AWS EC2 Network Access Control List Deletion
The deletion of an Amazon EC2 network access control list (ACL) or its entries can indicate an attacker attempting to disable security controls for unauthorized access or data exfiltration.
This detection brief focuses on identifying the deletion of Amazon Elastic Compute Cloud (EC2) Network Access Control Lists (ACLs) or their ingress/egress entries. EC2 Network ACLs act as a firewall for controlling traffic to subnets. An attacker may delete these ACLs to evade defenses, enabling unauthorized access or data exfiltration. This activity is logged in AWS CloudTrail, providing an opportunity for detection. This rule specifically looks for DeleteNetworkAcl or DeleteNetworkAclEntry events with a successful outcome in CloudTrail logs. The scope of targeting is AWS environments utilizing EC2 and Network ACLs.
Attack Chain
- An attacker gains initial access to an AWS account, potentially through compromised credentials or an exploited IAM role.
- The attacker enumerates existing EC2 Network ACLs using AWS CLI or API calls to identify potential targets for disabling.
- The attacker identifies the target Network ACLs that control access to valuable resources or subnets.
- The attacker uses the
DeleteNetworkAclorDeleteNetworkAclEntryAPI calls via the AWS CLI, SDK, or Management Console to remove the identified ACLs or their specific rules. - AWS CloudTrail logs record the successful deletion of the Network ACL or ACL entry, including the user identity and source IP address.
- With the Network ACL removed, the targeted subnets are now exposed to broader network traffic, bypassing the intended security controls.
- The attacker exploits the now-unprotected subnet to gain unauthorized access to resources, systems, or data within the subnet.
- The attacker may then proceed with data exfiltration, lateral movement, or other malicious activities, leveraging the lack of network access controls.
Impact
Successful deletion of Network ACLs can lead to significant security breaches. Without ACLs, subnets are exposed to potentially malicious traffic, which could lead to unauthorized access, data breaches, or the deployment of malicious software. The number of affected subnets depends on the scope of the deleted ACLs. The impact could range from a single compromised application to a widespread network compromise.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect
DeleteNetworkAclorDeleteNetworkAclEntryevents in AWS CloudTrail logs. - Review AWS CloudTrail logs for suspicious activity around the time of detected ACL deletions, focusing on the user identity and source IP address (see the rule's investigation fields).
- Implement strict IAM policies following the principle of least privilege to restrict the ability to delete Network ACLs to authorized personnel only.
- Monitor AWS accounts for unusual activity, like creation of new IAM policies or roles that could grant excessive permissions.
- Enforce multi-factor authentication (MFA) for all AWS accounts, especially those with permissions to modify network configurations.
Detection coverage 2
AWS EC2 Network ACL Deletion Detected
mediumDetects the deletion of an AWS EC2 Network ACL or entry via CloudTrail logs.
AWS EC2 Network ACL Deletion by Unauthorized User
highDetects the deletion of an AWS EC2 Network ACL or entry by a user not in the allowed list.
Detection queries are available on the platform. Get full rules →