Detection: WAF Web ACL Disassociated from CloudFront Distribution
Overview
Detect when a Web Application Firewall (WAF) ACL was disassociated from an Amazon CloudFront distribution. Disassociating a WAF ACL removes protections against threats like SQL injection and cross-site scripting (XSS), exposing the distribution to potential attacks. Maintaining WAF ACL associations is critical to securing the CloudFront distribution and mitigating threats.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.waf_web_acl_disassociated_from_cloudfront_distributionSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.waf_web_acl_disassociated_from_cloudfront_distribution --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'resourceArn' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'wafv2.amazonaws.com' and event_name = 'DisassociateWebACL' and (request_parameters ->> 'resourceArn') like '%cloudfront::%:distribution/%' and error_code is null
order by event_time desc;