AWS WAF Rule or Rule Group Deletion
Detection of AWS WAF rule or rule group deletions, which can weaken web application security and expose applications to various attacks.
This threat brief focuses on the deletion of AWS Web Application Firewall (WAF) rules or rule groups. AWS WAF rules and rule groups are essential for protecting web applications by filtering malicious HTTP requests, blocking known attack patterns, and enforcing access controls. The deletion of these rules, even temporarily, can expose applications to significant risks, including SQL injection, cross-site scripting, and credential stuffing. Threat actors with sufficient permissions may remove WAF protections as part of a defense evasion or impact strategy, with the goal of data theft or application compromise. The focus is on detecting successful DeleteRule or DeleteRuleGroup API calls within CloudTrail logs.
Attack Chain
- Initial Access: The attacker gains access to an AWS account with sufficient permissions to modify WAF configurations. This could be achieved through compromised credentials or an IAM role with excessive privileges.
- Privilege Escalation (Optional): If the initial access lacks the necessary permissions, the attacker may attempt to escalate privileges within the AWS environment, potentially exploiting misconfigured IAM policies.
- Discovery: The attacker enumerates existing WAF rules and rule groups within the targeted AWS account, identifying the rules that provide key protections for web applications.
- Defense Evasion: The attacker deletes a WAF rule or rule group using the
DeleteRuleorDeleteRuleGroupAPI call, effectively disabling the protections it provided. - Exploitation: With the WAF rule removed, the attacker exploits vulnerabilities in the web application that were previously protected by the rule. This could involve SQL injection, cross-site scripting, or other attack vectors.
- Data Exfiltration (Optional): If the exploitation is successful, the attacker may exfiltrate sensitive data from the compromised web application or its backend systems.
- Impact: The attacker achieves their objective, which could include data theft, application compromise, or denial of service.
Impact
Successful deletion of WAF rules can have significant consequences, potentially affecting numerous web applications and their users. The number of affected applications and users depends on the scope of the deleted rules and the criticality of the protected applications. If an attack succeeds, organizations may experience data breaches, financial losses, reputational damage, and regulatory fines.
Recommendation
- Enable AWS CloudTrail logging and monitor for
DeleteRuleandDeleteRuleGroupAPI calls to detect WAF rule deletions (reference: query in the source). - Implement the Sigma rule
AWS WAF Rule Deletionto identify suspicious WAF rule deletion activity (reference: Sigma rule below). - Implement the Sigma rule
AWS WAF Rule Group Deletionto identify suspicious WAF rule group deletion activity (reference: Sigma rule below). - Review IAM policies to ensure that only authorized users and roles have permissions to modify WAF configurations.
- Implement multi-factor authentication (MFA) for all AWS accounts, especially those with privileged access.
Detection coverage 2
AWS WAF Rule Deletion
mediumDetects deletion of AWS WAF Rules via CloudTrail logs.
AWS WAF Rule Group Deletion
mediumDetects deletion of AWS WAF Rule Groups via CloudTrail logs.
Detection queries are available on the platform. Get full rules →