Description:
AWS Web Application Firewall (WAF) helps protect your web applications from common application-layer exploits that can affect availability or consume excessive resources. AWS Application Load Balancer (ALB) is the Elastic Load Balancing option that operates at the application layer. It lets you define routing rules based on request content and spread traffic across multiple containers or EC2 instances. Application Load Balancers support HTTP/2 and WebSocket and give you additional visibility into the health of the target containers and instances.
Rationale:
WAF lets you use web access control lists (web ACLs), rules, and conditions that define which requests or IP addresses are acceptable. You can selectively allow or deny access to specific parts of your web application, and you can guard against common attacks such as SQL injection. If no WAF web ACL is attached to an ALB, the applications behind it receive every request unfiltered and remain exposed to these attacks.
Impact:
WAF helps to protect applications that are running behind an Application Load Balancer. WAF can protect both internal and external applications and web services.
Default Value:
By default, the load balancer is not attached to any web ACL.
Prerequisites:
Create an Application Load Balancer.
Create an AWS WAF web ACL.
Remediation:
Test Plan:
Log in to the AWS Management Console.
Open the EC2 console: https://ap-south-1.console.aws.amazon.com/ec2/v2/home
In the navigation menu, choose Load Balancing.
Choose the Application Load Balancer you want to check.
In the Integrated services section of the load balancer, check the AWS WAF Web ACL configuration to see whether a web ACL is attached.
Using AWS CLI:
aws wafv2 get-web-acl-for-resource --resource-arn <value>
If no web ACL is associated with the load balancer, the command returns no WebACL.
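The console and CLI steps above check one load balancer at a time. The following added example (not part of this control's text) wraps the same two API calls, elbv2 DescribeLoadBalancers and wafv2 GetWebACLForResource, via boto3 to audit every ALB in a Region in one pass; the sample inventory, ARNs and web ACL name are constructed, and it assumes GetWebACLForResource returns no WebACL key when nothing is associated.

```python
"""Audit Application Load Balancers for a missing AWS WAFv2 web ACL."""
from typing import Callable, Dict, Iterable, List, Optional

WebAclLookup = Callable[[str], Optional[Dict]]  # ALB ARN -> associated WebACL dict, or None


def find_unprotected_albs(load_balancers: Iterable[Dict], get_web_acl: WebAclLookup) -> List[Dict]:
    """One finding per Application Load Balancer that has no associated web ACL.
    Only Type == "application" is audited: AWS WAF cannot be associated with Network or
    Gateway Load Balancers, so they are out of scope rather than failures. Internal ALBs
    are included on purpose; the control covers both schemes."""
    findings = []
    for lb in load_balancers:
        if lb.get("Type") != "application":
            continue
        arn = lb["LoadBalancerArn"]
        if get_web_acl(arn) is None:
            findings.append({"LoadBalancerName": lb["LoadBalancerName"], "LoadBalancerArn": arn,
                             "Scheme": lb.get("Scheme"), "Status": "NON_COMPLIANT"})
    return findings


def boto3_web_acl_lookup(region: str) -> WebAclLookup:
    """Wrap wafv2 GetWebACLForResource (the Test Plan's CLI call) for a live run.
    Assumption: the response carries no "WebACL" key when nothing is associated."""
    import boto3  # imported here so the audit logic above stays importable offline
    waf = boto3.client("wafv2", region_name=region)
    return lambda arn: waf.get_web_acl_for_resource(ResourceArn=arn).get("WebACL")


def audit_region(region: str) -> List[Dict]:
    """Live run: page through elbv2 DescribeLoadBalancers and audit every ALB found."""
    import boto3
    pages = boto3.client("elbv2", region_name=region).get_paginator(
        "describe_load_balancers").paginate()
    return find_unprotected_albs((lb for p in pages for lb in p["LoadBalancers"]),
                                 boto3_web_acl_lookup(region))


# Constructed sample inventory (not real resources) so the logic can be exercised offline.
_ARN = "arn:aws:elasticloadbalancing:ap-south-1:123456789012:loadbalancer/"
SAMPLE_LBS = [{"LoadBalancerName": n, "Type": t, "Scheme": s, "LoadBalancerArn": _ARN + a}
              for n, t, s, a in [("web-alb", "application", "internet-facing", "app/web-alb/EXAMPLE1"),
                                 ("api-alb", "application", "internal", "app/api-alb/EXAMPLE2"),
                                 ("tcp-nlb", "network", "internet-facing", "net/tcp-nlb/EXAMPLE3")]]
SAMPLE_ACLS = {_ARN + "app/web-alb/EXAMPLE1": {"Name": "prod-web-acl"}}  # only web-alb is protected

if __name__ == "__main__":
    for finding in find_unprotected_albs(SAMPLE_LBS, SAMPLE_ACLS.get):
        print(finding)  # api-alb is reported; tcp-nlb is out of scope
```

For a live audit, call audit_region("ap-south-1") (or another Region) with credentials that allow elasticloadbalancing:DescribeLoadBalancers and wafv2:GetWebACLForResource.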
Implementation Steps:
Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.
Choose Create web ACL.
Choose the Associated AWS resources tab.
Choose Add AWS resources.
When prompted, choose the resource that you want to associate this web ACL with. If you choose an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync API, specify a Region.
Choose the Application Load Balancer that you created earlier.
Choose Add.
Using AWS CLI:
To associate the web ACL with the load balancer (the wafv2 command takes the web ACL ARN; the older waf-regional command does not):
aws wafv2 associate-web-acl \
--web-acl-arn <value> \
--resource-arn <value>
Backout Plan:
Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.
In the navigation pane, choose Web ACLs.
Choose the web ACL that you want to disassociate from your resource.
On the Associated AWS resources tab, deselect the resources that you want to disassociate this web ACL from.
Choose Save.
Using AWS CLI:
To disassociate the web ACL from the resource:
aws wafv2 disassociate-web-acl \
--resource-arn <value> \
--region <value>
References:
https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/
https://docs.aws.amazon.com/cli/latest/reference/wafv2/get-web-acl-for-resource.html