Profile Applicability:

  • Level 1

Description:

AWS Application Load Balancer (ALB) is a fully managed load balancing service that automatically distributes incoming traffic to targets such as EC2 instances, containers, and IP addresses. AWS WAF (Web Application Firewall) helps protect web applications by filtering malicious traffic. This SOP ensures that an Application Load Balancer (ALB) has a WAF Web ACL (Access Control List) attached. The Web ACL provides additional protection against common web exploits like SQL injection, cross-site scripting (XSS), and DDoS attacks.

Rationale:

  • Security: Associating AWS WAF with the ALB provides additional protection by filtering out malicious requests and protecting against common web application attacks.

  • Compliance: Many security standards require the use of a WAF to safeguard web applications, including PCI-DSS and SOC 2.

  • Risk Mitigation: A WAF protects ALBs from various threats, reducing the risk of data breaches, unauthorized access, and service disruptions.

Impact:

Pros:

  • Improved Security: Helps block malicious traffic before it reaches your applications, protecting them from attacks like SQL injection, XSS, and DDoS.

  • Compliance: Meets regulatory requirements for web application security.

  • Operational Control: Allows customization of the WAF Web ACL to handle different types of malicious requests based on the needs of your application.

Cons:

  • Performance Impact: Enabling WAF may introduce some latency due to additional inspection of requests.

  • Complexity: Configuring and managing WAF Web ACLs requires careful tuning to avoid blocking legitimate traffic.

Default Value:

By default, AWS ALBs do not have a WAF Web ACL attached unless explicitly configured.

Pre-requisite:

  • AWS IAM Permissions:

    • wafv2:ListWebACLs

    • wafv2:AssociateWebACL

    • wafv2:DescribeWebACL

    • elasticloadbalancing:DescribeLoadBalancers

  • AWS CLI installed and configured.

  • Ensure AWS WAF is set up with an existing Web ACL before associating it with the Application Load Balancer.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing under Services.

  3. In the Load Balancers section, select the Application Load Balancer.

  4. Under the Listeners tab, verify whether the WAF Web ACL is attached:

    • If the WAF Web ACL is attached, it will appear under the Web ACL section.

    • If no Web ACL is attached, you'll need to configure one.

  5. Navigate to AWS WAF in the Services menu and verify the Web ACL associated with the ALB.

Using AWS CLI:

  1. To describe the Application Load Balancer, run:

    aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application`].{Name:LoadBalancerName,WebAclArn:WebAclArn}'

  2. If the WebAclArn is returned, it indicates that a WAF Web ACL is associated with the ALB.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Elastic Load Balancing.

  2. In the Load Balancers section, select the Application Load Balancer you want to configure.

  3. In the Listeners tab, click on the Actions button and select Edit WAF Web ACL association.

  4. Select the Web ACL you want to associate with the ALB or create a new one.

  5. Save the changes to associate the WAF Web ACL with the Application Load Balancer.

Using AWS CLI:

  1. To associate a Web ACL with the Application Load Balancer, run the following command:

    aws wafv2 associate-web-acl --resource-arn arn:aws:elasticloadbalancing:<region>:<account-id>:loadbalancer/app/<load-balancer-name> --web-acl-arn arn:aws:wafv2:<region>:<account-id>:webacl/<web-acl-name> --scope REGIONAL

  2. To verify the association, run:

    aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application`].{Name:LoadBalancerName,WebAclArn:WebAclArn}'

Backout Plan:

Using AWS Console:

  1. If attaching the WAF Web ACL causes issues, sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing, select the ALB, and go to the Description tab.

  3. Click Edit WebACL and remove the attached Web ACL.

  4. Save the changes and verify that the Web ACL has been removed.

Using AWS CLI:

  1. To detach the WAF Web ACL, run:

    aws wafv2 disassociate-web-acl --web-acl-arn <WEB_ACL_ARN> --resource-arn <LOAD_BALANCER_ARN>

  2. Verify that the WAF Web ACL has been detached:

    aws elbv2 describe-load-balancers --load-balancer-arn <LOAD_BALANCER_ARN>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.