Profile Applicability:
- Level 2
Description:
AWS WAF Classic is a web application firewall that helps protect your web applications from common web exploits. WAF Classic Regional rule groups consist of rules that define conditions such as IP addresses, query strings, URIs, headers, and request body data to inspect and filter traffic to web applications. It is essential to ensure that at least one rule is configured in each Regional rule group to provide protection against malicious web traffic.
Rationale:
Having at least one rule configured in each AWS WAF Classic Regional rule group is essential for protecting web applications. A rule group without rules inspects nothing, so the WAF cannot block or filter malicious traffic, leaving your application exposed to web attacks such as SQL injection, cross-site scripting (XSS), and other common threats. Configuring at least one rule ensures that traffic is inspected and that unwanted or harmful requests are blocked.
Impact:
Pros:
Provides protection to your web applications by inspecting traffic and blocking malicious requests.
Helps ensure compliance with security and regulatory standards.
Allows for customizable traffic filtering based on application needs.
Increases the overall security of the application by preventing common attacks.
Cons:
Misconfigured rules may block legitimate traffic or cause application disruptions.
Requires ongoing monitoring and updating of rules to adapt to evolving web threats.
Default Value:
By default, AWS WAF Classic does not create any rules in a Regional rule group. Rules must be manually configured to inspect and block traffic.
Pre-requisites:
AWS IAM permissions to manage AWS WAF rules and rule groups:
wafv2:ListWebACLs
wafv2:GetRuleGroup
wafv2:ListRules
wafv2:CreateRuleGroup
Access to the AWS WAF Classic configuration to check rule groups and their rules.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS WAF & Shield.
In the left-hand menu, select Rule groups under the Web ACLs section.
Check if there is at least one rule configured in each Regional rule group. If no rules are configured, click on the rule group and configure at least one rule to inspect traffic.
If no rules exist, click Create rule and define the conditions for blocking or allowing traffic based on factors like IP addresses, headers, or URI paths.
Save the configuration and ensure that the rule group is active with at least one rule.
Using AWS CLI:
List all rule groups in AWS WAF Classic:
aws waf-regional list-rule-groups
For each rule group, list the rules activated in it:
aws waf-regional list-activated-rules-in-rule-group --rule-group-id <RULE_GROUP_ID>
The response contains an ActivatedRules array; an empty array means no rules are configured in that rule group. (get-rule-group returns only the group's id, name, and metric name, not its rules.)
If no rules are configured, create a rule group and activate at least one existing WAF Classic rule in it. Every mutating WAF Classic call requires a fresh change token from get-change-token:
aws waf-regional create-rule-group --name <RULE_GROUP_NAME> --metric-name <METRIC_NAME> --change-token $(aws waf-regional get-change-token --query ChangeToken --output text)
aws waf-regional update-rule-group --rule-group-id <RULE_GROUP_ID> --updates '[{"Action":"INSERT","ActivatedRule":{"Priority":1,"RuleId":"<RULE_ID>","Action":{"Type":"ALLOW"}}}]' --change-token $(aws waf-regional get-change-token --query ChangeToken --output text)
Replace the placeholders with the appropriate values for your rule group; <RULE_ID> is the id of an existing rule whose predicates (IP sets, string match conditions, and so on) define what to inspect.
Verify the updated rule group:
aws waf-regional list-activated-rules-in-rule-group --rule-group-id <RULE_GROUP_ID>
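The following script automates the CLI check above across every Regional rule group in a region. It is an added example, not part of this benchmark text; it assumes the documented JSON output shapes of list-rule-groups (a RuleGroups array, paginated with NextMarker) and list-activated-rules-in-rule-group (an ActivatedRules array), and the sample ids at the bottom are constructed placeholders.

```python
"""Audit AWS WAF Classic Regional rule groups for groups with no rules.
Assumes the documented JSON shapes of `list-rule-groups` ({"RuleGroups": [...]})
and `list-activated-rules-in-rule-group` ({"ActivatedRules": [...]})."""
import json
import subprocess


def _aws_pages(command, key, *extra_args):
    """Collect every item under `key` from a paginated waf-regional list call."""
    items, marker = [], None
    while True:
        args = ["aws", "waf-regional", command, *extra_args, "--output", "json"]
        if marker:
            args += ["--next-marker", marker]
        page = json.loads(subprocess.run(
            args, check=True, capture_output=True, text=True).stdout)
        items.extend(page.get(key, []))
        marker = page.get("NextMarker")
        if not marker:
            return items


def empty_rule_groups(rule_groups, activated_rules_by_id):
    """Return ids of rule groups whose ActivatedRules list is missing or empty."""
    return [g["RuleGroupId"] for g in rule_groups
            if not activated_rules_by_id.get(g["RuleGroupId"])]


def audit_region(region):
    """Fetch all Regional rule groups in `region`; return those without rules."""
    groups = _aws_pages("list-rule-groups", "RuleGroups", "--region", region)
    by_id = {g["RuleGroupId"]: _aws_pages(
                 "list-activated-rules-in-rule-group", "ActivatedRules",
                 "--rule-group-id", g["RuleGroupId"], "--region", region)
             for g in groups}
    return empty_rule_groups(groups, by_id)


# Constructed sample data (placeholder ids, not real resources) so the check
# can be exercised without AWS credentials.
SAMPLE_GROUPS = [{"RuleGroupId": "rg-sample-0001", "Name": "api-protection"},
                 {"RuleGroupId": "rg-sample-0002", "Name": "unused-group"}]
SAMPLE_ACTIVATED = {
    "rg-sample-0001": [{"Priority": 1, "RuleId": "rule-sample-0001",
                        "Action": {"Type": "BLOCK"}}],
    "rg-sample-0002": [],
}

if __name__ == "__main__":
    for rule_group_id in empty_rule_groups(SAMPLE_GROUPS, SAMPLE_ACTIVATED):
        print(f"FAIL: rule group {rule_group_id} has no rules configured")
```

Call audit_region("us-east-1") (or any region where WAF Classic Regional is used) with AWS credentials configured to run the live check; any id it returns is a finding for this recommendation.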
Implementation Plan:
Using AWS Console:
Open the AWS WAF Console and select Rule groups.
Click Create rule group or select an existing rule group.
Add at least one rule to the rule group, specifying the desired conditions (e.g., IP match, URI path, or header).
Save the changes and ensure that the rule group is configured with at least one active rule.
Using AWS CLI:
To create a new rule group and activate at least one existing rule in it, use (each call needs a fresh change token):
aws waf-regional create-rule-group --name <RULE_GROUP_NAME> --metric-name <METRIC_NAME> --change-token $(aws waf-regional get-change-token --query ChangeToken --output text)
aws waf-regional update-rule-group --rule-group-id <RULE_GROUP_ID> --updates '[{"Action":"INSERT","ActivatedRule":{"Priority":1,"RuleId":"<RULE_ID>","Action":{"Type":"ALLOW"}}}]' --change-token $(aws waf-regional get-change-token --query ChangeToken --output text)
Verify that the rule group contains at least one rule:
aws waf-regional list-activated-rules-in-rule-group --rule-group-id <RULE_GROUP_ID>
Backout Plan:
Using AWS Console:
If the rule group causes issues, sign in to the AWS Management Console.
Navigate to AWS WAF & Shield, select the Regional rule group, and remove or modify the rule.
Save the changes and verify that the rule group no longer contains the problematic rule.
Using AWS CLI:
To remove a rule from the rule group, run the following (the ActivatedRule in a DELETE update must match the Priority, RuleId, and Action with which the rule was inserted):
aws waf-regional update-rule-group --rule-group-id <RULE_GROUP_ID> --updates '[{"Action":"DELETE","ActivatedRule":{"Priority":1,"RuleId":"<RULE_ID>","Action":{"Type":"ALLOW"}}}]' --change-token $(aws waf-regional get-change-token --query ChangeToken --output text)
Verify that the rule has been removed:
aws waf-regional list-activated-rules-in-rule-group --rule-group-id <RULE_GROUP_ID>
Reference:
CIS Controls: