Profile Applicability

  • Level 2

Description

A rule group in AWS WAF Classic is a reusable set of rules that can be applied to WebACLs. Ensuring that each rule group contains at least one rule is essential for defining traffic filtering logic. Without any rules, the rule group cannot enforce any security measures, leaving your resources unprotected.

Rationale

  • Enhanced Security: Ensures that rule groups enforce traffic filtering logic.

  • Risk Mitigation: Reduces the risk of malicious traffic bypassing security measures.

  • Compliance: Aligns with best practices for web application security.

Impact

Pros:

  • Implements security logic to protect web applications.

  • Allows targeted filtering of traffic based on specific rules.

  • Improves compliance with security policies.

Cons:

  • Requires careful design of rules to avoid blocking legitimate traffic.

  • Additional configuration and maintenance may be needed for complex rules.

Default Value

By default, rule groups may exist without any rules. Rules must be explicitly added to define filtering logic.

Pre-Requisite

IAM Permissions Required:

  • waf:ListRuleGroups

  • waf:GetRuleGroup

  • waf:UpdateRuleGroup

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS WAF Classic > Rule Groups.

  3. Select a rule group to view its configuration.

  4. Verify if the rule group includes at least one rule.

Using AWS CLI:

  1. List all rule groups:

    aws waf list-rule-groups

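  2. List the rules activated in a specific rule group (get-rule-group returns only the group's ID, name, and metric name, not its rules):

    aws waf list-activated-rules-in-rule-group --rule-group-id <rule-group-id>

  3. Check the ActivatedRules field in the output. Ensure it contains at least one rule.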
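
The CLI check above, applied to every rule group in an account, as an added example that is not part of the original benchmark text. It assumes a boto3 WAF Classic client and calls list_activated_rules_in_rule_group (which needs the waf:ListActivatedRulesInRuleGroup permission); SampleWaf and its IDs are constructed so the script runs offline.

```python
def paginate(call, key, **kwargs):
    """Yield items from a WAF Classic list call, following NextMarker."""
    while True:
        page = call(Limit=100, **kwargs)
        items = page.get(key, [])
        yield from items
        marker = page.get("NextMarker")
        # Stop on a missing marker or an empty page, so a marker returned
        # alongside the final page cannot cause an endless loop.
        if not items or not marker:
            return
        kwargs["NextMarker"] = marker


def audit_rule_groups(waf):
    """Return (rule_group_id, name, rule_count) for every rule group."""
    results = []
    for group in paginate(waf.list_rule_groups, "RuleGroups"):
        rules = paginate(waf.list_activated_rules_in_rule_group,
                         "ActivatedRules", RuleGroupId=group["RuleGroupId"])
        results.append((group["RuleGroupId"], group["Name"], sum(1 for _ in rules)))
    return results


def empty_rule_groups(waf):
    """Rule groups that fail the check: no activated rules."""
    return [(gid, name) for gid, name, n in audit_rule_groups(waf) if n == 0]


class SampleWaf:
    """Constructed stand-in for boto3.client("waf"); all IDs are made up."""
    groups = [{"RuleGroupId": "rg-sample-1", "Name": "edge-blocklist"},
              {"RuleGroupId": "rg-sample-2", "Name": "unused-group"}]
    rules = {"rg-sample-1": [{"Priority": 1, "RuleId": "rule-sample-1",
                              "Action": {"Type": "BLOCK"}}],
             "rg-sample-2": []}

    def list_rule_groups(self, Limit, NextMarker=None):
        # Returns a marker with the non-empty page to exercise the stop condition.
        return {"RuleGroups": [] if NextMarker else self.groups, "NextMarker": "m1"}

    def list_activated_rules_in_rule_group(self, RuleGroupId, Limit, NextMarker=None):
        return {"ActivatedRules": [] if NextMarker else self.rules[RuleGroupId]}


if __name__ == "__main__":
    # Swap SampleWaf() for boto3.client("waf") to audit a real account.
    for gid, name in empty_rule_groups(SampleWaf()):
        print(f"FAIL {gid} ({name}): rule group has no rules")
```

A non-empty result from empty_rule_groups means at least one rule group fails this check.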

Implementation Steps:

Using AWS Console:

  1. Navigate to AWS WAF Classic > Rule Groups.

  2. Select the rule group to update.

  3. Add one or more rules to the rule group by specifying the desired conditions (e.g., IP match, string match, or regex match).

  4. Save the updated rule group configuration.

Using AWS CLI:

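  1. Add a rule to the rule group. WAF Classic updates require a change token, and the --updates value is quoted so the shell does not expand the braces:

    CHANGE_TOKEN=$(aws waf get-change-token --query ChangeToken --output text)
    aws waf update-rule-group \
    --rule-group-id <rule-group-id> \
    --change-token "$CHANGE_TOKEN" \
    --updates 'Action=INSERT,ActivatedRule={Priority=1,RuleId=<rule-id>,Action={Type=BLOCK}}'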

  2. Verify the updated configuration:

    aws waf list-activated-rules-in-rule-group --rule-group-id <rule-group-id>

Backout Plan

Using AWS Console:

  1. If adding a rule causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS WAF & Shield, select the Global Rule Group, and go to the Rules section.

  3. Remove or modify the rule as necessary.

  4. Save the changes and verify that the rule group is functioning correctly.

Using AWS CLI:

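  1. To remove a rule from a Global Rule Group, run the following, using the same Priority and Action the rule was inserted with:

    CHANGE_TOKEN=$(aws waf get-change-token --query ChangeToken --output text)
    aws waf update-rule-group --rule-group-id <RULE_GROUP_ID> \
      --change-token "$CHANGE_TOKEN" \
      --updates 'Action=DELETE,ActivatedRule={Priority=1,RuleId=<RULE_ID>,Action={Type=BLOCK}}'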

  2. Verify that the rule has been removed:

    aws waf list-activated-rules-in-rule-group --rule-group-id <RULE_GROUP_ID>

References

CIS Controls

| Version | Control ID | Control Description | IG1 | IG2 | IG3 |
|---------|------------|---------------------|-----|-----|-----|
| v8 | 5.3 | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant. | | | |
| v8 | 13.2 | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. | | | |