Profile Applicability

  • Level 2

Description

A Web Access Control List (WebACL) in AWS WAF Classic is used to define rules that filter and control web traffic to your resources. Ensuring that a WebACL has at least one rule or rule group helps protect your applications from malicious requests, such as SQL injection or cross-site scripting (XSS) attacks.

Rationale

  • Enhanced Security: Protects web applications by filtering malicious traffic.

  • Risk Mitigation: Reduces the risk of vulnerabilities being exploited.

  • Compliance: Aligns with security best practices for web application protection.

Impact

Pros:

  • Provides a layer of security for web applications.

  • Blocks or allows traffic based on defined rules.

  • Improves compliance with security standards.

Cons:

  • Requires proper configuration and maintenance of rules.

  • May introduce complexity if rules are not well-defined.

Default Value

By default, a WebACL may not have any rules or rule groups. Rules must be explicitly added during or after WebACL creation; until they are, the WebACL's default action (ALLOW or BLOCK) is applied to every request and no inspection takes place.

Pre-Requisite

IAM Permissions Required:

  • waf:ListWebACLs

  • waf:GetWebACL

  • waf:GetChangeToken (every WAF Classic update call requires a change token)

  • waf:UpdateWebACL

Tools Required:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS WAF Classic > WebACLs.

  3. Select the WebACL to review its configuration.

  4. Verify that at least one rule or rule group is associated with the WebACL.

Using AWS CLI:

  1. List all WebACLs:

    aws waf list-web-acls

  2. Retrieve the details of a specific WebACL:

    aws waf get-web-acl --web-acl-id <web-acl-id>

  3. Check the Rules field in the output. Ensure it contains at least one entry; rule groups appear in the same list with "Type": "GROUP". If Rules is empty, the WebACL's DefaultAction is applied to every request and nothing is filtered.

  Note: aws waf addresses the Global (CloudFront) WAF Classic API. For WebACLs attached to Application Load Balancers or API Gateway, use aws waf-regional with the same subcommands and the --region option.
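The CLI audit above, automated as an added example that is not part of the benchmark: it pages through ListWebACLs, fetches each WebACL, and reports those whose Rules list is empty together with their default action. It assumes boto3 and credentials only when pointed at a real account; offline it runs against the constructed responses embedded below, and FakeWafClient, SAMPLE_WEB_ACLS and the IDs in it are placeholders, not real resources.

```python
"""Audit WAF Classic WebACLs for the 'at least one rule or rule group' check.
Added example, not part of the benchmark. Against a live account pass a boto3
'waf' client (or 'waf-regional' for ALB/API Gateway WebACLs); offline it runs
on the constructed responses below, shaped like `aws waf get-web-acl` output."""

def web_acl_has_rules(web_acl):
    """True if the GetWebACL 'WebACL' object has at least one entry in Rules.
    Rule groups are listed there too (Type 'GROUP'), so they count."""
    return len(web_acl.get("Rules") or []) > 0

def audit_web_acls(web_acls):
    """Return [(WebACLId, Name, DefaultAction)] for WebACLs with no rules.
    DefaultAction matters: with no rules it decides every request, and an
    empty WebACL defaulting to ALLOW inspects nothing at all."""
    return [(a["WebACLId"], a["Name"], a["DefaultAction"]["Type"])
            for a in web_acls if not web_acl_has_rules(a)]

def fetch_web_acls(client):
    """Page through ListWebACLs and resolve each summary with GetWebACL."""
    acls, kwargs = [], {}
    while True:
        page = client.list_web_acls(**kwargs)
        for summary in page.get("WebACLs", []):
            acls.append(client.get_web_acl(WebACLId=summary["WebACLId"])["WebACL"])
        if not page.get("NextMarker"):
            return acls
        kwargs = {"NextMarker": page["NextMarker"]}

# Constructed sample data with placeholder IDs, not real resources.
SAMPLE_WEB_ACLS = {
    "acl-with-rule": {"WebACLId": "acl-with-rule", "Name": "prod-cf-acl",
                      "DefaultAction": {"Type": "ALLOW"},
                      "Rules": [{"Priority": 1, "RuleId": "rule-sqli",
                                 "Type": "REGULAR", "Action": {"Type": "BLOCK"}}]},
    "acl-empty": {"WebACLId": "acl-empty", "Name": "staging-acl",
                  "DefaultAction": {"Type": "ALLOW"}, "Rules": []},
}

class FakeWafClient:
    """Stand-in boto3 'waf' client serving the constructed data one per page."""
    def list_web_acls(self, NextMarker=None, Limit=None):
        ids = sorted(SAMPLE_WEB_ACLS)
        start = ids.index(NextMarker) if NextMarker else 0
        page = {"WebACLs": [{"WebACLId": i, "Name": SAMPLE_WEB_ACLS[i]["Name"]}
                            for i in ids[start:start + 1]]}
        if start + 1 < len(ids):
            page["NextMarker"] = ids[start + 1]  # exercises pagination handling
        return page
    def get_web_acl(self, WebACLId):
        return {"WebACL": SAMPLE_WEB_ACLS[WebACLId]}
```

Replace FakeWafClient() with boto3.client("waf") or boto3.client("waf-regional", region_name=...) to audit a real account; each tuple returned by audit_web_acls is a finding for this control.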

Implementation Steps:

Using AWS Console:

  1. Navigate to AWS WAF Classic > WebACLs.

  2. Select the WebACL to update.

  3. Add a rule or rule group to the WebACL by specifying the desired conditions (e.g., IP match, string match, or regex match).

  4. Save the changes.

Using AWS CLI:

  1. Obtain a change token (every WAF Classic update call requires one):

    aws waf get-change-token

  2. Add a rule to the WebACL. The --updates value is quoted so the shell does not brace-expand it:

    aws waf update-web-acl \
    --web-acl-id <web-acl-id> \
    --change-token <change-token> \
    --updates 'Action=INSERT,ActivatedRule={Priority=1,RuleId=<rule-id>,Action={Type=BLOCK}}'

    To add a rule group instead, set Type=GROUP and use OverrideAction={Type=NONE} in place of Action.

  3. Verify the updated configuration:

    aws waf get-web-acl --web-acl-id <web-acl-id>

Backout Plan

Using AWS Console:

  1. If adding a rule or rule group causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS WAF & Shield > AWS WAF Classic > WebACLs, select the affected (Regional or Global) WebACL, and open its Rules section.

  3. Remove or modify the rule as necessary.

  4. Save the changes and verify that the WebACL is functioning correctly.

Using AWS CLI:

  1. Obtain a change token:

    aws waf get-change-token

  2. Remove the rule from the WebACL (use aws waf-regional for a Regional WebACL). The ActivatedRule values must match the entry shown by get-web-acl (same Priority, RuleId and Action):

    aws waf update-web-acl \
    --web-acl-id <WEB_ACL_ID> \
    --change-token <CHANGE_TOKEN> \
    --updates 'Action=DELETE,ActivatedRule={Priority=1,RuleId=<RULE_ID>,Action={Type=BLOCK}}'

  3. Verify that the rule has been removed:

    aws waf get-web-acl --web-acl-id <WEB_ACL_ID>

References

CIS Controls

  Version | Control ID | Control Description                                                                                      | IG1 | IG2 | IG3
  --------|------------|----------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 5.3        | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.        |     |     |
  v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. |     |     |