Skip to content

AWS WAF API Key

Service Name: AWS WAF (Web Application Firewall)

Service Description: AWS WAF is a web application firewall that helps protect web applications from common web exploits and bots that could affect application availability, compromise security, or consume excessive resources.

Service Address: https://aws.amazon.com/waf/

Validation Type: API Auth

IP Allow list: IP Restriction is available per service using AWS WAF IP match conditions, Security Groups, or Network ACLs.

Secret Access Scope: Grants programmatic access to AWS WAF configuration, rules, and web ACLs. Allows creating, updating, and deleting WAF resources.

Secret Revokement URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey_CLIAPI

Secret Example: AKIAIOSFODNN7EXAMPLE (Access Key ID) with wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY (Secret Access Key)

Suspicious Activity Investigation Instructions:

  • Review CloudTrail logs for unusual AWS WAF API calls or configuration changes
  • Check for unauthorized rule modifications or web ACL changes
  • Monitor for unexpected changes to rate-based rules or IP sets
  • Look for unusual geographic origins of API calls to WAF resources
  • Verify if there are any new or modified rules that might allow malicious traffic

Mitigation Instructions:

  • Immediately rotate the compromised AWS access keys in the IAM console
  • Create new access keys before deactivating the compromised ones
  • Update all applications and services using the old keys with the new credentials
  • Review and revert any unauthorized changes to WAF configurations
  • Enable AWS CloudTrail logging if not already enabled to monitor WAF activity
  • Implement the Principle of Least Privilege by creating IAM policies that restrict WAF permissions.
  • Consider implementing AWS Organizations Service Control Policies to limit WAF actions.
  • Enable multi-factor authentication for all users with WAF access.
  • Set up AWS Config rules to monitor for unauthorized WAF configuration changes.