VPC Network Firewall Rule Changed
Lacework raises this alert when it detects that a firewall rule attached to a Virtual Private Cloud (VPC) network was created, updated, or deleted. The change may have been made by a human user or by a service account acting on their behalf or through automation.
Related policy: LW_AT_VPC_48: VPC Network Firewall Rule Changed
Why this alert is important
A firewall rule controls which traffic is allowed into or out of a VPC network. Rules allow or deny traffic based on criteria such as source or destination IP ranges, protocol, port, and direction, and they are evaluated in priority order, so a single new or widened rule can override the protection provided by the rest of the rule set.
Changes to firewall rules can significantly impact both the security and the availability of a VPC network. A malicious actor could modify a rule to expose a management port such as SSH or RDP to the whole internet, or a misconfigured rule could block legitimate traffic and disrupt application functionality.
Investigation
Follow these steps to investigate the alert:
- Check the Audit Logs for the firewall rule change: who made it (user or service account), from which source IP, when, which API method was called (create, update/patch, or delete), and the request body that describes the new or modified rule.
- Review the current state of the firewall rules to identify any unauthorized or suspicious changes. Look for rules that did not exist before, for rules whose source ranges now cover 0.0.0.0/0 or other broad ranges, and for widened port or protocol lists; also review deletions, since removing a deny rule or a restrictive rule can open traffic just as effectively as adding a permissive one.
- Determine which resources may have been affected by the change, such as the instances the rule's targets match or load balancers in the network. List the affected resources and prioritize them based on their criticality and sensitivity.
- Determine whether any sensitive data or resources were exposed or compromised due to the change, for example by checking flow logs or host telemetry for connections that the previous rule set would have blocked.
- Determine the incident's root cause by reviewing the Audit Logs and any other relevant data. Consider who made the change, whether they were authorized to make it, and whether it corresponds to an approved change request or deployment.
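The steps above can be scripted. The following is an added example, not Lacework code or output from the Lacework product, that triages a handful of constructed audit log entries for firewall rule changes and extracts the who, when, and what, then labels each change by risk. It assumes the platform is Google Cloud (the page's wording matches Google Cloud VPC firewall rules) and that the entries follow the Cloud Audit Log protoPayload layout for compute.firewalls insert, patch, update, and delete calls; the project, rule names, principals, and IP addresses are invented. The sensitive port list is a judgement call a practitioner would tune to their environment.

```python
"""Triage constructed GCP Cloud Audit Log entries for VPC firewall rule changes.

Added example for this page; not Lacework code. The entries in SAMPLE_LOG are
constructed, shaped like Cloud Audit Log records for compute.firewalls changes.
"""
import json
from ipaddress import ip_network

# Audit-log method names that mean a firewall rule was created, changed or removed.
FIREWALL_METHODS = {
    "v1.compute.firewalls.insert": "create",
    "v1.compute.firewalls.patch": "update",
    "v1.compute.firewalls.update": "update",
    "v1.compute.firewalls.delete": "delete",
}

# Ports that should almost never be reachable from the whole internet (assumed list).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}

# Constructed sample entries (not real logs); project, principals and IPs are invented.
SAMPLE_LOG = [
    {  # a new rule opening SSH to the world
        "timestamp": "2024-05-01T10:15:02Z",
        "protoPayload": {
            "methodName": "v1.compute.firewalls.insert",
            "authenticationInfo": {"principalEmail": "contractor@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.7"},
            "resourceName": "projects/demo-proj/global/firewalls/allow-ssh-any",
            "request": {
                "name": "allow-ssh-any",
                "direction": "INGRESS",
                "sourceRanges": ["0.0.0.0/0"],
                "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
            },
        },
    },
    {  # a patch adding a database port and a wide port range to an internal rule
        "timestamp": "2024-05-01T10:20:45Z",
        "protoPayload": {
            "methodName": "v1.compute.firewalls.patch",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.4"},
            "resourceName": "projects/demo-proj/global/firewalls/internal-db",
            "request": {
                "sourceRanges": ["10.0.0.0/8"],
                "allowed": [{"IPProtocol": "tcp", "ports": ["3306", "8000-9000"]}],
            },
        },
    },
    {  # a deletion: the log carries no rule body, so the old rule must come from history
        "timestamp": "2024-05-01T11:02:10Z",
        "protoPayload": {
            "methodName": "v1.compute.firewalls.delete",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.4"},
            "resourceName": "projects/demo-proj/global/firewalls/deny-all-ingress",
        },
    },
    {  # unrelated Compute API call; must be ignored by the triage
        "timestamp": "2024-05-01T11:05:00Z",
        "protoPayload": {
            "methodName": "v1.compute.instances.start",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/demo-proj/zones/us-central1-a/instances/web-1",
        },
    },
]


def expand_ports(allowed):
    """Flatten an `allowed` list into the set of TCP/UDP ports it grants.
    A tcp/udp entry without `ports` grants every port for that protocol."""
    ports = set()
    for entry in allowed or []:
        if entry.get("IPProtocol") not in ("tcp", "udp"):
            continue
        if not entry.get("ports"):
            return set(range(0, 65536))
        for p in entry["ports"]:
            lo, _, hi = p.partition("-")  # "8000-9000" is an inclusive range
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def is_world_reachable(source_ranges):
    """True if any source range covers the whole address space (0.0.0.0/0 or ::/0)."""
    return any(ip_network(r, strict=False).prefixlen == 0 for r in source_ranges or [])


def triage(entries):
    """Return one finding per firewall change: who, when, from where, what, and a risk label.
    A patch request only carries the fields that changed, so a missing
    sourceRanges here means 'unchanged', not 'none'."""
    findings = []
    for e in entries:
        payload = e.get("protoPayload", {})
        action = FIREWALL_METHODS.get(payload.get("methodName"))
        if action is None:
            continue  # not a firewall rule change
        req = payload.get("request", {})
        exposed = expand_ports(req.get("allowed")) & SENSITIVE_PORTS
        world = is_world_reachable(req.get("sourceRanges"))
        if action == "delete":
            risk = "review"  # cannot judge without the deleted rule's body
        elif world and exposed:
            risk = "high"
        elif world or exposed:
            risk = "medium"
        else:
            risk = "low"
        findings.append({
            "when": e.get("timestamp"),
            "who": payload.get("authenticationInfo", {}).get("principalEmail"),
            "from_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "action": action,
            "rule": payload.get("resourceName", "").rsplit("/", 1)[-1],
            "world_reachable": world,
            "sensitive_ports": sorted(exposed),
            "risk": risk,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against a real export (for example a JSON dump of audit log entries filtered on the compute.firewalls methods), the same function gives a per-change record that answers the first and second investigation steps and a starting point for the third.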
Resolution
If you discover an unauthorized change in the VPC network firewall rule, take the following steps to resolve the issue:
- Immediately remove any unauthorized firewall rules, and revert any rules that were widened, to prevent further unauthorized access to your resources. Export or record the rule definitions before you delete or change them so the evidence is preserved for the investigation.
- If you have a backup of your firewall rules, or they are defined in infrastructure as code, revert to that known good state. Compare the current rules against the baseline so that every added, modified, and deleted rule is accounted for, not only the one that triggered the alert.
- Review your security controls to identify areas where you can improve your security posture. This may include restricting the ability to modify firewall rules to a small set of roles and principals, requiring multi-factor authentication for those principals, and routing rule changes through a reviewed change process.
- Ensure that your team is aware of the incident and the steps that need to be taken to prevent future incidents. This may include providing additional training on security best practices, such as credential management and access control.
- Implement monitoring that detects and alerts you to any future unauthorized changes to your firewall rules, and periodically diff the live rules against the approved baseline. This will help you detect and respond to any future incidents promptly.
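As an added example for the revert and baseline-drift steps above (this is not Lacework code and not a Lacework feature), the following script compares a saved known-good rule set with the current one and generates the commands that would move the current state back to the baseline. It assumes Google Cloud, and that both rule sets are shaped like the JSON output of `gcloud compute firewall-rules list --format=json`; only the fields the script compares are modelled, and the rule names, network, and project are invented. The generated commands are a plan to review, not something to run blindly: network and direction cannot be changed on an existing rule, so those cases are reported for delete-and-recreate instead.

```python
"""Diff the live VPC firewall rules against a known-good baseline and plan a revert.

Added example for this page; not Lacework code. BASELINE and CURRENT are
constructed, shaped like `gcloud compute firewall-rules list --format=json`.
"""
import json

# Fields compared; volatile fields such as creationTimestamp, id and selfLink are ignored.
COMPARED = ("network", "direction", "priority", "sourceRanges", "allowed", "targetTags", "disabled")
# Rule properties that `gcloud compute firewall-rules update` can set in place.
UPDATE_FLAGS = {"sourceRanges": "--source-ranges", "targetTags": "--target-tags", "priority": "--priority"}

# Constructed known-good baseline (invented names, network and ranges).
BASELINE = [
    {"name": "allow-ssh-bastion", "network": "prod-vpc", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["198.51.100.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["bastion"], "disabled": False},
    {"name": "allow-https", "network": "prod-vpc", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "targetTags": ["web"], "disabled": False},
]

# Constructed current state: the bastion rule was opened to the world,
# an RDP rule was added, and the https rule was deleted.
CURRENT = [
    {"name": "allow-ssh-bastion", "network": "prod-vpc", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["bastion"], "disabled": False},
    {"name": "allow-rdp-any", "network": "prod-vpc", "direction": "INGRESS",
     "priority": 900, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}], "targetTags": [], "disabled": False},
]


def _canon(value):
    """Order-insensitive form of a field so list reordering is not reported as drift."""
    if isinstance(value, list):
        return sorted(json.dumps(v, sort_keys=True) for v in value)
    return json.dumps(value, sort_keys=True)


def diff_rules(baseline, current):
    """Return added and removed rule names plus per-field (old, new) deltas for changed rules."""
    base = {r["name"]: r for r in baseline}
    cur = {r["name"]: r for r in current}
    changed = {}
    for name in sorted(base.keys() & cur.keys()):
        deltas = {f: (base[name].get(f), cur[name].get(f))
                  for f in COMPARED if _canon(base[name].get(f)) != _canon(cur[name].get(f))}
        if deltas:
            changed[name] = deltas
    return {"added": sorted(cur.keys() - base.keys()),
            "removed": sorted(base.keys() - cur.keys()),
            "changed": changed}


def allow_flag(allowed):
    """Render an `allowed` list in gcloud's --allow syntax, e.g. tcp:22,tcp:80-90,icmp."""
    parts = []
    for a in allowed:
        if a.get("ports"):
            parts.extend(f"{a['IPProtocol']}:{p}" for p in a["ports"])
        else:
            parts.append(a["IPProtocol"])
    return ",".join(parts)


def revert_plan(baseline, current, project):
    """gcloud commands (and review notes) that move `current` back to `baseline`."""
    base = {r["name"]: r for r in baseline}
    d = diff_rules(baseline, current)
    cmds = []
    for name in d["added"]:  # unauthorized new rules: remove
        cmds.append(f"gcloud compute firewall-rules delete {name} --project={project} --quiet")
    for name, deltas in d["changed"].items():  # widened rules: restore baseline fields
        flags = []
        for field, (old, _new) in deltas.items():
            if field == "allowed":
                flags.append(f"--allow={allow_flag(old)}")
            elif field == "disabled":
                flags.append("--disabled" if old else "--no-disabled")
            elif field in UPDATE_FLAGS:
                flags.append(f"{UPDATE_FLAGS[field]}={','.join(old) if isinstance(old, list) else old}")
            else:  # network/direction are immutable: flag for delete-and-recreate
                flags.append(f"# {field} changed; delete {name} and recreate it from the baseline")
        cmds.append(f"gcloud compute firewall-rules update {name} --project={project} " + " ".join(flags))
    for name in d["removed"]:  # deleted baseline rules: recreate
        r = base[name]
        cmds.append(
            f"gcloud compute firewall-rules create {name} --project={project} "
            f"--network={r['network']} --direction={r['direction']} --priority={r['priority']} "
            f"--allow={allow_flag(r['allowed'])} --source-ranges={','.join(r['sourceRanges'])}"
            + (f" --target-tags={','.join(r['targetTags'])}" if r.get("targetTags") else ""))
    return cmds


if __name__ == "__main__":
    print(json.dumps(diff_rules(BASELINE, CURRENT), indent=2))
    print("\n".join(revert_plan(BASELINE, CURRENT, "demo-proj")))
```

The same `diff_rules` function, run on a schedule against the exported live rule set, is a simple drift check that complements alerting on individual changes: it catches the cumulative state even when a single change looked harmless.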