AWS WAF control list modified
Description
AlphaSOC detected changes to an Amazon Web Application Firewall (WAF) control list. AWS WAF protects web applications from common web exploits by filtering and monitoring HTTP/HTTPS traffic based on customizable rules. Modifications to these rules may alter security controls and potentially allow unwanted traffic to reach protected resources.
Impact
Unauthorized changes to WAF rules can weaken security controls and allow malicious traffic to reach protected applications. Adversaries may modify rules to permit previously blocked IP addresses, disable rate-limiting protections, or allow specific harmful request patterns. Such changes can compromise security measures like geo-blocking and input validation filters, enabling reconnaissance activities, exploitation attempts, or application-layer attacks.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review the AWS CloudTrail logs to identify the specific user, time, and source of the WAF configuration change. Compare the modified WAF configuration with your previous baseline to determine the exact changes made and assess their potential impact. If the change was unauthorized, restore the previous configuration and review IAM permissions to limit who can modify WAF settings.
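The following added example (not AlphaSOC's detection code) shows one way to triage CloudTrail records for WAF changes during that review: it counts how many of the four properties from the severity table differ from a per-principal baseline. The baseline, the IP-to-ASN table, the write-prefix filter, the sample records and the handling of four unexpected properties are assumptions made for this example.

```python
# CloudTrail event sources for WAFv2 and WAF Classic (global and regional).
WAF_SOURCES = {"wafv2.amazonaws.com", "waf.amazonaws.com", "waf-regional.amazonaws.com"}
# Assumption: these event-name prefixes mark a modification; Get*/List* calls are reads.
WRITE_PREFIXES = ("Create", "Update", "Delete", "Put")
# Severity by number of unexpected properties, as in the table above.
SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}

# Constructed baseline: what this principal normally does when changing WAF.
BASELINE = {
    "arn:aws:iam::111122223333:user/waf-admin": {
        "action": {"UpdateWebACL", "UpdateIPSet"},
        "asn": {64496},
        "user_agent": {"console.amazonaws.com"},
        "region": {"us-east-1"},
    }
}
# Constructed IP-to-ASN enrichment; CloudTrail records carry no ASN field.
ASN_BY_IP = {"198.51.100.7": 64496, "203.0.113.50": 64511}

def triage(event):
    """Return (unexpected properties, severity), or None if not a WAF change."""
    if event.get("eventSource") not in WAF_SOURCES:
        return None
    if not event.get("eventName", "").startswith(WRITE_PREFIXES):
        return None
    seen = {
        "action": event["eventName"],
        "asn": ASN_BY_IP.get(event.get("sourceIPAddress")),
        "user_agent": event.get("userAgent"),
        "region": event.get("awsRegion"),
    }
    known = BASELINE.get(event.get("userIdentity", {}).get("arn"), {})
    unexpected = sorted(k for k, v in seen.items() if v not in known.get(k, set()))
    # Assumption: the table stops at three, so four is also reported as Medium.
    return unexpected, SEVERITY[min(len(unexpected), 3)]

def _event(name, region, ip, agent):
    """Build a constructed CloudTrail-shaped record for the sample run."""
    return {"eventSource": "wafv2.amazonaws.com", "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/waf-admin"}}

SAMPLE_EVENTS = [  # constructed, not real log data
    _event("UpdateWebACL", "us-east-1", "198.51.100.7", "console.amazonaws.com"),
    _event("UpdateIPSet", "ap-southeast-2", "198.51.100.7", "console.amazonaws.com"),
    _event("DeleteIPSet", "eu-west-1", "203.0.113.50", "aws-cli/2.15.0"),
    _event("GetWebACL", "us-east-1", "198.51.100.7", "console.amazonaws.com"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], ev["awsRegion"], triage(ev))
```

A principal with no baseline entry has every property counted as unexpected, so its first WAF change is reported at the highest level the table defines.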