Profile Applicability

  • Level 2

Description

A Web Access Control List (WebACL) in AWS WAF Classic is used to define rules or rule groups that filter and control web traffic to your resources. Ensuring that a WebACL has at least one rule or rule group is critical for protecting your applications from malicious requests, such as SQL injection or cross-site scripting (XSS) attacks.

Rationale

  • Enhanced Security: Protects web applications by filtering malicious traffic.

  • Risk Mitigation: Reduces the risk of vulnerabilities being exploited.

  • Compliance: Aligns with security best practices for web application protection.

Impact

Pros:

  • Provides a layer of security for web applications.

  • Blocks or allows traffic based on defined rules or rule groups.

  • Improves compliance with security standards.

Cons:

  • Requires proper configuration and maintenance of rules or rule groups.

  • May introduce complexity if rules are not well-defined.

Default Value

By default, a new WebACL has no rules or rule groups; it has only a DefaultAction (ALLOW or BLOCK) that is applied to every request. An empty WebACL whose DefaultAction is ALLOW therefore inspects nothing and passes all traffic. Rules or rule groups must be explicitly added during or after WebACL creation.

Pre-Requisite

IAM Permissions Required:

  • waf:ListWebACLs

  • waf:GetWebACL

  • waf:GetChangeToken (WAF Classic requires a fresh change token for every update-web-acl call)

  • waf:UpdateWebACL

Tooling Required:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. In the AWS WAF & Shield console, switch to AWS WAF Classic and open Web ACLs; filter on Global (CloudFront), since only global WebACLs are in scope for this control.

  3. Select the WebACL to review its configuration.

  4. Verify if at least one rule or rule group is associated with the WebACL.

Using AWS CLI:

  1. List all global (CloudFront) WebACLs (regional WebACLs are managed with aws waf-regional and are outside the scope of this control):

    aws waf list-web-acls

  2. Retrieve the details of a specific WebACL:

    aws waf get-web-acl --web-acl-id <web-acl-id>

  3. Check the Rules array in the output. An entry with "Type": "GROUP" is a rule group; "REGULAR" and "RATE_BASED" entries are individual rules. An empty array is a finding: with no rules, the WebACL applies only its DefaultAction to every request.
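The three CLI steps above in scripted form, added here as an example; it is not part of the original benchmark text and not AWS-provided code. It shells out to the AWS CLI rather than using boto3, so it needs nothing beyond the CLI prerequisite; the JSON shapes follow the WAF Classic ListWebACLs and GetWebACL responses, and the two sample responses are constructed so the check logic can be exercised offline. The severity labels are this example's own triage scheme, not something the API returns.

```python
"""Audit AWS WAF Classic global WebACLs for the 'at least one rule or rule group' control."""
import json
import subprocess

# Constructed sample responses in the shape `aws waf get-web-acl` returns.
# They are not real account data; they let audit_web_acl() run offline.
SAMPLE_EMPTY_ACL = {
    "WebACL": {
        "WebACLId": "11111111-1111-1111-1111-111111111111",
        "Name": "cloudfront-empty",
        "DefaultAction": {"Type": "ALLOW"},
        "Rules": [],
    }
}
SAMPLE_GUARDED_ACL = {
    "WebACL": {
        "WebACLId": "22222222-2222-2222-2222-222222222222",
        "Name": "cloudfront-guarded",
        "DefaultAction": {"Type": "ALLOW"},
        "Rules": [
            {"Priority": 1, "RuleId": "aaaaaaaa-0000-0000-0000-000000000001",
             "Action": {"Type": "BLOCK"}, "Type": "REGULAR"},
            {"Priority": 2, "RuleId": "bbbbbbbb-0000-0000-0000-000000000002",
             "OverrideAction": {"Type": "NONE"}, "Type": "GROUP"},
            {"Priority": 3, "RuleId": "cccccccc-0000-0000-0000-000000000003",
             "Action": {"Type": "COUNT"}, "Type": "RATE_BASED"},
        ],
    }
}


def enforcing_rule_count(rules):
    """Count attached entries that can actually block a request.

    REGULAR/RATE_BASED rules block only with Action BLOCK; a GROUP blocks only
    when OverrideAction is NONE (COUNT demotes every rule in the group).
    """
    n = 0
    for r in rules:
        if r.get("Type") == "GROUP":
            if r.get("OverrideAction", {}).get("Type") == "NONE":
                n += 1
        elif r.get("Action", {}).get("Type") == "BLOCK":
            n += 1
    return n


def audit_web_acl(get_web_acl_output):
    """Return a finding for one GetWebACL response.

    The control only asks for >= 1 rule or rule group (`compliant`). The
    `severity` field is this example's own scheme: an empty WebACL with
    DefaultAction ALLOW passes everything uninspected (HIGH); an empty WebACL
    with DefaultAction BLOCK drops all traffic, an outage rather than an
    exposure (MEDIUM); a populated WebACL with nothing in BLOCK mode passes
    the control but enforces nothing (LOW).
    """
    acl = get_web_acl_output["WebACL"]
    rules = acl.get("Rules", [])
    default = acl.get("DefaultAction", {}).get("Type", "ALLOW")
    enforcing = enforcing_rule_count(rules)
    compliant = len(rules) > 0
    if not compliant:
        severity = "HIGH" if default == "ALLOW" else "MEDIUM"
    else:
        severity = "NONE" if enforcing else "LOW"
    return {
        "WebACLId": acl["WebACLId"],
        "Name": acl.get("Name"),
        "DefaultAction": default,
        "RuleCount": len(rules),
        "EnforcingRules": enforcing,
        "compliant": compliant,
        "severity": severity,
    }


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (needs configured credentials)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def list_global_web_acl_ids():
    """Page through `aws waf list-web-acls` with NextMarker (global scope only)."""
    ids, marker = [], None
    while True:
        args = ["waf", "list-web-acls"] + (["--next-marker", marker] if marker else [])
        page = aws_json(*args)
        ids += [a["WebACLId"] for a in page.get("WebACLs", [])]
        marker = page.get("NextMarker")
        if not marker:
            return ids


if __name__ == "__main__":
    findings = [audit_web_acl(aws_json("waf", "get-web-acl", "--web-acl-id", i))
                for i in list_global_web_acl_ids()]
    for f in findings:
        print(json.dumps(f))
    raise SystemExit(0 if all(f["compliant"] for f in findings) else 1)
```

Run it with credentials that hold waf:ListWebACLs and waf:GetWebACL; it exits non-zero when any global WebACL has an empty Rules array. The EnforcingRules count is the number a reviewer will actually care about: a WebACL made only of COUNT rules satisfies the letter of this control while blocking nothing.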

Implementation Plan:

Using AWS Console:

  1. Open the AWS WAF & Shield Console and navigate to WebACLs.

  2. Select the Global WebACL that you want to configure.

  3. Under the Rules section, ensure that at least one rule or rule group is added.

  4. If no rules are present, click Edit and either add an individual rule or choose a Rule Group to include.

  5. Save the changes and verify that the WebACL now contains at least one rule or rule group.

Using AWS CLI:

  1. To add a rule or rule group to an existing WebACL, submit an INSERT update. Every update-web-acl call in WAF Classic requires a change token obtained from get-change-token:

    aws waf update-web-acl --web-acl-id <WEB_ACL_ID> \
      --change-token $(aws waf get-change-token --query ChangeToken --output text) \
      --updates '[{
        "Action": "INSERT",
        "ActivatedRule": {
          "Priority": 1,
          "RuleId": "<RULE_ID>",
          "Action": { "Type": "BLOCK" },
          "Type": "REGULAR"
        }
      }]'

    To attach a rule group instead, set "Type": "GROUP" and replace "Action" with "OverrideAction": { "Type": "NONE" }. Use "COUNT" in place of "BLOCK" while tuning a new rule; an ALLOW-only rule satisfies this check but protects nothing.

  2. Verify that the WebACL now contains at least one rule:

    aws waf get-web-acl --web-acl-id <WEB_ACL_ID>


Backout Plan:

Using AWS Console:

  1. If the configuration causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS WAF & Shield, select the Global WebACL, and remove or modify the rule.

  3. Save the changes and verify that the WebACL now functions as intended.

Using AWS CLI:

  1. To remove a rule from a WebACL, submit a DELETE update. The ActivatedRule values (Priority, Action or OverrideAction, Type) must match the entry as shown by get-web-acl, so copy them from there rather than retyping them:

    aws waf update-web-acl --web-acl-id <WEB_ACL_ID> \
      --change-token $(aws waf get-change-token --query ChangeToken --output text) \
      --updates '[{
        "Action": "DELETE",
        "ActivatedRule": { "Priority": 1, "RuleId": "<RULE_ID>",
                           "Action": { "Type": "BLOCK" }, "Type": "REGULAR" }
      }]'

    If the rule is blocking legitimate traffic, a less disruptive backout is to DELETE it and INSERT it again with "Action": { "Type": "COUNT" }, which keeps it in the WebACL (so this control still passes) while it is tuned.

  2. Verify that the rule has been removed:

    aws waf get-web-acl --web-acl-id <WEB_ACL_ID>
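The Implementation Plan and Backout Plan CLI steps as a script, added here as an example; it is not original benchmark content and not AWS code. It builds the Updates list that UpdateWebACL expects, which is where the two WAF Classic gotchas live: a rule group entry uses OverrideAction instead of Action, and a DELETE must carry the same values the entry currently has in the WebACL, so the backout path reads them from get-web-acl output rather than retyping them. The GetWebACL sample is constructed; the CLI wrapper assumes `aws` is on PATH with credentials that hold waf:GetChangeToken and waf:UpdateWebACL.

```python
"""Build and apply UpdateWebACL payloads for AWS WAF Classic (global scope)."""
import json
import subprocess

RULE_TYPES = ("REGULAR", "RATE_BASED", "GROUP")


def activated_rule(rule_id, priority, rule_type="REGULAR", action="BLOCK"):
    """Return the ActivatedRule object that goes inside Updates[].ActivatedRule.

    REGULAR and RATE_BASED rules carry Action (ALLOW | BLOCK | COUNT). A GROUP
    carries OverrideAction instead: NONE keeps the group's own rule actions,
    COUNT demotes all of them to counting. The API rejects the wrong pairing,
    so it is rejected here before a change token is spent on it.
    """
    if rule_type not in RULE_TYPES:
        raise ValueError(f"Type must be one of {RULE_TYPES}")
    entry = {"Priority": priority, "RuleId": rule_id, "Type": rule_type}
    if rule_type == "GROUP":
        if action not in ("NONE", "COUNT"):
            raise ValueError("a GROUP takes OverrideAction NONE or COUNT")
        entry["OverrideAction"] = {"Type": action}
    else:
        if action not in ("ALLOW", "BLOCK", "COUNT"):
            raise ValueError("Action must be ALLOW, BLOCK or COUNT")
        entry["Action"] = {"Type": action}
    return entry


def insert_update(entry):
    """Updates list that attaches one rule or rule group."""
    return [{"Action": "INSERT", "ActivatedRule": entry}]


def delete_update_from_acl(get_web_acl_output, rule_id):
    """Backout: build the DELETE for rule_id using the entry exactly as the
    WebACL currently holds it (priority, action or override action, type)."""
    for entry in get_web_acl_output["WebACL"]["Rules"]:
        if entry["RuleId"] == rule_id:
            return [{"Action": "DELETE", "ActivatedRule": entry}]
    raise LookupError(f"{rule_id} is not attached to this WebACL")


def update_web_acl_command(web_acl_id, change_token, updates):
    """Argument vector for `aws waf update-web-acl`; the change token is
    mandatory in WAF Classic and is consumed by the call."""
    return ["aws", "waf", "update-web-acl",
            "--web-acl-id", web_acl_id,
            "--change-token", change_token,
            "--updates", json.dumps(updates)]


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (needs configured credentials)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def apply_updates(web_acl_id, updates):
    """Fetch a change token, apply the updates, and return the token so the
    caller can poll `aws waf get-change-token-status` until it reports INSYNC."""
    token = aws_json("waf", "get-change-token")["ChangeToken"]
    subprocess.run(update_web_acl_command(web_acl_id, token, updates), check=True)
    return token


# Constructed GetWebACL response (not real account data) for the backout path.
SAMPLE_ACL = {
    "WebACL": {
        "WebACLId": "33333333-3333-3333-3333-333333333333",
        "DefaultAction": {"Type": "ALLOW"},
        "Rules": [
            {"Priority": 1, "RuleId": "dddddddd-0000-0000-0000-000000000004",
             "Action": {"Type": "BLOCK"}, "Type": "REGULAR"},
        ],
    }
}


if __name__ == "__main__":
    # Remediate: attach a rule group at priority 1 without overriding its actions.
    print(json.dumps(insert_update(activated_rule("<RULE_GROUP_ID>", 1, "GROUP", "NONE")), indent=2))
    # Back out: remove the sample's rule using the values it was attached with.
    print(json.dumps(delete_update_from_acl(SAMPLE_ACL, "dddddddd-0000-0000-0000-000000000004"), indent=2))
```

To switch a noisy rule to COUNT rather than dropping it, call delete_update_from_acl() for the existing entry, then insert_update() with the same RuleId and Priority and action "COUNT"; WAF Classic has no in-place edit of an ActivatedRule, so the pair of updates is the only way to change its action.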

Reference:

CIS Controls:

  Version  Control ID  Control Description
  -------  ----------  ------------------------------------------------------------
  7.1      3.1         Ensure that AWS WAF Classic Global WebACLs have at least one
                       rule or rule group configured to protect web applications
                       from threats.
  7.1      8.1         Enable WAF rules for Global WebACLs to monitor and protect
                       web applications from common vulnerabilities and attacks.