Threat Feed
medium advisory

AWS Network Access Control List Deletion Detected

Detection of AWS network ACL entry deletion (the EC2 DeleteNetworkAclEntry API call) in AWS CloudTrail logs. Removing a deny rule from a network ACL strips an access restriction from every subnet the ACL is associated with, potentially allowing unauthorized access to cloud instances and leading to data exfiltration or further compromise.

This detection identifies the deletion of entries (rules) from AWS Network Access Control Lists (ACLs) within an Amazon Web Services (AWS) environment. The activity is recorded by AWS CloudTrail; one rule queries CloudTrail directly and a second queries the same events through Amazon Security Lake (ASL). A network ACL is a stateless, subnet-level rule set evaluated in rule-number order and ending in an implicit deny-all, so deleting a deny entry can effectively remove network segmentation and open instances in the associated subnets to unauthorized access, while deleting an allow entry cuts traffic off instead. This analytic focuses on successful DeleteNetworkAclEntry operations, that is, events that carry no errorCode; it does not cover DeleteNetworkAcl, which removes an entire ACL and is refused while the ACL is still associated with a subnet. Defenders should investigate any unexpected or unauthorized deletions and validate that network security controls remain effective.

Attack Chain

  1. An attacker gains initial access to an AWS account through compromised credentials or other means.
  2. The attacker authenticates to the AWS environment and assumes a role with permission to call ec2:DeleteNetworkAclEntry (often granted incidentally through a broad policy such as ec2:* rather than deliberately).
  3. The attacker uses the AWS API or CLI (for example DescribeNetworkAcls) to identify the target network ACL and the rule numbers of its deny entries.
  4. The attacker issues a DeleteNetworkAclEntry API call specifying the networkAclId, ruleNumber and egress flag of the entry to remove.
  5. AWS CloudTrail records the DeleteNetworkAclEntry event with eventSource ec2.amazonaws.com; success is indicated by the absence of an errorCode field, since CloudTrail has no explicit status field.
  6. The attacker repeats steps 3-5 to remove additional ACL entries as needed.
  7. If the removed entries were deny rules, traffic they blocked now falls through to the broader allow rules below them, creating new network access paths to resources in the associated subnets. (Removing allow rules has the opposite effect and causes an outage rather than exposure.)
  8. The attacker exploits the newly opened access to compromise cloud instances, exfiltrate data, or establish persistence.

Impact

Successful deletion of network ACL entries can significantly weaken an AWS environment's security posture. If an attacker deletes critical deny entries, they can bypass existing network security controls, leading to unauthorized access to sensitive resources. This can result in data exfiltration, system compromise, and potential disruption of services; deleting allow entries instead blocks legitimate traffic and can itself be used as a denial of service. The impact depends on the scope of the deleted entries and on the subnets and resources the ACL protected.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect AWS network ACL entry deletions, matching the DeleteNetworkAclEntry operation from eventSource ec2.amazonaws.com without an errorCode.
  • Investigate any detected deletion by correlating with other security events and user activity: check the calling principal (userIdentity), sourceIPAddress and userAgent, look up the ruleNumber and egress flag from the event's requestParameters against earlier CreateNetworkAclEntry events or the ACL's current state (aws ec2 describe-network-acls) to learn whether an allow or a deny rule was removed, and confirm the change against a ticket or deployment record before closing it.
  • Review and validate AWS IAM policies so that least privilege is enforced, minimizing the users and roles that can call ec2:DeleteNetworkAclEntry, ec2:DeleteNetworkAcl and the other network ACL mutation actions; a service control policy can restrict these to dedicated network-administration roles.
  • Enable Amazon Security Lake and configure it to collect AWS CloudTrail management events to provide comprehensive visibility into AWS API activity.
  • Monitor AWS CloudTrail for related changes to network security configuration, such as ReplaceNetworkAclEntry, ReplaceNetworkAclAssociation (moving a subnet to a more permissive ACL), DeleteNetworkAcl, and modifications to security groups and route tables.

Detection coverage (2 rules)

Detect AWS Network ACL Entry Deletion via CloudTrail

medium

Detects the deletion of AWS Network ACL entries using AWS CloudTrail logs. This activity is significant as it can weaken network security controls.

Format: Sigma. Tactics: defense_evasion. Techniques: T1562.007 (Impair Defenses: Disable or Modify Cloud Firewall). Sources: cloudtrail, aws

Detect AWS Network ACL Activity via ASL

medium

Detects deletion of AWS Network ACL entries by matching the DeleteNetworkAclEntry API operation in CloudTrail data ingested into Amazon Security Lake.

Format: Sigma. Tactics: defense_evasion. Techniques: T1562.007 (Impair Defenses: Disable or Modify Cloud Firewall). Sources: cloudtrail, aws

Detection queries are kept inside the platform.