Profile Applicability

  • Level 2

Description

A rule in AWS WAF Classic specifies conditions to filter and manage web traffic, such as IP match, SQL injection match, size constraints, and others. Each rule must have at least one condition to define its functionality. Without conditions, the rule cannot provide any security or traffic filtering benefit.

Rationale

  • Enhanced Security: Defines specific filtering logic for incoming web requests.

  • Risk Mitigation: Reduces the chance of malicious traffic bypassing protections.

  • Compliance: Aligns with best practices for application-layer security.

Impact

Pros:

  • Implements fine-grained traffic filtering for web applications.

  • Blocks harmful requests and secures your application resources.

  • Enhances compliance with security standards.

Cons:

  • Requires careful design and testing of rules to avoid blocking legitimate traffic.

  • Additional configuration may be needed for more complex conditions.

Default Value

Rules in WAF Classic can exist without conditions, requiring explicit configuration to define them.

Pre-Requisite

IAM Permissions Required:

  • waf:ListRules

  • waf:GetRule

  • waf:UpdateRule

Tooling:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS WAF Classic > Rules.

  3. Select a rule to review its configuration.

  4. Check if the rule has at least one condition defined.

Using AWS CLI:

  1. List all rules:

    aws waf list-rules

  2. Retrieve details of a specific rule:

    aws waf get-rule --rule-id <rule-id>

  3. Inspect the Predicates field in the output. Ensure it includes at least one condition.
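The audit step above can be scripted so that every rule, not just one, is checked for an empty Predicates list. The following is an added example and not part of the benchmark or the AWS CLI; the rule ids, names and condition ids in SAMPLE_RULES are constructed to mirror the shape of `aws waf get-rule` output. `fetch_rules_via_cli` shells out to the CLI only when called explicitly (it assumes `aws` is on PATH and configured with waf:ListRules and waf:GetRule; use `waf-regional` instead of `waf` for regional rules).

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample data: the structure mirrors the "Rule" object returned by
# `aws waf get-rule`, but every id and name here is made up for this example.
SAMPLE_RULES = [
    {
        "RuleId": "11111111-aaaa-bbbb-cccc-000000000001",
        "Name": "block-known-bad-ips",
        "MetricName": "blockKnownBadIps",
        "Predicates": [
            {"Negated": False, "Type": "IPMatch",
             "DataId": "22222222-aaaa-bbbb-cccc-000000000002"}
        ],
    },
    {
        "RuleId": "11111111-aaaa-bbbb-cccc-000000000003",
        "Name": "placeholder-rule",
        "MetricName": "placeholderRule",
        "Predicates": [],
    },
    {
        # Predicates key absent entirely; treated the same as an empty list.
        "RuleId": "11111111-aaaa-bbbb-cccc-000000000004",
        "Name": "incomplete-rule",
        "MetricName": "incompleteRule",
    },
]


def rules_without_conditions(rules: List[Dict]) -> List[Dict]:
    """Return the rules whose Predicates list is empty or missing.

    Each element of `rules` is the "Rule" object from `aws waf get-rule`.
    A rule with no predicates matches nothing, so it adds no protection even
    when attached to a WebACL; that is the finding this control looks for.
    """
    findings = []
    for rule in rules:
        predicates = rule.get("Predicates") or []
        if len(predicates) == 0:
            findings.append({"RuleId": rule["RuleId"], "Name": rule.get("Name", "")})
    return findings


def fetch_rules_via_cli() -> List[Dict]:
    """Collect every WAF Classic (global) rule by calling the AWS CLI.

    list-rules is paginated, so follow NextMarker until it is absent.
    """
    rules: List[Dict] = []
    marker = None
    while True:
        cmd = ["aws", "waf", "list-rules", "--output", "json"]
        if marker:
            cmd += ["--next-marker", marker]
        listing = json.loads(subprocess.check_output(cmd))
        for summary in listing.get("Rules", []):
            detail = json.loads(subprocess.check_output(
                ["aws", "waf", "get-rule", "--rule-id", summary["RuleId"],
                 "--output", "json"]))
            rules.append(detail["Rule"])
        marker = listing.get("NextMarker")
        if not marker:
            break
    return rules


if __name__ == "__main__":
    # Run against the constructed sample; replace with fetch_rules_via_cli()
    # to audit a real account.
    for finding in rules_without_conditions(SAMPLE_RULES):
        print(f"FAIL {finding['RuleId']} ({finding['Name']}): no conditions defined")
```

A rule that fails this check is the remediation target for the steps that follow; the missing Predicates key is handled identically to an empty list because the CLI omits nothing here in practice, but the script should not crash on hand-edited JSON.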

Implementation Steps:

Using AWS Console:

  1. Navigate to AWS WAF Classic > Rules.

  2. Select the rule to update.

  3. Add one or more conditions, such as IP match condition, size constraint, or cross-site scripting condition.

  4. Save the updated rule configuration.

Using AWS CLI:

  1. Obtain a change token (WAF Classic requires one for every update call):

    aws waf get-change-token

  2. Add a condition to the rule (the shorthand value is quoted so the shell does not brace-expand the Predicate map):

    aws waf update-rule \
    --rule-id <rule-id> \
    --change-token <change-token> \
    --updates 'Action=INSERT,Predicate={Negated=false,Type=<condition-type>,DataId=<condition-id>}'

  3. Verify the updated configuration:

    aws waf get-rule --rule-id <rule-id>

Backout Plan

Using AWS Console:

  1. If adding conditions causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS WAF & Shield, select the Regional rule, and go to the Conditions section.

  3. Remove or modify the conditions as needed.

  4. Save the changes and verify that the rule is functioning as intended.

Using AWS CLI:

  1. Obtain a change token, then remove the condition from the rule with a DELETE update that names the same predicate type and condition id that was inserted:

    aws waf get-change-token

    aws waf update-rule \
    --rule-id <RULE_ID> \
    --change-token <CHANGE_TOKEN> \
    --updates 'Action=DELETE,Predicate={Negated=false,Type=<condition-type>,DataId=<condition-id>}'

  2. Verify the updated rule:

    aws waf get-rule --rule-id <RULE_ID>
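Both the remediation (INSERT) and the backout (DELETE) go through the same `--updates` shorthand, and a careless backout can remove a rule's only condition and recreate the exact state this control flags. The following added example, which is not part of the benchmark or the AWS CLI, builds the update-rule invocation for either action and refuses to generate a backout that would empty the rule. The predicate type list is the set of Type values WAF Classic accepts; the rule and change-token values in the test are constructed placeholders.

```python
from typing import Dict, List, Optional

# Type values accepted in a WAF Classic rule predicate.
PREDICATE_TYPES = {
    "IPMatch", "ByteMatch", "SqlInjectionMatch", "GeoMatch",
    "SizeConstraint", "XssMatch", "RegexMatch",
}


def predicate_update(action: str, condition_type: str, data_id: str,
                     negated: bool = False) -> str:
    """Render one --updates entry in the CLI's shorthand syntax."""
    if action not in ("INSERT", "DELETE"):
        raise ValueError(f"action must be INSERT or DELETE, got {action!r}")
    if condition_type not in PREDICATE_TYPES:
        raise ValueError(f"unknown condition type {condition_type!r}")
    negated_text = "true" if negated else "false"
    return (f"Action={action},Predicate={{Negated={negated_text},"
            f"Type={condition_type},DataId={data_id}}}")


def update_rule_command(rule_id: str, change_token: str,
                        updates: List[str]) -> List[str]:
    """argv for `aws waf update-rule`; passing a list avoids shell brace expansion."""
    return ["aws", "waf", "update-rule", "--rule-id", rule_id,
            "--change-token", change_token, "--updates", *updates]


def removal_blocker(rule: Dict, data_id: str) -> Optional[str]:
    """Return why predicate `data_id` cannot be removed from `rule`, or None.

    `rule` is the "Rule" object from `aws waf get-rule`.
    """
    predicates = rule.get("Predicates") or []
    matching = [p for p in predicates if p["DataId"] == data_id]
    if not matching:
        return f"predicate {data_id} is not attached to rule {rule['RuleId']}"
    if len(matching) == len(predicates):
        return "removing it would leave the rule with no conditions"
    return None


def backout_updates(rule: Dict, data_id: str) -> List[str]:
    """DELETE updates that detach predicate `data_id`, with the safety check applied."""
    blocker = removal_blocker(rule, data_id)
    if blocker is not None:
        raise ValueError(blocker)
    return [predicate_update("DELETE", p["Type"], p["DataId"], p["Negated"])
            for p in (rule.get("Predicates") or []) if p["DataId"] == data_id]


if __name__ == "__main__":
    # Constructed rule and placeholder token; a real token comes from
    # `aws waf get-change-token`.
    rule = {"RuleId": "RULE_ID_PLACEHOLDER", "Predicates": [
        {"Negated": False, "Type": "IPMatch", "DataId": "IP_SET_ID_PLACEHOLDER"},
        {"Negated": True, "Type": "SizeConstraint", "DataId": "SIZE_SET_ID_PLACEHOLDER"},
    ]}
    print(" ".join(update_rule_command(
        rule["RuleId"], "CHANGE_TOKEN_PLACEHOLDER",
        backout_updates(rule, "SIZE_SET_ID_PLACEHOLDER"))))
```

Because the argv list is handed to subprocess rather than to a shell, the braces in the Predicate map reach the CLI intact; when typing the command by hand, keep the single quotes shown in the steps above for the same reason.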

References

CIS Controls

Version | Control ID | Control Description                                                                                         | IG1 | IG2 | IG3
--------|------------|-------------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 5.3        | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.          |     |     |
v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.   |     |     |