AWS WAF API Key
Service Name: AWS WAF (Web Application Firewall)
Service Description: AWS WAF is a web application firewall that helps protect web applications from common web exploits and bots that could affect application availability, compromise security, or consume excessive resources.
Service Address: https://aws.amazon.com/waf/
Validation Type: API Auth
IP Allow list: IP Restriction is available per service using AWS WAF IP match conditions, Security Groups, or Network ACLs.
Secret Access Scope: Grants programmatic access to AWS WAF configuration, rules, and web ACLs. Allows creating, updating, and deleting WAF resources.
Secret Revokement URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey_CLIAPI
Secret Example: AKIAIOSFODNN7EXAMPLE (Access Key ID) with wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY (Secret Access Key)
Suspicious Activity Investigation Instructions:
- Review CloudTrail logs for unusual AWS WAF API calls or configuration changes
- Check for unauthorized rule modifications or web ACL changes
- Monitor for unexpected changes to rate-based rules or IP sets
- Look for unusual geographic origins of API calls to WAF resources
- Verify if there are any new or modified rules that might allow malicious traffic
Mitigation Instructions:
- Immediately rotate the compromised AWS access keys in the IAM console
- Create new access keys before deactivating the compromised ones
- Update all applications and services using the old keys with the new credentials
- Review and revert any unauthorized changes to WAF configurations
- Enable AWS CloudTrail logging if not already enabled to monitor WAF activity
- Implement the Principle of Least Privilege by creating IAM policies that restrict WAF permissions.
- Consider implementing AWS Organizations Service Control Policies to limit WAF actions.
- Enable multi-factor authentication for all users with WAF access.
- Set up AWS Config rules to monitor for unauthorized WAF configuration changes.