AWS Network Access Control List Deleted

Description

Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the CloudTrail logs to detect users deleting network ACLs.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Cloud Security, SaaS

Alert Volume

Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the CloudTrail logs to detect users deleting network ACLs.

SPL Difficulty

None

Journey

Stage 3

Kill Chain Phases

Actions On Objectives

Data Sources

AWS
Audit Trail

   Help

AWS Network Access Control List Deleted Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.

   Search

Open in Search