Description
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane.
For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance. They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Expel AWS)
Platforms
Mitigations (2)
Audit (M1047)
Routinely check account role permissions to ensure only expected users and roles have permission to modify cloud firewalls.
User Account Management (M1018)
Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.(Citation: Expel IO Evil in AWS)
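The two mitigations above come down to one recurring question: which principals can actually call the APIs that open a cloud firewall? The following is an added example (not MITRE's or Expel's code) of that audit for AWS-style IAM policy documents. It evaluates Action/NotAction wildcards the way IAM does (case-insensitive, `*` and `?`), lets an unconditional, unscoped Deny override an Allow, and flags Allows that are not scoped by Resource or Condition. The policy documents and principal names are constructed for illustration; the example assumes you already fetched the attached policies, and it ignores SCPs, permission boundaries and resource policies, so it over-reports rather than under-reports.

```python
"""Audit IAM policy documents for the ability to modify cloud firewalls.

Added example. POLICIES and PRINCIPALS are constructed, not taken from a real
account. Assumption: only identity policies are evaluated (no SCPs, permission
boundaries or resource policies), so results err toward over-reporting.
"""
import fnmatch

# Actions that create, widen, or remove network restrictions, plus the GuardDuty
# calls that mark attacker addresses as trusted (what Pacu's allowlisting does).
FIREWALL_ACTIONS = [
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:CreateSecurityGroup",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:ModifySecurityGroupRules",
    "ec2:CreateNetworkAclEntry",
    "ec2:ReplaceNetworkAclEntry",
    "guardduty:CreateIPSet",
    "guardduty:UpdateIPSet",
]


def _as_list(value):
    """IAM lets Statement, Action, Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(stmt, action):
    """True if the statement's Action (or NotAction) applies to `action`."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def audit_principal(policies):
    """Return [(action, [granting policy names])] for firewall-modifying actions.

    An unconditional Deny on Resource "*" blocks the action; an Allow that is
    limited by Resource or Condition is still reported, marked "(scoped)".
    """
    findings = []
    for action in FIREWALL_ACTIONS:
        denied, allowed_by = False, []
        for pname, policy in policies.items():
            for stmt in _as_list(policy.get("Statement")):
                if not statement_covers(stmt, action):
                    continue
                unscoped = "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt
                if stmt.get("Effect") == "Deny" and unscoped:
                    denied = True
                elif stmt.get("Effect") == "Allow":
                    allowed_by.append(pname if unscoped else f"{pname} (scoped)")
        if allowed_by and not denied:
            findings.append((action, allowed_by))
    return findings


# Constructed policy documents for the demonstration.
DEVELOPER_READONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
NET_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*SecurityGroup*"], "Resource": "*"}]}
POWER_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}
GUARDRAIL_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "guardduty:*", "Resource": "*"}]}

# Constructed principal -> attached policies mapping.
PRINCIPALS = {
    "analyst": {"DeveloperReadOnly": DEVELOPER_READONLY},
    "netops-role": {"NetAdmin": NET_ADMIN, "GuardrailDeny": GUARDRAIL_DENY},
    "ci-deploy": {"PowerUser": POWER_USER},
}


def audit_all(principals=PRINCIPALS):
    """Map each principal to the firewall actions its policies grant."""
    return {name: audit_principal(pols) for name, pols in principals.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "can:" if findings else "cannot modify firewalls")
        for action, who in findings:
            print("   ", action, "via", ", ".join(who))
```

Run it against the policies actually attached to each role and user (for example from `iam:GetAccountAuthorizationDetails`) and treat any principal outside the networking team that appears with an unscoped grant, especially one produced by a NotAction or `ec2:*` wildcard, as a finding to remediate.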
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can allowlist IP addresses in AWS GuardDuty.(Citation: GitHub Pacu) |
References
- Anthony Randazzo, Britton Manahan, Sam Lipton. (2020, April 28). Managed Detection & Response for AWS. Retrieved April 15, 2026.
- Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.
Frequently Asked Questions
What is T1686.001 (Cloud Firewall)?
T1686.001 is a MITRE ATT&CK technique named 'Cloud Firewall'. It belongs to the Defense Impairment tactic. Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols.
How can T1686.001 be detected?
Because T1686.001 (Cloud Firewall) is carried out through the cloud provider's control plane, detection depends on the provider's API audit log rather than endpoint telemetry: AWS CloudTrail for security group and network ACL changes (AuthorizeSecurityGroupIngress, AuthorizeSecurityGroupEgress, CreateSecurityGroup, RevokeSecurityGroupEgress, CreateNetworkAclEntry, ReplaceNetworkAclEntry) and for GuardDuty trusted-IP list changes (CreateIPSet, UpdateIPSet); the Azure Activity Log for writes to Microsoft.Network/networkSecurityGroups/securityRules; and Google Cloud audit logs for firewall insert, patch and delete calls on compute.googleapis.com. Alert on new rules that admit 0.0.0.0/0 or ::/0, on all-protocol rules, and on firewall changes made by principals or source IPs that do not normally manage networking, then correlate with VPC or NSG flow logs to see what traffic the new rule actually admitted.
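The behaviour in the description (new ingress rules that allow any connectivity to an instance, or trusted-IP allowlisting in GuardDuty) and the detection question above are illustrated by the following added example, which is not code from MITRE or from either cited report. It runs a small rule set over CloudTrail records and escalates any security group rule open to 0.0.0.0/0 or ::/0 and any GuardDuty IP set change. The records are constructed to follow the CloudTrail record layout (including the `{"items": [...]}` wrapping CloudTrail uses for EC2 list parameters); the account ID, group ID, detector ID and addresses are placeholders.

```python
"""Flag CloudTrail records that loosen cloud firewalls or blind GuardDuty.

Added example. SAMPLE_TRAIL is constructed to mirror the CloudTrail record
format; no record here comes from a real account.
"""
import ipaddress
import json

# Control-plane calls that create, widen or remove network restrictions.
FIREWALL_WRITE_EVENTS = {
    "ec2.amazonaws.com": {
        "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "CreateSecurityGroup", "RevokeSecurityGroupEgress", "DeleteSecurityGroup",
        "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAcl",
    },
    # Trusted IP lists suppress GuardDuty findings for the listed addresses.
    "guardduty.amazonaws.com": {"CreateIPSet", "UpdateIPSet", "UpdateDetector",
                                 "DeleteDetector"},
}


def _items(node):
    """CloudTrail wraps EC2 list parameters as {"items": [...]}."""
    if isinstance(node, dict):
        return node.get("items", [])
    return node or []


def world_open_rules(params):
    """Describe ipPermissions entries whose CIDR is 0.0.0.0/0 or ::/0."""
    rules = []
    for perm in _items(params.get("ipPermissions")):
        cidrs = [r.get("cidrIp") for r in _items(perm.get("ipRanges"))]
        cidrs += [r.get("cidrIpv6") for r in _items(perm.get("ipv6Ranges"))]
        for cidr in filter(None, cidrs):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                continue  # malformed CIDR: CloudTrail would not log a success
            if net.prefixlen == 0:
                proto = str(perm.get("ipProtocol", "-1"))
                ports = ("all" if proto == "-1"
                         else f"{perm.get('fromPort')}-{perm.get('toPort')}")
                rules.append(f"{cidr} proto={'all' if proto == '-1' else proto} ports={ports}")
    return rules


def analyze_record(record):
    """Return a finding dict for a firewall-impairing record, else None."""
    source, name = record.get("eventSource"), record.get("eventName")
    if name not in FIREWALL_WRITE_EVENTS.get(source, ()):
        return None
    params = record.get("requestParameters") or {}
    finding = {
        "time": record.get("eventTime"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "event": name,
        "severity": "medium",  # every firewall write deserves review
        "detail": "",
    }
    if name == "AuthorizeSecurityGroupIngress":
        opened = world_open_rules(params)
        if opened:
            finding["severity"] = "high"
            finding["detail"] = f"{params.get('groupId')} opened to {'; '.join(opened)}"
        else:
            finding["detail"] = f"{params.get('groupId')} ingress widened"
    elif source == "guardduty.amazonaws.com":
        finding["severity"] = "high"
        finding["detail"] = f"GuardDuty {name}: {params.get('name') or params.get('detectorId')}"
    else:
        finding["detail"] = json.dumps(params, sort_keys=True)[:120]
    return finding


def analyze_trail(records):
    """Run analyze_record over a list of CloudTrail records."""
    return [f for f in map(analyze_record, records) if f]


ACTOR = "arn:aws:iam::123456789012:user/netops"  # placeholder
SAMPLE_TRAIL = [  # constructed records, CloudTrail layout
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "198.51.100.0/24"}]}}]}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
          "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "CreateIPSet", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "name": "trusted",
                           "format": "TXT", "location": "https://s3.amazonaws.com/example-bucket/ips.txt",
                           "activate": True}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {}},
]

if __name__ == "__main__":
    for f in analyze_trail(SAMPLE_TRAIL):
        print(f["severity"].upper(), f["time"], f["actor"], f["source_ip"], f["event"], f["detail"])
```

The same actor opening a group to the world from a source IP it has never used, followed within a minute by a GuardDuty IP set creation, is the sequence worth paging on; the medium-severity entries are there so the baseline for "who normally changes firewalls from where" can be built from the same data.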
What mitigations exist for T1686.001?
There are 2 documented mitigations for T1686.001. Key mitigations include: Audit, User Account Management.
Which threat groups use T1686.001?
This page lists no threat groups for T1686.001; the only associated software is Pacu (S1091), which can allowlist IP addresses in AWS GuardDuty. The cited Unit 42 and Expel reports describe the behavior in the context of compromised cloud compute credentials. Check the MITRE ATT&CK website for the latest threat intelligence.