🚀Launch Week 09, June 30th - July 4th, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-aws-cloudtrail-log-detections
Overview
4Dashboards
86Benchmarks
96Queries
1Variables
GitHub

Detection: WAF Web ACL Disassociated from CloudFront Distribution

Overview

Detect when a Web Application Firewall (WAF) ACL was disassociated from an Amazon CloudFront distribution. Disassociating a WAF ACL removes protections against threats like SQL injection and cross-site scripting (XSS), exposing the distribution to potential attacks. Maintaining WAF ACL associations is critical to securing the CloudFront distribution and mitigating threats.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_cloudtrail_log_detections.detection.waf_web_acl_disassociated_from_cloudfront_distribution

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.waf_web_acl_disassociated_from_cloudfront_distribution --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  string_split(event_source, '.') [ 1 ] || ':' || event_name as operation,
  request_parameters ->> 'resourceArn' as resource,
  user_identity.arn as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  aws_region as region,
  tp_id as source_id,
  *
from
  aws_cloudtrail_log
where
  event_source = 'wafv2.amazonaws.com'
  and event_name = 'DisassociateWebACL'
  and (request_parameters ->> 'resourceArn') like '%cloudfront::%:distribution/%'
  and error_code is null
order by
  event_time desc;

Tags

category = Detections
folder = WAF
mitre_attack_ids = TA0005:T1562.001
plugin = aws
service = AWS/WAF