Description:

AWS Web Application Firewall (WAF) helps protect your web applications from common application-layer exploits that can affect availability or consume excessive resources. AWS Application Load Balancer (ALB) is the Elastic Load Balancing option that runs at the application layer. It lets you define routing rules based on request content that can span multiple containers or EC2 instances. Application Load Balancers support HTTP/2 and WebSocket and give you additional visibility into the health of the target containers and instances.


Rationale:

WAF lets you use web access control lists (web ACLs), rules, and conditions that define which requests or IP addresses are acceptable or unacceptable. You can selectively allow or deny access to specific parts of your web application, and you can also guard against various SQL injection attacks. If no WAF web ACL is attached to the ALB, the applications behind it are exposed to these attacks.


Impact:

WAF helps to protect applications that are running behind an Application Load Balancer. WAF can protect both internal and external applications and web services.


Default Value:

By default, the load balancer is not attached to any web ACL.

Prerequisites:

  • Create an Application Load Balancer

  • Create an AWS WAF web ACL


Remediation:

Test Plan:


  • Choose the Application Load Balancer you want to check.

  • On the load balancer's Integrated services tab, look at the AWS WAF web ACL configuration to see whether a web ACL is attached.



Using AWS CLI:

aws wafv2 get-web-acl-for-resource --resource-arn <value>


Implementation Steps:

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

  2. Click on Create Web ACL

  3. Click on the Associated AWS resources tab

  4. Click on Add AWS resources

  5. When prompted, choose the resource that you want to associate this web ACL with. If you choose an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync API, specify a Region.

  6. Choose the Application Load Balancer that you already created.

  7. Click on Add.


Using AWS CLI:

To associate the web ACL (an ALB takes a WAFv2 web ACL, so the wafv2 command is used; the web ACL is referenced by ARN):

aws wafv2 associate-web-acl --web-acl-arn <value> --resource-arn <value>


Backout Plan:

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

  2. In the navigation pane, choose Web ACLs.

  3. Choose the web ACL that you want to disassociate from your resource.

  4. On the Associated AWS resources tab, deselect the resources that you want to disassociate this web ACL from.

  5. Choose Save. 


Using AWS CLI:

To disassociate the web ACL from the load balancer:

aws wafv2 disassociate-web-acl --resource-arn <value>
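The following script is an added example, not part of this benchmark page, that ties the Test Plan, Implementation Steps and Backout Plan commands above together: it lists every Application Load Balancer in the configured Region, decides from the `get-web-acl-for-resource` output whether a web ACL is attached, and offers attach/detach helpers for remediation and backout. It assumes AWS CLI v2 with credentials and a default Region already configured; the function names (`waf_status_from_json`, `check_alb`, `list_alb_arns`, `attach_web_acl`, `detach_web_acl`) and the sample JSON are constructed for this example. It also assumes that the CLI prints no `WebACL` object when nothing is associated, which is how the compliance decision is made.

```shell
#!/bin/sh
# Added example (not the benchmark's own code): audit ALBs for an attached WAFv2 web ACL.
# Assumes AWS CLI v2 is configured with credentials and a default Region.

# Decide compliance from the JSON that `aws wafv2 get-web-acl-for-resource` prints.
# Assumption: when no web ACL is associated the CLI prints no "WebACL" object,
# so the absence of that key means the load balancer is unprotected.
waf_status_from_json() {
  if printf '%s' "$1" | grep -q '"WebACL"'; then
    echo "COMPLIANT"
  else
    echo "NON_COMPLIANT"
  fi
}

# Live check for one load balancer ARN (Test Plan, CLI variant).
check_alb() {
  alb_arn="$1"
  out=$(aws wafv2 get-web-acl-for-resource --resource-arn "$alb_arn" --output json 2>/dev/null) || out=""
  printf '%s %s\n' "$(waf_status_from_json "$out")" "$alb_arn"
}

# All Application Load Balancers in the configured Region (one ARN per line).
list_alb_arns() {
  aws elbv2 describe-load-balancers \
    --query 'LoadBalancers[?Type==`application`].LoadBalancerArn' \
    --output text | tr '\t' '\n'
}

# Remediation (Implementation Steps, CLI variant): associate an existing web ACL.
# The web ACL must have REGIONAL scope and live in the same Region as the ALB.
attach_web_acl() {
  web_acl_arn="$1"
  alb_arn="$2"
  aws wafv2 associate-web-acl --web-acl-arn "$web_acl_arn" --resource-arn "$alb_arn"
}

# Backout Plan, CLI variant: remove the association again.
detach_web_acl() {
  alb_arn="$1"
  aws wafv2 disassociate-web-acl --resource-arn "$alb_arn"
}

# Constructed sample CLI outputs so the decision logic can be exercised without AWS access.
SAMPLE_ATTACHED='{"WebACL": {"Name": "example-acl", "Id": "00000000-0000-0000-0000-000000000000", "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-acl/00000000-0000-0000-0000-000000000000"}}'
SAMPLE_DETACHED=''

# Usage:
#   sh waf_alb_audit.sh                 -> audit every ALB in the Region
#   sh waf_alb_audit.sh <alb-arn>       -> audit a single ALB
#   attach_web_acl <web-acl-arn> <alb-arn> / detach_web_acl <alb-arn> for remediation/backout
if [ "$#" -ge 1 ]; then
  check_alb "$1"
elif [ -n "$AUDIT_ALL_ALBS" ]; then
  list_alb_arns | while read -r arn; do
    [ -n "$arn" ] && check_alb "$arn"
  done
fi
```

Run with `AUDIT_ALL_ALBS=1 sh waf_alb_audit.sh` to sweep a Region; any line starting with `NON_COMPLIANT` is a load balancer that fails this check. Because the audit runs per Region, repeat it for every Region in which you operate load balancers.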