Unexpected AWS API calls indicating WAF disassociation

ID: aws_waf_disassociation_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1562.007

Description

AlphaSOC detected that an AWS Web Application Firewall (WAF) was removed or detached from a resource. This action could potentially expose web applications to various threats and attacks as AWS WAF is a security layer that helps protect web applications from common exploits. Its removal may indicate an attempt to bypass security controls, potentially as part of a larger attack strategy.

Impact

Removing or detaching an AWS WAF can reduce the security posture of web applications. Without this protective layer, applications can become vulnerable to various attacks. This could lead to data breaches, service disruptions, or unauthorized access to sensitive information.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Investigate the circumstances surrounding the WAF removal or detachment, including the user behind it. Review AWS CloudTrail logs to identify the specific API calls made. If the removal or detachment was unauthorized, immediately reattach or reconfigure the WAF. Conduct a thorough security assessment of the affected resources to ensure no compromise occurred.
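The detection and scoring described above, as an added example that is not AlphaSOC's own code: it scans CloudTrail records for the DisassociateWebACL call (WAFv2 and WAF Classic regional), counts how many of the four properties (action, ASN, user agent, region) fall outside a baseline of expected values, and maps that count to the severity bands in the table (three or more unexpected properties map to Medium). CloudTrail records carry no ASN, so the example assumes a hypothetical enrichment field named srcAsn; the baseline values and the trail records are constructed for the example.

```python
"""Triage WAF disassociation events in AWS CloudTrail against a baseline.

Added example, not AlphaSOC's detection code. Assumes native CloudTrail
record shape plus a hypothetical "srcAsn" enrichment field (CloudTrail
itself does not record the source ASN).
"""
import json

# API calls that detach a Web ACL from a resource (WAFv2 and WAF Classic regional).
WAF_DISASSOCIATION_EVENTS = {
    ("wafv2.amazonaws.com", "DisassociateWebACL"),
    ("waf-regional.amazonaws.com", "DisassociateWebACL"),
}

# Severity bands from the rule's table; three or more unexpected properties cap at Medium.
SEVERITY_BANDS = {1: "Informational", 2: "Low", 3: "Medium"}


def is_waf_disassociation(record):
    """True when the record is a Web ACL disassociation call."""
    return (record.get("eventSource"), record.get("eventName")) in WAF_DISASSOCIATION_EVENTS


def unexpected_properties(record, baseline):
    """Return the names of the properties whose observed value is not in the baseline."""
    observed = {
        "action": record.get("eventName"),
        "asn": record.get("srcAsn"),          # hypothetical enrichment field, not native CloudTrail
        "user_agent": record.get("userAgent"),
        "region": record.get("awsRegion"),
    }
    return [name for name, value in observed.items() if value not in baseline[name]]


def severity_for(n_unexpected):
    """Map the number of unexpected properties to the rule's severity band."""
    if n_unexpected == 0:
        return None
    return SEVERITY_BANDS[min(n_unexpected, 3)]


def triage(records, baseline):
    """Produce one alert per WAF disassociation record, with the context an analyst needs."""
    alerts = []
    for rec in records:
        if not is_waf_disassociation(rec):
            continue
        unexpected = unexpected_properties(rec, baseline)
        alerts.append({
            "eventTime": rec.get("eventTime"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "resource": rec.get("requestParameters", {}).get("resourceArn"),
            "sourceIp": rec.get("sourceIPAddress"),
            "unexpected": unexpected,
            "severity": severity_for(len(unexpected)),
        })
    return alerts


# Constructed baseline: what this account normally looks like for WAF API activity.
SAMPLE_BASELINE = {
    "action": {"AssociateWebACL", "GetWebACL", "ListWebACLs"},
    "asn": {16509},
    "user_agent": {"aws-cli/2.15.0 Python/3.11.6 Linux/6.5"},
    "region": {"us-east-1"},
}

# Constructed CloudTrail log file (the "Records" wrapper is CloudTrail's native layout).
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "wafv2.amazonaws.com",
  "eventName": "AssociateWebACL", "awsRegion": "us-east-1", "srcAsn": 16509,
  "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"resourceArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/abc"}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "wafv2.amazonaws.com",
  "eventName": "DisassociateWebACL", "awsRegion": "us-east-1", "srcAsn": 16509,
  "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"resourceArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/abc"}},
 {"eventTime": "2024-05-01T23:41:00Z", "eventSource": "waf-regional.amazonaws.com",
  "eventName": "DisassociateWebACL", "awsRegion": "eu-west-3", "srcAsn": 64512,
  "userAgent": "python-requests/2.31.0", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"resourceArn": "arn:aws:apigateway:eu-west-3::/restapis/xyz/stages/prod"}}
]}""")["Records"]


if __name__ == "__main__":
    for alert in triage(SAMPLE_TRAIL, SAMPLE_BASELINE):
        print(json.dumps(alert, indent=2))
```

The first disassociation comes from the usual operator, region, ASN and tooling, so only the action itself is unexpected and it lands at Informational; the second differs on all four properties and lands at Medium. Either way the alert carries the principal, source IP and resource ARN, which is what the investigation step above needs before deciding whether to reattach the Web ACL.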