AWS-ALB-WAF-ACL

Severity: Medium

Description: This control ensures that AWS WAF is enabled for public-facing application load balancers. AWS WAF monitors requests based on a web access control list (Web ACL). It can allow or count requests based on the criteria provided, and run CAPTCHA checks against requests that match those criteria. WAF uses the Web ACL to define groups of rules that are tested against incoming requests.

Remediation Steps:

Perform the following to enable WAF for the ALB:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com

Create Web ACL

  1. Navigate to the AWS WAF service.

  2. Choose Create web ACL.

  3. Enter a Name and Description.

  4. For Resource type, choose Application Load Balancer.

  5. For Region, select the region where the ALB is deployed. Choose Next.

  6. On the Add rules and rule groups page, to add a managed rule group, choose Add rules, then choose Add managed rule groups.

    1. Expand the listing for AWS managed rule groups.

    2. For the rule group to add, turn on the Add to web ACL toggle in the Action column.

    3. Choose Save rule, then choose Add rules to finish adding managed rules.

  7. On the Add rules and rule groups page, to add your own rule group, choose Add rules, then choose Add my own rules and rule groups.

    1. Choose Rule group.

    2. Enter a Name.

    3. Choose the rule group from the list, and then choose Add rule.

  8. Choose Next.

  9. On the Set rule priority page, set the processing order for the rules and rule groups in the web ACL, and then choose Next.

  10. On the Configure metrics page, configure the Amazon CloudWatch metrics, then choose Next.

  11. On the Review and create web ACL page, review the settings, then choose Create web ACL.

Associate ALB with the WAF ACL

  1. Select the Web ACL created above.

  2. On the Associated AWS resources tab, choose Add AWS resources.

  3. Select the reported Application Load Balancer (ALB) from the list.

  4. After adding the AWS resources, choose Add.

Important:

  • If the load balancer cannot get a response from AWS WAF, it returns an HTTP 500 error and does not forward the request. If the load balancer should forward requests to targets even when it cannot contact AWS WAF, enable the AWS WAF fail open attribute.
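The Create Web ACL and Associate ALB steps above expressed as Terraform, as an added example that is not part of the control text or of any AWS-provided code. It assumes the ALB already exists and that its name is supplied through var.alb_name; the Web ACL name and metric names are illustrative, and the managed rule group is an assumption (any AWS managed rule group chosen in step 6 fits the same shape).

```hcl
# Assumption: the ALB already exists; its name is supplied via var.alb_name.
variable "alb_name" { type = string }
data "aws_lb" "public" { name = var.alb_name }

# Create Web ACL: REGIONAL scope is the one an ALB requires.
resource "aws_wafv2_web_acl" "alb" {
  name        = "alb-web-acl"
  description = "Web ACL for the public-facing ALB"
  scope       = "REGIONAL"

  default_action {
    allow {} # requests matched by no rule are allowed
  }

  # Add managed rule group / set rule priority: evaluated first (priority 1).
  # override_action none keeps the group's own actions; count {} would only count.
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "alb-web-acl-common-rules"
      sampled_requests_enabled   = true
    }
  }

  # Configure metrics: CloudWatch metrics for the Web ACL as a whole.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "alb-web-acl"
    sampled_requests_enabled   = true
  }
}

# Associate ALB with the WAF ACL.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = data.aws_lb.public.arn
  web_acl_arn  = aws_wafv2_web_acl.alb.arn
}
```

The fail open behaviour from the Important note is a load balancer attribute rather than a Web ACL setting; in Terraform it is `enable_waf_fail_open = true` on the aws_lb resource that manages the ALB.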

Reference:


Blue Hexagon Proprietary