Unexpected AWS API calls indicating WAF disassociation
Description
AlphaSOC detected that an AWS Web Application Firewall (WAF) was removed or detached from a resource. Because AWS WAF is the security layer that filters common web exploits before they reach an application, removing it can expose the protected web applications to a range of threats and attacks. The removal may indicate an attempt to bypass security controls, potentially as one step in a larger attack.
Impact
Removing or detaching an AWS WAF weakens the security posture of the web applications it protected. Without this layer, those applications are exposed to the attacks the WAF was filtering, which could lead to data breaches, service disruption, or unauthorized access to sensitive information.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Investigate the circumstances of the WAF removal or detachment, including the identity that performed it. Review AWS CloudTrail logs to identify the specific API calls made and the identity, user agent and region behind them. If the removal or detachment was unauthorized, immediately reattach or reconfigure the WAF. Then conduct a thorough security assessment of the affected resources to confirm they were not compromised while unprotected.
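As an added example (not AlphaSOC's own code), the check below runs over constructed CloudTrail records: it picks out the DisassociateWebACL calls that detach a web ACL and rates each one with the severity ladder from the table above, counting how many of the action, ASN, user agent and region fall outside a baseline. The baseline, the prefix-to-ASN table, the principals and the sample records are assumptions constructed for the example.

```python
import ipaddress

# (eventSource, eventName) pairs that detach a web ACL (wafv2 and waf-regional).
WAF_DETACH_EVENTS = {("wafv2.amazonaws.com", "DisassociateWebACL"),
                     ("waf-regional.amazonaws.com", "DisassociateWebACL")}
ADMIN = "arn:aws:iam::123456789012:user/waf-admin"  # constructed principal
# Constructed baseline; a real deployment learns it from historical CloudTrail.
BASELINE = {"actions": {(ADMIN, "DisassociateWebACL")},
            "asns": {64500},  # hypothetical ASN of the corporate egress
            "user_agents": {"console.amazonaws.com"},
            "regions": {"us-east-1"}}
# Constructed prefix -> ASN table standing in for a GeoIP/ASN database.
ASN_TABLE = [(ipaddress.ip_network("203.0.113.0/24"), 64500)]
# Ladder from the severity table; four is capped at Medium (assumption).
LADDER = {1: "Informational", 2: "Low", 3: "Medium"}


def asn_for(ip):
    """Map a source IP to an ASN via the constructed table (None if unknown)."""
    return next((asn for net, asn in ASN_TABLE if ipaddress.ip_address(ip) in net), None)


def assess(event):
    """None unless the event detaches a web ACL; else unexpected properties + severity."""
    if (event["eventSource"], event["eventName"]) not in WAF_DETACH_EVENTS:
        return None
    principal = event["userIdentity"]["arn"]
    checks = {"action": (principal, event["eventName"]) in BASELINE["actions"],
              "asn": asn_for(event["sourceIPAddress"]) in BASELINE["asns"],
              "user_agent": event["userAgent"] in BASELINE["user_agents"],
              "region": event["awsRegion"] in BASELINE["regions"]}
    unexpected = [name for name, ok in checks.items() if not ok]
    return {"principal": principal,
            "resource": event["requestParameters"]["resourceArn"],
            "unexpected": unexpected,
            "severity": LADDER.get(min(len(unexpected), 3))}  # None if all expected


def make_event(arn, ip, agent, region, source="wafv2.amazonaws.com"):
    """Constructed CloudTrail record carrying only the fields assess() reads."""
    resource = f"arn:aws:elasticloadbalancing:{region}:123456789012:loadbalancer/app/web/1"
    return {"eventSource": source, "eventName": "DisassociateWebACL",
            "awsRegion": region, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"arn": arn}, "requestParameters": {"resourceArn": resource}}


if __name__ == "__main__":
    # Routine admin change versus an unknown identity, network, tool and region.
    print(assess(make_event(ADMIN, "203.0.113.10", "console.amazonaws.com", "us-east-1")))
    print(assess(make_event("arn:aws:iam::123456789012:user/contractor",
                            "198.51.100.7", "aws-cli/2.15.0", "eu-west-3")))
```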