Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.
Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance.[1] They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).[2][1]
Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. It may also be used to open up resources for Brute Force or Endpoint Denial of Service.
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit |
Routinely check account role permissions to ensure only expected users and roles have permission to modify cloud firewalls. |
| M1018 | User Account Management |
Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.[2] |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0424 | Detection Strategy for Disable or Modify Cloud Firewall | AN1188 |
Creation, deletion, or modification of security groups and firewall rules in cloud control plane logs that expand access to cloud resources beyond expected baselines. Defender view: unexpected ingress/egress rules permitting 0.0.0.0/0 or opening atypical ports, often correlated with privileged role or API key activity. |