Profile Applicability

  • Level 2

Description

A rule in AWS WAF Classic specifies criteria, called conditions, to filter web requests, such as IP match conditions, size constraints, SQL injection match conditions, and others. Ensuring each rule includes at least one condition helps enforce filtering logic that protects your resources from malicious requests or unauthorized access.

Rationale

  • Enhanced Security: Defines criteria to filter traffic based on specific conditions.

  • Risk Mitigation: Reduces the chance of allowing harmful requests to pass through.

  • Compliance: Aligns with industry best practices for web application security.

Impact

Pros:

  • Implements security logic to protect web applications.

  • Allows targeted filtering of traffic based on specific conditions.

  • Improves compliance with security policies.

Cons:

  • Requires careful design of rules to avoid blocking legitimate traffic.

  • Additional configuration and maintenance may be needed for complex conditions.

Default Value

By default, rules may exist without any conditions. Conditions must be explicitly added to define filtering logic.

Pre-Requisite

IAM Permissions Required:

  • waf:ListRules

  • waf:GetRule

  • waf:UpdateRule

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS WAF Classic > Rules.

  3. Select a rule to view its configuration.

  4. Verify if the rule includes at least one condition.

Using AWS CLI:

  1. List all rules:

    aws waf list-rules

  2. Retrieve details of a specific rule:

    aws waf get-rule --rule-id <rule-id>

  3. Check the Predicates field in the output. Ensure it includes at least one condition.

Implementation Steps:

Using AWS Console:

  1. Navigate to AWS WAF Classic > Rules.

  2. Select the rule to update.

  3. Add one or more conditions, such as IP match condition, size constraint, or cross-site scripting condition.

  4. Save the updated rule configuration.

Using AWS CLI:

  1. Add a condition to the rule:

    aws waf update-rule \
--rule-id <rule-id> \
--updates Action=INSERT,Predicate={Negated=false,Type=<condition-type>,DataId=<condition-id>}

  1. Verify the updated configuration:

    aws waf get-rule --rule-id <rule-id>

Backout Plan

Using AWS Console:

  1. If adding a condition causes issues, sign in to the AWS Management Console.
    Navigate to AWS WAF & Shield, select the Global rule, and go to the Conditions section.

  2. Remove or modify the condition as needed.

  3. Save the changes and verify that the rule is functioning correctly.

Using AWS CLI:

  1. To remove a condition from the rule, run:

    aws waf update-rule --rule-id <RULE_ID> --conditions '[{"Type": "IPMatch", "Data": {"Value": "203.0.113.0/24"}}]'

  2. Verify the updated rule:

    aws waf get-rule --rule-id <RULE_ID>

References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.