Security Center default policy setting 'Monitor Web Application Firewall' should be enabled

Affecting Security Center service in Azure


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Monitoring / Operating System

Frameworks: CIS-Azure, HIPAA, SOC-2
  • Snyk ID: SNYK-CC-00669
  • Credit: Snyk Research Team

Description

Security Center default policy setting 'Monitor Web Application Firewall' should be enabled. When this setting is enabled, Security Center recommends that a web application firewall is provisioned on virtual machines in either of two cases: when an instance-level public IP is used and the inbound security rules for the associated network security group are configured to allow access to port 80/443, or when a load-balanced IP is used and the associated load balancing and inbound network address translation rules are configured to allow access to port 80/443.

How to fix?

Set policyDefinitionId to /providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c, and set enforcementMode to Default or remove the attribute.

Example Configuration

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2019-09-01",
            "name": "endpoint_669_allow",
            "properties": {
                "displayName": "Azure Web Application Firewall should be enabled for Azure Front Door entry-points",
                "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.",
                "enforcementMode": "Default",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c"
            }
        }
    ]
}
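
One way to check an ARM template against the fix described above, as an added example that is not Snyk's or Microsoft's code. The function name check_template and the sample templates are assumptions constructed for illustration; the policy definition ID is the one given on this page. It inspects only top-level resources with literal values (no template expressions).

```python
import json

# Policy definition ID taken from the "How to fix?" text on this page.
WAF_POLICY_ID = ("/providers/Microsoft.Authorization/policyDefinitions/"
                 "055aa869-bc98-4af8-bafc-23f1ab6ffe2c")
ASSIGNMENT_TYPE = "Microsoft.Authorization/policyAssignments"


def check_template(template_text):
    """Return (compliant, findings) for one ARM template given as JSON text."""
    template = json.loads(template_text)
    findings = []
    compliant = False
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != ASSIGNMENT_TYPE.lower():
            continue
        props = res.get("properties") or {}
        # Azure resource IDs are case-insensitive, so compare lowercased.
        if str(props.get("policyDefinitionId", "")).lower() != WAF_POLICY_ID.lower():
            continue
        # A removed (or null) enforcementMode is treated as "Default".
        mode = props.get("enforcementMode") or "Default"
        if str(mode).lower() == "default":
            compliant = True
        else:
            findings.append(f"{res.get('name')}: enforcementMode is {mode!r}")
    if not compliant and not findings:
        findings.append("no assignment of the WAF monitoring policy found")
    return compliant, findings


def _template(properties):
    # Constructed sample input: a minimal template holding one assignment.
    return json.dumps({"resources": [{"type": ASSIGNMENT_TYPE,
                                      "name": "sample_assignment",
                                      "properties": properties}]})


SAMPLES = {
    "enforced": _template({"policyDefinitionId": WAF_POLICY_ID,
                           "enforcementMode": "Default"}),
    "attribute_removed": _template({"policyDefinitionId": WAF_POLICY_ID.upper()}),
    "not_enforced": _template({"policyDefinitionId": WAF_POLICY_ID,
                               "enforcementMode": "DoNotEnforce"}),
    "other_policy": _template({"policyDefinitionId": "/providers/placeholder"}),
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, check_template(text))
```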