Description:

AWS Web Application Firewall (WAF) protects your web application from common application-layer exploits that can affect availability or consume excessive resources. It also lets you define web access control lists (web ACLs), rules, and conditions that specify which requests or IP addresses are acceptable or unacceptable, so you can allow or deny access to specific parts of your web application. WAF can also guard against various SQL injection attacks.

AWS Application Load Balancer (ALB), an option of the Elastic Load Balancing service, runs at the application layer. It allows you to define routing rules based on request content and can route traffic across multiple containers or EC2 instances. It also supports HTTP/2 and WebSocket and gives you additional visibility into the health of the target containers and instances.


Rationale:

WAF can help protect applications that are running behind an Application Load Balancer. Associating a web ACL with the ALB protects both internal and external applications and web services.

This policy checks whether a Web Application Firewall (WAF) web ACL is associated with each Application Load Balancer (ALB). The rule is NON_COMPLIANT if the key waf.enabled is set to false.


Impact:

It protects websites and web services from SQL injection and DDoS attacks, and blocks malicious requests at the ALB before they reach your web application.


Default Value:

By default, WAF is not associated with any ALB.


Pre-Requisite:

  1. You should have an ALB and an already created WAF web ACL in your AWS account.


Remediation:


Test Plan:

Step 1: Log in to the AWS Management Console

Step 2: Go to AWS WAF console at https://console.aws.amazon.com/wafv2

Step 3: Click on Web ACLs in the left navigation pane

Step 4: Select the web ACL to audit

Step 5: Go to the Associated AWS resources tab

The Associated AWS resources tab lists every ALB associated with this web ACL. If the ALB being audited is not listed, WAF is not enabled on that ALB and the rule is NON_COMPLIANT.


Using AWS CLI:

To retrieve the web ACL that is associated with an AWS resource (if no web ACL is associated, the response contains no WebACL object):

aws wafv2 get-web-acl-for-resource \
    --resource-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a


Implementation Steps:

  1. Log in to the AWS Management Console
  2. Go to AWS WAF console at https://console.aws.amazon.com/wafv2
  3. Click on Web ACLs in the left navigation pane
  4. Choose the Web ACL to associate with the ALB
  5. Go to the Associated AWS resources tab
  6. Click on the Add AWS resources button
  7. In the Add AWS resources dialog, select Resource type Application Load Balancer, select the ALB, and click on the Save button


Via CLI:

To associate a web ACL with a regional AWS resource:

aws wafv2 associate-web-acl \
    --web-acl-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --resource-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a \
    --region us-west-2
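The two CLI calls above (get-web-acl-for-resource for the audit, associate-web-acl for the remediation) can be driven in bulk across every ALB in an account. The script below is an added example, not part of the original policy text or an AWS-provided tool. It expresses the alb-waf-enabled check as a function, skips network and gateway load balancers (a web ACL cannot be attached to them), and applies a chosen web ACL to the ALBs that lack one. The AWS calls are injected as callables so the logic runs offline against constructed sample data; the real_clients() helper, which assumes boto3 is installed and credentials are configured, wires the same functions to the live elbv2 and wafv2 APIs. The ARNs, account id and region in the sample data are the placeholder values used elsewhere on this page.

```python
"""Audit Application Load Balancers for an associated AWS WAFv2 web ACL and
optionally associate a chosen web ACL with the ones that lack one.

Added example: the AWS calls are passed in as callables so the evaluation
logic can be exercised with constructed data; real_clients() wires them to
boto3 (assumed installed and credentialed) for use against a real account."""
from typing import Callable, Dict, Iterable, List, Tuple

LoadBalancer = Dict[str, str]  # subset of an elbv2 describe-load-balancers entry

# Constructed sample data (placeholder account/region/ARNs, as on this page).
ACCOUNT_REGION = "us-west-2:123456789012"
WAF_CLI_ALB_ARN = (f"arn:aws:elasticloadbalancing:{ACCOUNT_REGION}:"
                   "loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a")
PUBLIC_ALB_ARN = (f"arn:aws:elasticloadbalancing:{ACCOUNT_REGION}:"
                  "loadbalancer/app/public-alb/0000000000000001")
NLB_ARN = (f"arn:aws:elasticloadbalancing:{ACCOUNT_REGION}:"
           "loadbalancer/net/ingress-nlb/0000000000000002")
WEB_ACL_ARN = (f"arn:aws:wafv2:{ACCOUNT_REGION}:regional/webacl/test-cli/"
               "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111")

SAMPLE_LBS: List[LoadBalancer] = [
    {"LoadBalancerArn": WAF_CLI_ALB_ARN, "Type": "application"},
    {"LoadBalancerArn": PUBLIC_ALB_ARN, "Type": "application"},
    {"LoadBalancerArn": NLB_ARN, "Type": "network"},
]
# Constructed stand-in for get-web-acl-for-resource: only waf-cli-alb has a web ACL.
SAMPLE_ASSOCIATIONS = {
    WAF_CLI_ALB_ARN: {"WebACL": {"Name": "test-cli", "ARN": WEB_ACL_ARN}},
}


def sample_get_web_acl(resource_arn: str) -> dict:
    """Mimics wafv2.get_web_acl_for_resource: no WebACL key when unassociated."""
    return SAMPLE_ASSOCIATIONS.get(resource_arn, {})


def application_lbs(load_balancers: Iterable[LoadBalancer]) -> List[LoadBalancer]:
    """Keep only ALBs; network and gateway load balancers are out of scope
    because a WAF web ACL cannot be associated with them."""
    return [lb for lb in load_balancers if lb.get("Type") == "application"]


def waf_enabled(alb_arn: str, get_web_acl_for_resource: Callable[[str], dict]) -> bool:
    """True when the ALB has a web ACL associated (the response carries WebACL)."""
    response = get_web_acl_for_resource(alb_arn) or {}
    return bool(response.get("WebACL"))


def find_noncompliant(load_balancers: Iterable[LoadBalancer],
                      get_web_acl_for_resource: Callable[[str], dict]) -> List[str]:
    """ARNs of ALBs with no web ACL, i.e. NON_COMPLIANT for alb-waf-enabled."""
    return [lb["LoadBalancerArn"] for lb in application_lbs(load_balancers)
            if not waf_enabled(lb["LoadBalancerArn"], get_web_acl_for_resource)]


def remediate(load_balancers: Iterable[LoadBalancer],
              get_web_acl_for_resource: Callable[[str], dict],
              associate_web_acl: Callable[[str, str], None],
              web_acl_arn: str) -> List[str]:
    """Associate web_acl_arn with each non-compliant ALB (the associate-web-acl
    step) and return the ARNs that were changed."""
    changed = []
    for alb_arn in find_noncompliant(load_balancers, get_web_acl_for_resource):
        associate_web_acl(web_acl_arn, alb_arn)
        changed.append(alb_arn)
    return changed


def real_clients(region: str) -> Tuple[List[LoadBalancer], Callable, Callable]:
    """Wire the callables to boto3 (assumption: boto3 installed, credentials set)."""
    import boto3  # imported lazily so the offline example needs no AWS SDK
    elbv2 = boto3.client("elbv2", region_name=region)
    wafv2 = boto3.client("wafv2", region_name=region)
    lbs = elbv2.describe_load_balancers()["LoadBalancers"]

    def get_acl(resource_arn: str) -> dict:
        return wafv2.get_web_acl_for_resource(ResourceArn=resource_arn)

    def associate(web_acl_arn: str, resource_arn: str) -> None:
        wafv2.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=resource_arn)

    return lbs, get_acl, associate


if __name__ == "__main__":
    # Offline run on the constructed data; swap in real_clients("us-west-2")
    # to audit a real account.
    for arn in find_noncompliant(SAMPLE_LBS, sample_get_web_acl):
        print("NON_COMPLIANT:", arn)
```

Run it as-is to see the audit on the constructed data; to use it for real, replace SAMPLE_LBS and sample_get_web_acl with the values returned by real_clients() and pass the associate callable to remediate() only after confirming the web ACL ARN is the one you intend to enforce.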


Backout Plan:

Step 1: Log in to the AWS Management Console and go to the AWS WAF console at https://console.aws.amazon.com/wafv2

Step 2: Click on Web ACLs in the left navigation pane

Step 3: Choose the Web ACL that is associated with the ALB

Step 4: Go to the Associated AWS resources tab

Step 5: Click on the Disassociate button

Step 6: Type remove in the text box and click on the Disassociate button


Using AWS CLI:

To disassociate a web ACL from a regional AWS resource:

aws wafv2 disassociate-web-acl \
    --resource-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a \
    --region us-west-2


Reference:

  1. alb-waf-enabled - AWS Config 

  2. https://aws.amazon.com/about-aws/whats-new/2016/12/AWS-WAF-now-available-on-Application-Load-Balancer/

  3. wafv2 — AWS CLI 1.20.8 Command Reference