Make sure that ALB is protected by a WAF
Ensure that all your public AWS ALB are integrated with the Web Application Firewall (AWS WAF) service to protect against application-layer attacks
Risk Level: Medium
Cloud Entity: Application Load Balancer
CloudGuard Rule ID: D9.AWS.NET.35
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
ApplicationLoadBalancer where dnsName unlike '%internal%' should have webACLId
REMEDIATION
From Portal
- Login to the AWS Management Console and open AWS WAF console https://console.aws.amazon.com/wafv2/homev2
- Create the Web ACLs or select an existing one
- Select the Associated AWS resources tab
- Click on Add AWS resources
- Under Resource Type, Select the resource type and then select the resource you want to associate with this web ACL.
Note this rule requires the following permission: 'waf-regional:ListResourcesForWebACL'
From TF
Use the application load balancer as Load Balancer type:
resource "aws_alb" "test" {
internal = false
+ load_balancer_type = "application"
security_groups = [aws_security_group.lb_sg.id]
subnets = [for subnet in aws_subnet.public : subnet.id]
}
enable_deletion_protection = true
access_logs {
bucket = aws_s3_bucket.lb_logs.bucket
prefix = "test-lb"
enabled = true
}
From Command Line
To create WAF ACL , run:
aws waf create-web-acl --name NAME --metric-name METRIC-NAME --default-action Type=BLOCK --change-token TOKEN
References
- https://docs.aws.amazon.com/waf/latest/developerguide/getting-started.html
- https://docs.aws.amazon.com/config/latest/developerguide/alb-waf-enabled.html
- https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/
- https://docs.aws.amazon.com/cli/latest/reference/waf/create-web-acl.html
Application Load Balancer
An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated about 1 year ago