LoFP / legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC

Techniques

Sample rules

New Network ACL Entry Added

Description

Detects that network ACL entries have been added to a route table, which could indicate that new attack vectors have been opened up in the AWS account.

Detection logic

condition: selection
selection:
  eventName: CreateNetworkAclEntry
  eventSource: ec2.amazonaws.com
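To show how this rule and the false positive above interact in practice, here is an added Python example (not part of the LoFP page or the Sigma rule itself) that applies the selection to constructed CloudTrail records and marks entries created on an assumed allowlist of the public VPC's network ACL ids as expected; the ACL ids and records are placeholders.

```python
import json

# Sigma selection copied from the rule above: every field must match.
SELECTION = {"eventName": "CreateNetworkAclEntry", "eventSource": "ec2.amazonaws.com"}

# Assumed allowlist of network ACLs that belong to the public VPC, where new
# entries for customer and staff access are expected. Placeholder id only.
PUBLIC_VPC_ACLS = {"acl-0placeholderpublic"}


def matches_selection(event: dict) -> bool:
    """Return True when a CloudTrail record satisfies the rule's selection."""
    return all(event.get(field) == value for field, value in SELECTION.items())


def triage(event: dict) -> str:
    """Classify a matching record: 'expected' on the public VPC's ACLs, else 'review'."""
    params = event.get("requestParameters") or {}
    return "expected" if params.get("networkAclId") in PUBLIC_VPC_ACLS else "review"


def run(records: list[dict]) -> list[tuple[str, str]]:
    """Apply the rule to CloudTrail records and return (eventID, verdict) per hit."""
    return [(e.get("eventID", "?"), triage(e)) for e in records if matches_selection(e)]


# Constructed sample CloudTrail records (not real account data).
SAMPLE_RECORDS = [
    {"eventID": "1", "eventName": "CreateNetworkAclEntry", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0placeholderpublic", "ruleNumber": 110,
                           "protocol": "6", "ruleAction": "allow", "egress": False,
                           "cidrBlock": "0.0.0.0/0", "portRange": {"from": 443, "to": 443}}},
    {"eventID": "2", "eventName": "CreateNetworkAclEntry", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0placeholderprivate", "ruleNumber": 120,
                           "protocol": "-1", "ruleAction": "allow", "egress": False,
                           "cidrBlock": "0.0.0.0/0"}},
    {"eventID": "3", "eventName": "DeleteNetworkAclEntry", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0placeholderprivate", "ruleNumber": 120}},
]

if __name__ == "__main__":
    # Record 1 is the documented false positive, record 2 still needs analyst review,
    # record 3 does not match the selection at all.
    print(json.dumps(run(SAMPLE_RECORDS), indent=2))
```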