Homepage

Public ALB Must Be Protected by AWS WAF Affecting WAF service in AWS

Severity

0.0
high
0
10
Severity Framework
Snyk CCSS
Rule category
Network/ Firewall

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
  • Snyk IDSNYK-CC-00749
  • creditSnyk Research Team
Report a new misconfiguration Found a mistake?

Description

Enabling AWS WAF on public-facing Application Load Balancers (ALB) mitigates the risk of common web exploits that could affect application availability, compromise security, or consume excessive resources. Without WAF, this resource is more vulnerable to attacks such as SQL injection and cross-site scripting (XSS).

How to fix?

Create an AWS WAF Web ACL and associate the Web ACL with the ALB: Set the resource_arn of waf_association to aws_lb.arn and web_acl_arn to aws_wafv2_web_acl.arn.

Example Configuration


resource "aws_wafv2_web_acl" "example_web_acl" {
  name        = "example-web-acl"
  description = "Example of a managed rule."
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "SizeRestrictions_QUERYSTRING"
        }

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "NoUserAgent_HEADER"
        }

        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}

resource "aws_wafv2_web_acl_association" "example_waf_association" {
  resource_arn = aws_lb.valid-alb1.arn
  web_acl_arn  = aws_wafv2_web_acl.example_web_acl.arn

  depends_on = [
    aws_lb.valid-alb1,
    aws_wafv2_web_acl.example_web_acl,
  ]
}