AWS EC2 Network Access Control List Creation
Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.
Elastic rule
[metadata]
creation_date = "2020/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network
ACL with a specified rule number.
"""
false_positives = [
    """
    Network ACLs may be created by a network administrator. Verify whether the user identity, user agent, and/or
    hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be
    investigated. If known behavior is causing false positives, it can be exempted from the rule.
18 """,
19]
20from = "now-60m"
21index = ["filebeat-*", "logs-aws.cloudtrail-*"]
22interval = "10m"
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS EC2 Network Access Control List Creation"
26note = """## Triage and analysis
27
28> **Disclaimer**:
29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
30
31### Investigating AWS EC2 Network Access Control List Creation
32
AWS EC2 Network ACLs are stateless firewalls for controlling inbound and outbound traffic at the subnet level: rules are evaluated in ascending rule-number order and the first match wins, and because they are stateless, return traffic needs its own allow entry. Adversaries may create permissive entries to keep an inbound path into the environment or an outbound path for exfiltration. The detection rule monitors successful creation events of ACLs or entries, flagging potential unauthorized modifications that align with persistence tactics, aiding in early threat identification.

### Possible investigation steps

- Identify the principal that made the CreateNetworkAcl or CreateNetworkAclEntry call from the CloudTrail document (aws.cloudtrail.user_identity.arn, user.name) and check whether that user or role is expected to manage network configuration.
- Check where the request came from: source.address and user_agent.original show whether the call was made from an infrastructure-as-code pipeline, the AWS CLI or the console, and whether the address is one your administrators use.
- Read the new entry from aws.cloudtrail.request_parameters. For CreateNetworkAclEntry this carries networkAclId, ruleNumber, egress, protocol, ruleAction, cidrBlock or ipv6CidrBlock and portRange. An allow entry for 0.0.0.0/0 or ::/0 with protocol -1 (all protocols and ports) is the main concern; because rules are evaluated in ascending rule-number order, a low-numbered allow entry also takes precedence over any deny entries your baseline placed after it.
- For CreateNetworkAcl, the new ACL denies all traffic until entries are added and affects no subnet until it is associated, so look for later CreateNetworkAclEntry and ReplaceNetworkAclAssociation events on the same networkAclId; ReplaceNetworkAclAssociation and ReplaceNetworkAclEntry (changing an existing entry) are not matched by this rule.
- The query already requires event.outcome:success, so the change took effect; correlate the hit with other activity by the same principal or source address around the same time (new access keys, security group or route table changes, new instances) to build the wider picture.
- Assess the impact of the new entry on the subnets the ACL is associated with, confirming it does not allow unintended inbound access or open an outbound exfiltration path.

### False positive analysis

- Routine infrastructure updates or deployments may trigger the creation of new network ACLs or entries. Establish a baseline of expected changes during scheduled maintenance windows and exclude those from alerts.
- Automated scripts or infrastructure-as-code tools such as Terraform or CloudFormation create network ACLs as part of normal operations. Identify them by the IAM role they assume (aws.cloudtrail.user_identity.arn) or their user agent (user_agent.original) and add them as rule exceptions rather than broad exclusions.
- Changes made by trusted administrators or security teams for legitimate purposes can be mistaken for suspicious activity. Log and review approved changes so they can be excluded from detection.
- Temporary ACLs created for troubleshooting or testing can generate alerts. Document and track these activities and use tags or naming conventions (tags passed to CreateNetworkAcl appear in the request parameters) so they are easy to identify and exclude.
- Third-party services or integrations that require specific network configurations might create ACLs. Review and validate these services and, if deemed safe, add them to an exception list to reduce false positives.

### Response and remediation

- Immediately review the AWS CloudTrail logs to confirm the creation of the Network ACL or entry and identify the IAM user or role responsible for the action. This helps determine if the action was authorized or potentially malicious.
- Revoke any suspicious or unauthorized IAM credentials associated with the creation of the Network ACL or entry to prevent further unauthorized access.
- Remove the entry (DeleteNetworkAclEntry) or replace it with a correctly scoped one (ReplaceNetworkAclEntry) if it is unauthorized or overly permissive. An ACL cannot be deleted while subnets are associated with it: move those subnets back to the intended ACL with ReplaceNetworkAclAssociation first, then delete it, and confirm the result matches your organization's security policies.
- Conduct a security review of the affected AWS environment to identify any other unauthorized changes or indicators of compromise, focusing on persistence mechanisms.
- Implement additional monitoring and alerting for changes to Network ACLs (ReplaceNetworkAclEntry, ReplaceNetworkAclAssociation, DeleteNetworkAclEntry) and other critical AWS resources to enhance detection of similar threats in the future.
- Escalate the incident to the security operations team or incident response team for further investigation and to determine if additional containment or remediation actions are necessary.
- Review and update IAM policies and permissions to ensure the principle of least privilege is enforced, reducing the risk of unauthorized changes to network configurations.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html",
]
risk_score = 21
rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Network Security Monitoring",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
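The rule's query and the investigation guide's check for overly permissive entries, as an added example that is not code from the Elastic rule or its repository: a Python script that applies the same four-field filter to constructed, ECS-shaped CloudTrail documents, reads the new entry out of aws.cloudtrail.request_parameters, and flags allow entries for any address, all protocols, or a rule number that pre-empts the baseline. Field names follow the Elastic AWS CloudTrail integration; the account ID, ARNs, ACL IDs, addresses and user agents are made up, and BASELINE_RULE_NUMBER and EXPECTED_ACTORS are assumptions for the example.

```python
"""Added example, not code from the Elastic rule or its repository: the rule's KQL filter and the
guide's overly-permissive-entry check run over constructed ECS-shaped CloudTrail documents (offline).
Field names follow the Elastic AWS CloudTrail integration; IDs, ARNs, IPs and the two constants are assumptions."""
import ipaddress
import json

BASELINE_RULE_NUMBER = 100  # assumed: the organisation's own NACL entries start at 100
EXPECTED_ACTORS = ("arn:aws:sts::123456789012:assumed-role/TerraformDeployRole/",)  # assumed IaC role

def field(doc, path, default=None):
    """Read a dotted ECS path such as "event.action" from a nested document."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def json_field(doc, path):
    # requestParameters/responseElements are stored as JSON strings; accept dicts too
    raw = field(doc, path, {})
    return json.loads(raw) if isinstance(raw, str) else raw

def matches_rule(doc):
    """Python rendering of the rule's KQL query."""
    return (field(doc, "event.dataset") == "aws.cloudtrail" and field(doc, "event.provider") == "ec2.amazonaws.com"
            and field(doc, "event.action") in ("CreateNetworkAcl", "CreateNetworkAclEntry")
            and field(doc, "event.outcome") == "success")

def assess_entry(params):
    """Reasons a CreateNetworkAclEntry request is overly permissive (empty list if none)."""
    findings = []
    if params.get("ruleAction") != "allow":
        return findings  # a deny entry only restricts traffic
    cidr = params.get("cidrBlock") or params.get("ipv6CidrBlock")
    if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
        findings.append("any address (%s)" % cidr)
    ports = params.get("portRange") or {}
    if str(params.get("protocol")) == "-1":
        findings.append("all protocols and ports")  # protocol -1 implies every port
    elif ports.get("from") == 0 and ports.get("to") == 65535:
        findings.append("all ports")
    if int(params.get("ruleNumber", 32767)) < BASELINE_RULE_NUMBER:  # rules are evaluated in ascending order
        findings.append("rule number %s is evaluated before the baseline" % params["ruleNumber"])
    return findings

def triage(docs, expected_actors=EXPECTED_ACTORS):
    """Apply the rule to a batch of documents and enrich each hit for the analyst."""
    alerts = []
    for doc in docs:
        if not matches_rule(doc):
            continue
        action = field(doc, "event.action")
        params = json_field(doc, "aws.cloudtrail.request_parameters")
        actor = field(doc, "aws.cloudtrail.user_identity.arn", "")
        if action == "CreateNetworkAclEntry":
            acl_id, findings = params.get("networkAclId"), assess_entry(params)
            direction = "outbound" if params.get("egress") else "inbound"
        else:
            # A new ACL denies everything until entries are added and affects no subnet until it is
            # associated; both arrive as later events that this rule's query does not match.
            acl_id = (json_field(doc, "aws.cloudtrail.response_elements").get("networkAcl") or {}).get("networkAclId")
            direction, findings = None, ["new ACL: review later CreateNetworkAclEntry and ReplaceNetworkAclAssociation events"]
        alerts.append({"action": action, "acl_id": acl_id, "direction": direction, "actor": actor,
                       "source_ip": field(doc, "source.address"), "user_agent": field(doc, "user_agent.original"),
                       "findings": findings, "expected_actor": actor.startswith(tuple(expected_actors))})
    return alerts

def needs_review(alerts):
    """Hits with findings from a principal outside the expected (IaC) set: the guide's exception logic."""
    return [a for a in alerts if a["findings"] and not a["expected_actor"]]

def _doc(action, outcome, actor, ip, ua, params, response=None):
    # minimal ECS-shaped CloudTrail document (constructed test data)
    return {"event": {"dataset": "aws.cloudtrail", "provider": "ec2.amazonaws.com", "action": action, "outcome": outcome},
            "source": {"address": ip}, "user_agent": {"original": ua},
            "aws": {"cloudtrail": {"user_identity": {"arn": actor}, "request_parameters": json.dumps(params),
                                   "response_elements": json.dumps(response or {})}}}

CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"
TERRAFORM = "arn:aws:sts::123456789012:assumed-role/TerraformDeployRole/ci-run-42"
ACL = "acl-0a1b2c3d4e5f67890"
SAMPLE_DOCS = [  # constructed; the console and Terraform user agents are stand-ins
    # console user opens all inbound traffic ahead of the baseline rules
    _doc("CreateNetworkAclEntry", "success", CONTRACTOR, "203.0.113.45", "console.ec2.amazonaws.com",
         {"networkAclId": ACL, "ruleNumber": 10, "egress": False, "protocol": "-1", "ruleAction": "allow", "cidrBlock": "0.0.0.0/0"}),
    # IaC role adds a scoped HTTPS entry at the baseline number
    _doc("CreateNetworkAclEntry", "success", TERRAFORM, "198.51.100.7", "Terraform/1.6.0",
         {"networkAclId": ACL, "ruleNumber": 100, "egress": False, "protocol": "6", "ruleAction": "allow",
          "cidrBlock": "10.0.0.0/16", "portRange": {"from": 443, "to": 443}}),
    # reusing rule number 100 is rejected by EC2, so event.outcome is failure and the rule ignores it
    _doc("CreateNetworkAclEntry", "failure", CONTRACTOR, "203.0.113.45", "console.ec2.amazonaws.com",
         {"networkAclId": ACL, "ruleNumber": 100, "egress": False, "protocol": "-1", "ruleAction": "allow", "cidrBlock": "0.0.0.0/0"}),
    # a brand-new ACL; its entries and subnet association are separate events
    _doc("CreateNetworkAcl", "success", CONTRACTOR, "203.0.113.45", "console.ec2.amazonaws.com",
         {"vpcId": "vpc-0f0e0d0c0b0a09080"}, {"networkAcl": {"networkAclId": "acl-0fedcba9876543210"}}),
    # an outbound deny entry matches the query but restricts rather than opens traffic
    _doc("CreateNetworkAclEntry", "success", TERRAFORM, "198.51.100.7", "Terraform/1.6.0",
         {"networkAclId": ACL, "ruleNumber": 50, "egress": True, "protocol": "-1", "ruleAction": "deny", "cidrBlock": "0.0.0.0/0"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_DOCS):
        print(alert["action"], alert["acl_id"], alert["direction"], alert["actor"], alert["findings"])
```

Running the file prints one line per hit: the contractor's inbound allow-all entry carries three findings, the Terraform entry and the deny entry carry none, and the failed duplicate-rule-number call never matches because the query requires event.outcome:success. needs_review() keeps only hits with findings from principals outside the expected set, which is the exception logic the false-positive section describes; a CreateNetworkAcl hit has no entry to score, so it is flagged for follow-up on the later CreateNetworkAclEntry and ReplaceNetworkAclAssociation events that this query does not cover.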
Related rules
- AWS EC2 Security Group Configuration Change
- AWS Route Table Created
- AWS Route Table Modified or Deleted
- AWS EC2 EBS Snapshot Shared or Made Public
- AWS EC2 Encryption Disabled