalies.
  - Analyze `user_agent.original` to identify automation, custom scripts, CLI usage, or console access.

- **Evaluate operational context**
  - Determine whether the deletion aligns with:
    - Scheduled maintenance.
    - IaC-driven redeployments (Terraform, CDK, CloudFormation).
    - Known migrations between WAF Classic and WAFv2.
  - If the deletion occurred outside expected time windows or without a corresponding change ticket, treat it as suspicious.

### False positive analysis

- **Expected infrastructure lifecycle events**
  - IaC pipelines may destroy and recreate Web ACLs as part of environment rotation or blue/green deployments.
  - Confirm whether the deleting identity matches known automation roles.

- **Planned refactoring or migrations**
  - Organizations transitioning to WAFv2 or moving resources across regions may intentionally delete legacy ACLs.

- **Testing and sandbox environments**
  - Developers may frequently create and remove ACLs during experimentation.
  - Tune the rule to suppress events from non-production accounts or specific tags.

- **Automated cleanup**
  - Certain CI/CD processes or teardown scripts remove WAF resources during ephemeral environment shutdowns.

If any deletion is inconsistent with normal operational patterns or performed by an unexpected principal, treat it as a potential defense-evasion attempt.

### Response and remediation

- **Containment**
  - Immediately assess the exposed applications. If feasible, apply temporary restrictive controls (e.g., tighten the ALB security group, or associate a known-good or emergency Web ACL until the original is rebuilt).
  - Revoke session tokens or access keys associated with suspicious actors.

- **Restore protections**
  - Recreate the deleted Web ACL using IaC definitions, backups, or previous configurations, and re-associate it with every resource it protected.
  - Validate that logging and monitoring (WAF logs, CloudWatch alarms, SIEM ingestion) are correctly restored.

- **Scope and impact analysis**
  - Review CloudTrail for follow-on or preceding activity by the same actor:
    - Rule modifications.
    - IAM policy changes.
    - Application configuration updates.
    - API Gateway or ALB changes.
  - Review application access logs for unusual requests following ACL removal.

- **Hardening**
  - Limit IAM permissions for `waf:DeleteWebACL`, `waf-regional:DeleteWebACL`, `wafv2:DeleteWebACL`, and related actions (including the `DisassociateWebACL` actions) to a small set of trusted roles.
  - Enforce MFA for administrative access.
  - Use AWS Config or Security Hub controls to detect unauthorized modifications to WAF resources.

- **Post-incident improvements**
  - Update change-management workflows to include required approvals for WAF modifications.
  - Improve monitoring for other defense-evasion patterns such as disabling GuardDuty, CloudTrail, or logging.

### Additional information

- **DeleteWebACL API (WAF Classic & Regional):**
  https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html
- **DeleteWebACL API (WAFv2):**
  https://docs.aws.amazon.com/waf/latest/APIReference/API_DeleteWebACL.html
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://docs.aws.amazon.com/waf/latest/APIReference/API_DeleteWebACL.html",
    "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html",
]
risk_score = 47
rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS WAF",
    "Use Case: Network Security Monitoring",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)
    and event.action: DeleteWebACL
    and event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "target.entity.id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
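The rule's query and the correlation steps in its triage guide, as an added Python example that is not Elastic's code. It re-implements the KQL predicate over raw CloudTrail records rather than the ECS-mapped fields the rule queries (`eventSource` maps to `event.provider`, `eventName` to `event.action`, and the absence of `errorCode` to `event.outcome: success`), extracts the deleted ACL's identity from both the WAF Classic/Regional and the WAFv2 request shapes, and pulls out the `DisassociateWebACL` calls the same principal made shortly before the delete. Every log record, account ID, ARN and identifier below is constructed. CloudFront-scoped ACLs are detached through a CloudFront `UpdateDistribution` call instead, which this example does not cover.

```python
import json
from datetime import datetime, timedelta

# Providers the rule's KQL matches: WAF Classic, WAF Regional and WAFv2.
WAF_PROVIDERS = {"waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"}

# Constructed CloudTrail records in the raw CloudTrail JSON shape (not real logs).
# The Elastic integration maps eventSource -> event.provider, eventName -> event.action,
# and sets event.outcome to "success" when no errorCode is present.
ACTOR = {"type": "AssumedRole",
         "arn": "arn:aws:sts::111122223333:assumed-role/PlatformAdmin/jdoe",
         "accessKeyId": "ASIAEXAMPLEKEY000001"}
SAMPLE_EVENTS = [
    {"eventTime": "2025-12-08T10:00:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DisassociateWebACL", "userIdentity": ACTOR,
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"resourceArn": "arn:aws:elasticloadbalancing:us-east-1:"
                           "111122223333:loadbalancer/app/prod-web/0123456789abcdef"}},
    {"eventTime": "2025-12-08T10:02:30Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteWebACL", "userIdentity": ACTOR,
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"name": "prod-web-acl", "scope": "REGIONAL",
                           "id": "0a1b2c3d-0000-4000-8000-000000000001",
                           "lockToken": "7f1c2d3e-0000-4000-8000-000000000002"}},
    # Failed deletion: WAF Classic refuses to delete a non-empty ACL, so errorCode is set
    # and event.outcome would not be "success". Must not match.
    {"eventTime": "2025-12-08T10:05:00Z", "eventSource": "waf.amazonaws.com",
     "eventName": "DeleteWebACL", "userIdentity": ACTOR,
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "errorCode": "WAFNonEmptyEntityException",
     "requestParameters": {"webACLId": "1234abcd-0000-4000-8000-000000000003"}},
    # Different service (an EC2 network ACL): outside the rule's providers. Must not match.
    {"eventTime": "2025-12-08T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkAcl", "userIdentity": ACTOR,
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"networkAclId": "acl-0123456789abcdef0"}},
]


def matches_rule(event):
    """Same predicate as the rule's KQL: WAF provider, DeleteWebACL, successful."""
    return (event.get("eventSource") in WAF_PROVIDERS
            and event.get("eventName") == "DeleteWebACL"
            and "errorCode" not in event)


def web_acl_identifier(event):
    """Pull the deleted ACL's identity out of requestParameters.
    WAF Classic/Regional log a webACLId; WAFv2 logs name, scope and id.
    Keys are compared case-insensitively because CloudTrail lower-cases the first letter."""
    params = {k.lower(): v for k, v in (event.get("requestParameters") or {}).items()}
    if "webaclid" in params:
        return params["webaclid"]
    return "{name} ({scope}, id={id})".format(name=params.get("name", "?"),
                                             scope=params.get("scope", "?"),
                                             id=params.get("id", "?"))


def _ts(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def prior_disassociations(events, deletion, window_minutes=60):
    """Successful DisassociateWebACL calls by the same principal in the window before
    the delete. That earlier call, not the delete, is when protection actually lapsed."""
    t_del = _ts(deletion)
    hits = []
    for e in events:
        if (e.get("eventSource") in WAF_PROVIDERS
                and e.get("eventName") == "DisassociateWebACL"
                and "errorCode" not in e
                and e["userIdentity"]["arn"] == deletion["userIdentity"]["arn"]
                and timedelta(0) <= t_del - _ts(e) <= timedelta(minutes=window_minutes)):
            hits.append(e["requestParameters"].get("resourceArn"))
    return hits


def triage(events):
    """One alert record per matching event, carrying the pivots the guide asks for."""
    alerts = []
    for e in events:
        if not matches_rule(e):
            continue
        alerts.append({
            "time": e["eventTime"],
            "actor_arn": e["userIdentity"]["arn"],
            "actor_type": e["userIdentity"]["type"],
            "access_key_id": e["userIdentity"].get("accessKeyId"),
            "source_ip": e.get("sourceIPAddress"),
            "user_agent": e.get("userAgent"),
            "web_acl": web_acl_identifier(e),
            "resources_exposed_by_prior_disassociation": prior_disassociations(events, e),
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Running the block yields a single alert, for the WAFv2 deletion: the WAF Classic `DeleteWebACL` carries an `errorCode` (the service refused to delete a non-empty ACL) and the EC2 `DeleteNetworkAcl` comes from a provider outside the rule's list, so both fall outside the rule exactly as they would in Kibana. The alert also names the load balancer the same role detached two and a half minutes earlier, which is the resource that has been unprotected since then and the first thing to check in the application's access logs.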
References
- https://docs.aws.amazon.com/waf/latest/APIReference/API_DeleteWebACL.html
- https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html
Related rules
- AWS WAF Rule or Rule Group Deletion
- AWS EC2 Security Group Configuration Change
- AWS EC2 Network Access Control List Creation
- AWS EC2 Network Access Control List Deletion
- AWS RDS DB Instance Made Public