Skip to content

DeleteWebACL

AWS

DeleteWebACL

service: AWS - WAFV2
techniques:

Event

Permanently deletes a WAF Web ACL used to protect web applications from common web threats.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.

Log Source

CloudTrail

Sample Event

Adversarial. Draco deletes the BILLYWIG public-edge Web ACL billywig-public-webacl. Without it associated to the ALB, the ALB falls back to no L7 protection, and his subsequent traffic isn’t filtered. T1685. Often the next step is DisassociateWebACL first, then DeleteWebACL — but the API permits direct delete if no association exists.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:11:55Z",
"eventSource": "wafv2.amazonaws.com",
"eventName": "DeleteWebACL",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"name": "billywig-public-webacl",
"scope": "REGIONAL",
"id": "60000000-0000-4000-8000-000100001100",
"lockToken": "b2c3d4e5-6789-01ab-cdef-2345678901bc"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000100001010",
"eventID": "90000000-0000-4000-8000-000100001011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "wafv2.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...