Severity Framework
Snyk CCSS
Rule category
Network / Firewall
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
- Snyk ID SNYK-CC-00749
- credit Snyk Research Team
Description
Enabling AWS WAF on public-facing Application Load Balancers (ALB) mitigates the risk of common web exploits that could affect application availability, compromise security, or consume excessive resources. Without WAF, this resource is more vulnerable to attacks such as SQL injection and cross-site scripting (XSS).
How to fix?
Create an AWS WAF Web ACL and associate the Web ACL with the ALB: Set the resource_arn of waf_association to aws_lb.arn and web_acl_arn to aws_wafv2_web_acl.arn.
Example Configuration
resource "aws_wafv2_web_acl" "example_web_acl" {
name = "example-web-acl"
description = "Example of a managed rule."
scope = "REGIONAL"
default_action {
allow {}
}
rule {
name = "rule-1"
priority = 1
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
rule_action_override {
action_to_use {
count {}
}
name = "SizeRestrictions_QUERYSTRING"
}
rule_action_override {
action_to_use {
count {}
}
name = "NoUserAgent_HEADER"
}
scope_down_statement {
geo_match_statement {
country_codes = ["US", "NL"]
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-rule-metric-name"
sampled_requests_enabled = false
}
}
tags = {
Tag1 = "Value1"
Tag2 = "Value2"
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-metric-name"
sampled_requests_enabled = false
}
}
resource "aws_wafv2_web_acl_association" "example_waf_association" {
resource_arn = aws_lb.valid-alb1.arn
web_acl_arn = aws_wafv2_web_acl.example_web_acl.arn
depends_on = [
aws_lb.valid-alb1,
aws_wafv2_web_acl.example_web_acl,
]
}