AWS Network Access Control List created or modified

cloudtrail

Classification:

compliance

Tactic:

Technique:

Framework:

cis-aws

Control:

4.11

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an AWS Network Access Control List (NACL) has been created, deleted or modified.

Strategy

This rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:

Triage and response

  1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.
  2. Contact the user and see if this API call was made by the user.
  3. If the API call was not made by the user:
    • Rotate the user credentials and investigate what other API calls.
    • Determine what other API calls the user made which were not made by the user.

Changelog

5 April 2022 - Updated Rule queries, cases and signal message.