AWS WAF enumeration
Description
AlphaSOC detected systematic enumeration of AWS Web Application Firewall (WAF) resources through API actions. This activity involves attempts to systematically gather information about WAF configurations, rule groups, web ACLs, and associated resources within the AWS account. Adversaries can query WAF settings to understand web application security controls, rule sets, and filtering mechanisms protecting AWS resources.
Impact
WAF enumeration can enable threat actors to identify security rule configurations, IP reputation lists, and rate-limiting settings. This information aids adversaries in developing evasion techniques, bypassing web application protection measures, and planning targeted attacks against protected resources.
Severity
| Severity | Condition |
|---|---|
| Low | AWS WAF enumeration |
Investigation and Remediation
Examine CloudTrail logs to identify WAF-specific API calls along with source IP addresses, user agents, and IAM principals. Analyze the sequence and frequency of enumeration attempts to assess potential compromise. Implement least-privilege IAM policies restricting WAF resource access. Enable AWS Shield Advanced for DDoS protection monitoring and configure CloudWatch alarms for suspicious WAF API activity patterns.
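One way to run the CloudTrail triage described above, as an added example that is not AlphaSOC's own detection logic: it parses constructed CloudTrail records (the field names are real CloudTrail fields; the principal, IPs and timestamps are made up), keeps read-only WAF API calls, groups them by IAM principal, source IP and user agent, and flags any actor that issues several distinct WAF read actions inside a short window. The window length and action threshold are assumed starting values to tune.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed CloudTrail records for illustration (not real data). eventTime,
# eventSource, eventName, sourceIPAddress, userAgent and userIdentity.arn are
# real CloudTrail fields; the account, principal, IPs and times are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:%02dZ" % (i * 5), "eventSource": "wafv2.amazonaws.com",
     "eventName": name, "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"}}
    for i, name in enumerate(["ListWebACLs", "GetWebACL", "ListRuleGroups",
                              "GetRuleGroup", "ListIPSets", "GetIPSet"])
] + [
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "ListWebACLs", "sourceIPAddress": "198.51.100.7",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops-role"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops-role"}},
]})

# Event sources for WAF Classic, WAF Classic regional and WAFv2.
WAF_SOURCES = {"waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"}
READ_PREFIXES = ("List", "Get", "Describe")  # read-only, i.e. enumeration, actions

def is_waf_read(rec):
    return rec.get("eventSource") in WAF_SOURCES and rec.get("eventName", "").startswith(READ_PREFIXES)

def find_waf_enumeration(trail_json, window_seconds=600, min_distinct=4):
    """Return {(principal ARN, source IP, user agent): [distinct WAF read actions]}
    for every actor that issued >= min_distinct distinct actions within window_seconds."""
    by_actor = defaultdict(list)
    for rec in json.loads(trail_json)["Records"]:
        if not is_waf_read(rec):
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        key = (rec["userIdentity"]["arn"], rec["sourceIPAddress"], rec["userAgent"])
        by_actor[key].append((ts, rec["eventName"]))
    findings = {}
    for key, events in by_actor.items():
        events.sort()  # chronological order so each event can open a window
        for i, (start, _) in enumerate(events):
            in_window = [n for t, n in events[i:] if (t - start).total_seconds() <= window_seconds]
            if len(set(in_window)) >= min_distinct:
                findings[key] = sorted(set(in_window))
                break
    return findings
```

A single ListWebACLs from the console operator is not flagged, while the CLI principal walking web ACLs, rule groups and IP sets within seconds is.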