AWS WAF Access Control List Deletion

Last updated 24 days ago on 2025-12-08

Created 6 years ago on 2020-05-21

About

Identifies the deletion of an AWS Web Application Firewall (WAF) Web ACL. Web ACLs are the core enforcement objects in AWS WAF, defining which traffic is inspected, allowed, or blocked for protected applications. Deleting a Web ACL removes all associated rules, protections, and logging configurations. Adversaries who obtain sufficient privileges may delete a Web ACL to disable critical security controls, evade detection, or prepare for downstream attacks such as web-application compromise, data theft, or resource abuse. Because Web ACLs are rarely deleted outside of controlled maintenance or infrastructure updates, unexpected deletions may indicate potential defense evasion.

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS WAFUse Case: Network Security MonitoringTactic: Defense EvasionLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

↳ Impair Defenses (T1562)(external, opens in a new tab or window)

False Positive Examples

Authorized administrators may delete Web ACLs as part of planned migrations, infrastructure refactoring, or automation-driven redeployments. Ensure the deletion aligns with approved change requests, maintenance windows, or known IaC workflows. Deletions performed by unfamiliar users, unusual identities, or unexpected automation should be investigated.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-aws.cloudtrail-*
Related Integrations: aws(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗event.dataset: aws.cloudtrail 
    and event.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)
    and event.action: DeleteWebACL 
    and event.outcome: success

Install detection rules in Elastic Security

Detect AWS WAF Access Control List Deletion in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).