
Summary
The AWS WAF Access Control List Deletion rule detects the deletion of a Web Application Firewall web ACL in an AWS environment. It fires on a successful delete action against a web ACL, which can indicate an attempt to impair defenses by removing the request filtering that protects exposed applications. The rule is built on AWS CloudTrail logs, is at production maturity, and carries a risk score of 47, which corresponds to medium severity. Investigation starts from the CloudTrail record of the delete action: identify the calling user identity, the time of the deletion, and the source IP address, and check whether the change matches an expected maintenance activity. Because AWS refuses to delete a web ACL that is still associated with a resource, a successful deletion implies the ACL had already been disassociated, so the preceding disassociation call and its caller are worth reviewing as well. False positives arise from routine maintenance or other known authorized activity; those principals or change windows should be allowlisted so they stop raising unnecessary alerts. Response measures include immediate revocation of suspect credentials, restoration of the deleted web ACL and its resource associations, and tightening IAM policies so that only the roles that genuinely need the delete permission hold it.
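As an added worked example (this is not the rule's own query, which is written for the Elastic stack), the following Python runs the detection condition and the triage extraction described above over a handful of CloudTrail records. The event sources and the DeleteWebACL API name are real AWS WAF values; the records, account ID, principals, IP addresses and the allowlist are constructed for this example.

```python
"""Detection logic and triage for successful AWS WAF web ACL deletions.

Added worked example; this is not the rule's own query. It assumes the
CloudTrail JSON record layout (eventSource, eventName, errorCode,
userIdentity, eventTime, sourceIPAddress, requestParameters). The API
names are real AWS WAF values; the sample records below are constructed.
"""
import json

# Real AWS WAF event sources and the API call the rule keys on.
WAF_EVENT_SOURCES = {"waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"}
DELETE_WEB_ACL = "DeleteWebACL"

# Principals whose deletions are known-authorized (change management).
# Constructed for this example; populate from your own allowlist.
ALLOWED_PRINCIPALS = {
    "arn:aws:sts::123456789012:assumed-role/WafChangeMgmt/pipeline",
}


def is_successful_web_acl_delete(rec: dict) -> bool:
    """Match a DeleteWebACL call that succeeded.

    CloudTrail sets errorCode only on failures (e.g. AccessDenied), so the
    absence of errorCode is the success condition.
    """
    return (
        rec.get("eventSource") in WAF_EVENT_SOURCES
        and rec.get("eventName") == DELETE_WEB_ACL
        and "errorCode" not in rec
    )


def triage_fields(rec: dict) -> dict:
    """Extract the fields the investigation steps call for."""
    ident = rec.get("userIdentity", {})
    params = rec.get("requestParameters") or {}
    return {
        "who": ident.get("arn", ident.get("type", "unknown")),
        "when": rec.get("eventTime"),
        "source_ip": rec.get("sourceIPAddress"),
        "region": rec.get("awsRegion"),
        # WAFv2 names the ACL; classic WAF passes webACLId.
        "web_acl": params.get("name") or params.get("webACLId"),
    }


def find_alerts(records, allowed=frozenset(ALLOWED_PRINCIPALS)):
    """Return one triage dict per matching record, flagging allowlisted callers."""
    alerts = []
    for rec in records:
        if not is_successful_web_acl_delete(rec):
            continue
        fields = triage_fields(rec)
        fields["known_authorized"] = fields["who"] in allowed
        alerts.append(fields)
    return alerts


def actionable_alerts(records, allowed=frozenset(ALLOWED_PRINCIPALS)):
    """Alerts left after suppressing known-authorized principals."""
    return [a for a in find_alerts(records, allowed) if not a["known_authorized"]]


# Constructed CloudTrail records: one suspicious success, one AccessDenied
# failure, one non-delete call, one success by the allowlisted pipeline role.
SAMPLE_RECORDS = json.loads("""[
  {"eventTime": "2020-05-21T03:14:07Z", "eventSource": "wafv2.amazonaws.com",
   "eventName": "DeleteWebACL", "awsRegion": "us-east-1",
   "sourceIPAddress": "198.51.100.23",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
   "requestParameters": {"name": "prod-edge-acl", "scope": "REGIONAL", "id": "a1b2c3d4"}},
  {"eventTime": "2020-05-21T03:15:40Z", "eventSource": "wafv2.amazonaws.com",
   "eventName": "DeleteWebACL", "awsRegion": "us-east-1",
   "sourceIPAddress": "198.51.100.23", "errorCode": "AccessDenied",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
   "requestParameters": {"name": "prod-api-acl", "scope": "REGIONAL", "id": "e5f6a7b8"}},
  {"eventTime": "2020-05-21T09:00:02Z", "eventSource": "wafv2.amazonaws.com",
   "eventName": "UpdateWebACL", "awsRegion": "us-east-1",
   "sourceIPAddress": "203.0.113.8",
   "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/WafChangeMgmt/pipeline"},
   "requestParameters": {"name": "prod-edge-acl", "scope": "REGIONAL", "id": "a1b2c3d4"}},
  {"eventTime": "2020-05-21T09:05:11Z", "eventSource": "waf-regional.amazonaws.com",
   "eventName": "DeleteWebACL", "awsRegion": "us-west-2",
   "sourceIPAddress": "203.0.113.8",
   "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/WafChangeMgmt/pipeline"},
   "requestParameters": {"webACLId": "9f8e7d6c", "changeToken": "abcd-1234"}}
]""")


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_RECORDS):
        print(alert)
```

Two design choices worth noting: success is inferred from the absence of errorCode, which is how CloudTrail represents it, so a denied attempt by the same caller is excluded from this rule even though it is interesting on its own; and the allowlist tags matching alerts as known-authorized rather than discarding the record, so the audit trail of who deleted what survives even when the alert is suppressed.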
Categories
- Cloud
Data Sources
- Cloud Storage
- Network Traffic
ATT&CK Techniques
- T1562 (Impair Defenses)
- T1562.001 (Impair Defenses: Disable or Modify Tools)
Created: 2020-05-21