Profile Applicability:

  • Level 1

Description:

AWS WAFv2 (Web Application Firewall) helps protect web applications from common web exploits by letting you configure rules that monitor and filter traffic. A WebACL (Web Access Control List) is the collection of rules and rule groups that defines how AWS WAF inspects and handles incoming requests. This SOP ensures that every AWS WAFv2 WebACL contains at least one rule or rule group, so that the web application is actually protected from malicious traffic.

Rationale:

  • Security: If no rules are configured in a WebACL, the WAF does not provide any protection, leaving the web application vulnerable to attacks.

  • Best Practices: AWS best practices recommend defining rules and rule groups in WAFv2 to ensure that malicious or undesired traffic is blocked effectively.

  • Compliance: Many compliance frameworks (e.g., PCI-DSS, SOC 2) require active security measures such as WAF rules to protect applications from web exploits.

Impact:

Pros:

  • Improved Security: Ensures that malicious traffic is filtered before reaching the application.

  • Compliance: Helps meet security compliance requirements that mandate WAF configurations.

  • Traffic Management: With proper rules in place, you can better manage traffic to your web applications.

Cons:

  • Operational Overhead: Configuring and managing WAF rules requires ongoing oversight and may add complexity to the network security configuration.

  • False Positives: Poorly defined rules may result in legitimate traffic being blocked, requiring adjustments and fine-tuning.

Default Value:

By default, a newly created AWS WAFv2 WebACL contains no rules or rule groups; it applies only its default action to every request. The user must configure rules and attach them to the WebACL before it filters any traffic.

Pre-requisite:

  • AWS IAM Permissions:

    • wafv2:GetWebACL

    • wafv2:ListWebACLs

    • wafv2:UpdateWebACL

  • AWS CLI installed and configured.

  • AWS WAFv2 WebACL created and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS WAF & Shield under Security, Identity, & Compliance.

  3. In the WAFv2 Console, go to WebACLs.

  4. Select the WebACL to check.

  5. Under the Rules tab, check if at least one rule or rule group is attached to the WebACL. If no rules or rule groups are present, the WebACL is not providing any protection.

  6. If the WebACL does not have any rules or rule groups, follow the Implementation Steps below to create and attach the necessary rules.

Using AWS CLI:

  1. To retrieve the WAFv2 WebACL and check whether it contains any rules, run the following (the WebACL id comes from aws wafv2 list-web-acls --scope REGIONAL; for the CLOUDFRONT scope use --scope CLOUDFRONT together with --region us-east-1):

    aws wafv2 get-web-acl --name <web-acl-name> --scope REGIONAL --id <web-acl-id> --query 'WebACL.Rules'

  2. If the output is an empty list, the WebACL has no rules configured and applies only its default action to every request:

    []

  3. If there are no rules, you will need to configure and attach rules to the WebACL using the steps below.
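The CLI check above covers one WebACL at a time. The script below is an added example, not part of this SOP, that automates the same check across every WebACL in a scope: it pages through ListWebACLs (an audit that reads only the first page misses ACLs), fetches each ACL with GetWebACL and reports those whose Rules list is empty. It accepts any object exposing the boto3 wafv2 methods list_web_acls and get_web_acl, so in production you pass boto3.client("wafv2", region_name=...); the FakeWafv2Client and its ACL names are constructed sample data so the example runs offline.

```python
"""Audit AWS WAFv2 web ACLs for an empty rule set (added example, not part of the SOP)."""
from __future__ import annotations

from typing import Any, Iterator


def iter_web_acls(client: Any, scope: str) -> Iterator[dict]:
    """Yield every web ACL summary in `scope`, following NextMarker pagination.

    ListWebACLs returns at most `Limit` entries per call, so the loop
    continues until a response carries no NextMarker.
    """
    kwargs: dict[str, Any] = {"Scope": scope, "Limit": 100}
    while True:
        resp = client.list_web_acls(**kwargs)
        yield from resp.get("WebACLs", [])
        marker = resp.get("NextMarker")
        if not marker:
            return
        kwargs["NextMarker"] = marker


def find_empty_web_acls(client: Any, scope: str = "REGIONAL") -> list[dict]:
    """Return one finding per web ACL whose Rules list is empty.

    Such an ACL applies only its DefaultAction to every request and inspects
    nothing, which is the condition this SOP checks for. For the CLOUDFRONT
    scope the client must be created in us-east-1.
    """
    findings: list[dict] = []
    for summary in iter_web_acls(client, scope):
        acl = client.get_web_acl(Name=summary["Name"], Scope=scope, Id=summary["Id"])["WebACL"]
        if not acl.get("Rules"):
            findings.append(
                {
                    "Name": acl["Name"],
                    "Id": acl["Id"],
                    # DefaultAction is {"Allow": {}} or {"Block": {}}; report the key.
                    "DefaultAction": next(iter(acl["DefaultAction"])),
                }
            )
    return findings


class FakeWafv2Client:
    """Constructed stand-in for boto3's wafv2 client, returning two pages of ACLs."""

    def __init__(self) -> None:
        self._acls = {
            "acl-1": {"Name": "prod-api", "Id": "acl-1", "DefaultAction": {"Allow": {}},
                      "Rules": [{"Name": "aws-managed-common", "Priority": 0}]},
            "acl-2": {"Name": "legacy-site", "Id": "acl-2", "DefaultAction": {"Allow": {}},
                      "Rules": []},
            "acl-3": {"Name": "staging", "Id": "acl-3", "DefaultAction": {"Block": {}},
                      "Rules": []},
        }

    def list_web_acls(self, Scope: str, Limit: int = 100, NextMarker: str | None = None) -> dict:
        summaries = [{"Name": a["Name"], "Id": a["Id"]} for a in self._acls.values()]
        if NextMarker is None:
            return {"WebACLs": summaries[:2], "NextMarker": "page-2"}
        return {"WebACLs": summaries[2:]}

    def get_web_acl(self, Name: str, Scope: str, Id: str) -> dict:
        return {"WebACL": self._acls[Id], "LockToken": "constructed-lock-token"}


if __name__ == "__main__":
    for f in find_empty_web_acls(FakeWafv2Client()):
        print(f"FAIL {f['Name']} ({f['Id']}): no rules, default action {f['DefaultAction']}")
```

Against the constructed data the script flags legacy-site and staging; prod-api passes because it carries one rule group reference. The staging ACL is still reported even though its default action is Block: the SOP's condition is the absence of rules, not the default action.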

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to AWS WAF & Shield.

  2. In the WAFv2 Console, go to WebACLs and select the WebACL you want to modify.

  3. Under the Rules tab, click Add Rule or Add Rule Group.

  4. Create a new rule or select an existing rule group that fits your security needs.

  5. Attach the rule or rule group to the WebACL.

  6. Save the changes and ensure that the WebACL is now protecting the application.

Using AWS CLI:

  1. To add a WAFv2 rule to the WebACL, first retrieve the current lock token (update-web-acl requires it), then run update-web-acl. Note that update-web-acl replaces the entire rule set, so include any existing rules alongside the new one; SearchString is a binary field and is passed base64-encoded to AWS CLI v2:

    aws wafv2 get-web-acl --name <web-acl-name> --scope REGIONAL --id <web-acl-id> --query 'LockToken' --output text

    aws wafv2 update-web-acl --name <web-acl-name> --scope REGIONAL --id <web-acl-id> \
      --lock-token <lock-token> \
      --default-action Allow={} \
      --rules '[{"Name":"<rule-name>","Priority":1,"Action":{"Block":{}},"Statement":{"ByteMatchStatement":{"SearchString":"<base64-encoded-pattern>","FieldToMatch":{"Body":{}},"TextTransformations":[{"Priority":0,"Type":"NONE"}],"PositionalConstraint":"CONTAINS"}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"<metric-name>"}}]' \
      --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=<metric-name>"

  2. To verify that the rule has been added, run:

    aws wafv2 get-web-acl --name <web-acl-name> --scope REGIONAL --id <web-acl-id> --query 'WebACL.Rules'

Backout Plan:

Using AWS Console:

  1. If changes to WebACL rules cause issues, navigate back to the WebACL configuration in the AWS WAF Console.

  2. Remove the rule or rule group causing issues.

  3. Save the changes.

Using AWS CLI:

  1. To remove a rule or rule group from the WebACL, pass the rule set that should remain together with the current lock token (an empty JSON list, [], in empty-rules.json removes every rule; --default-action and --visibility-config are required on every update, so repeat the WebACL's existing values):

    aws wafv2 update-web-acl --name <WEBACL_NAME> --scope <REGIONAL_OR_CLOUDFRONT> --id <WEBACL_ID> --lock-token <LOCK_TOKEN> --default-action <EXISTING_DEFAULT_ACTION> --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=<METRIC_NAME>" --rules file://empty-rules.json --region <REGION>

  2. Verify that the rule or rule group has been removed by describing the WebACL again:

    aws wafv2 get-web-acl --name <WEBACL_NAME> --scope <REGIONAL_OR_CLOUDFRONT> --id <WEBACL_ID> --region <REGION>
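Because UpdateWebACL replaces the whole rule set, both the Implementation Steps (adding a rule) and the Backout Plan (removing one) should start from the rules the WebACL already has and carry over its DefaultAction, VisibilityConfig and LockToken from GetWebACL. The following added example, not part of this SOP, builds those payloads: a correctly structured ByteMatchStatement rule (TextTransformations list and PositionalConstraint are required; SearchString is base64-encoded as AWS CLI v2 expects for a file:// rule list, whereas boto3's update_web_acl takes raw bytes), a merge that rejects duplicate names and priorities before any API call, and a removal that keeps the other rules rather than wiping all of them. The rule names, metric names and the GetWebACL response are constructed sample values.

```python
"""Build UpdateWebACL payloads that add or remove one rule (added example, not part of the SOP)."""
from __future__ import annotations

import base64
import json


def body_byte_match_block_rule(name: str, pattern: bytes, priority: int, metric_name: str) -> dict:
    """Return a WAFv2 Rule that blocks requests whose body contains `pattern`.

    SearchString is base64-encoded here because AWS CLI v2 expects binary input
    in that form for `--rules file://rules.json`; boto3 takes the raw bytes.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {
            "ByteMatchStatement": {
                "SearchString": base64.b64encode(pattern).decode("ascii"),
                "FieldToMatch": {"Body": {}},
                # At least one transformation is required; NONE inspects the body as-is.
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                "PositionalConstraint": "CONTAINS",
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name,
        },
    }


def with_rule(existing: list[dict], new_rule: dict) -> list[dict]:
    """Return the existing rules plus new_rule, sorted by evaluation priority.

    WAF requires unique rule names and priorities within a web ACL, so a
    clash is rejected client-side instead of surfacing as an API error.
    """
    if any(r["Name"] == new_rule["Name"] for r in existing):
        raise ValueError(f"rule name already in use: {new_rule['Name']}")
    if any(r["Priority"] == new_rule["Priority"] for r in existing):
        raise ValueError(f"priority already in use: {new_rule['Priority']}")
    return sorted(existing + [new_rule], key=lambda r: r["Priority"])


def without_rule(existing: list[dict], name: str) -> list[dict]:
    """Return the rule set with `name` removed (the backout operation).

    Passing [] as the rule set, as empty-rules.json does, removes every rule;
    this keeps the remaining rules in place.
    """
    remaining = [r for r in existing if r["Name"] != name]
    if len(remaining) == len(existing):
        raise ValueError(f"no rule named {name}")
    return remaining


def update_web_acl_payload(get_web_acl_response: dict, rules: list[dict]) -> dict:
    """Assemble the full UpdateWebACL request from a GetWebACL response."""
    acl = get_web_acl_response["WebACL"]
    return {
        "Name": acl["Name"],
        "Id": acl["Id"],
        "DefaultAction": acl["DefaultAction"],          # required on every update
        "VisibilityConfig": acl["VisibilityConfig"],    # required on every update
        "LockToken": get_web_acl_response["LockToken"],  # optimistic-locking token
        "Rules": rules,
    }


# Constructed GetWebACL response for a web ACL that already carries one rule.
SAMPLE_GET_RESPONSE = {
    "WebACL": {
        "Name": "prod-api", "Id": "acl-1",
        "DefaultAction": {"Allow": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                             "MetricName": "prod-api"},
        "Rules": [body_byte_match_block_rule("block-script-tag-in-body", b"<script>", 10, "scripttag")],
    },
    "LockToken": "constructed-lock-token",
}


if __name__ == "__main__":
    new_rule = body_byte_match_block_rule("block-sqli-marker", b"UNION SELECT", 20, "unionselect")
    rules = with_rule(SAMPLE_GET_RESPONSE["WebACL"]["Rules"], new_rule)
    # Write the list for `aws wafv2 update-web-acl --rules file://rules.json`.
    print(json.dumps(update_web_acl_payload(SAMPLE_GET_RESPONSE, rules)["Rules"], indent=2))
```

Writing the Rules list of the payload to rules.json and passing it with file:// keeps the shell command free of the quoting problems that a long inline JSON string invites, and the lock token in the same payload ensures a concurrent change to the WebACL fails the update instead of being silently overwritten.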

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                | IG1 | IG2 | IG3
  --------|------------|--------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                               |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.            |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                    |     |     |