More Info:

WAF Regional WebAcl should not be empty

Risk Level

High

Address

Security

Compliance Standards

CBP,RBI_UCB

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of having empty WAF Regional Rules in AWS CloudWatch using the AWS console, follow these step-by-step instructions:
  1. Login to AWS Console: Go to the AWS Management Console and login with your credentials.
  2. Navigate to AWS WAF Service: In the AWS Management Console, search for “WAF & Shield” in the services search bar and click on the “WAF & Shield” service.
  3. Select the AWS WAF Regional: In the AWS WAF & Shield dashboard, click on the “AWS WAF” tab on the left-hand side.
  4. Choose the Regional Web ACL: Select the Web ACL that you want to remediate by clicking on its name.
  5. Review the Rules: In the Web ACL details page, review the rules that are currently configured. Identify any rules that are empty or not properly configured.
  6. Edit the Rule: Click on the rule that is empty or not properly configured to edit it.
  7. Add or Modify Conditions: Add appropriate conditions or modify the existing conditions for the rule to ensure it is not empty. You can define conditions based on IP addresses, request headers, query strings, etc., depending on your specific security requirements.
  8. Save the Changes: Once you have added or modified the conditions for the rule, save the changes.
  9. Deploy the Web ACL: After making the necessary changes, deploy the Web ACL to ensure that the changes take effect.
  10. Monitor the Web ACL: Regularly monitor the Web ACL to ensure that the rules are properly configured and not empty.
By following these steps, you can remediate the misconfiguration of having empty WAF Regional Rules in AWS CloudWatch using the AWS console.

To remediate the misconfiguration of empty WAF Regional Rules in AWS CloudWatch using AWS CLI, follow these steps:
  1. List the WAF Regional Rules in your AWS account by running the following command in AWS CLI:
aws waf-regional list-web-acls
  1. Identify the Web ACL ID of the WAF Regional Rules that are empty.
  2. Update the empty WAF Regional Rules by adding appropriate rules using the following command: 
aws waf-regional update-web-acl --web-acl-id <WebACLID> --updates file://update-rules.json
Replace <WebACLID> with the actual Web ACL ID of the empty WAF Regional Rules.
  1. Create a JSON file named update-rules.json with the appropriate WAF rules that you want to add. Here is an example of how the JSON file may look like:
[
    {
        "Action": "INSERT",
        "ActivatedRule": {
            "Priority": 1,
            "RuleId": "AWSManagedRulesCommonRuleSet"
        }
    },
    {
        "Action": "INSERT",
        "ActivatedRule": {
            "Priority": 2,
            "RuleId": "AWSManagedRulesKnownBadInputsRuleSet"
        }
    }
]
  1. Run the update command with the JSON file to add the rules to the empty WAF Regional Rules.
  2. Verify that the WAF Regional Rules are no longer empty by listing the Web ACLs again: 
aws waf-regional list-web-acls
By following these steps, you can remediate the misconfiguration of empty WAF Regional Rules in AWS CloudWatch using AWS CLI.
To remediate the misconfiguration of WAF Regional Rules being empty in AWS CloudWatch using Python, you can follow these steps:
  1. Install the Boto3 library for AWS SDK for Python by running the following command: 
    pip install boto3
  2. Use the following Python script to check if the WAF Regional Rules are empty and update them if necessary: 
import boto3

def remediate_empty_waf_rules():
    # Create a WAF client
    waf_client = boto3.client('waf-regional')

    # Get the list of WebACLs
    response = waf_client.list_web_acls()

    for web_acl in response['WebACLs']:
        web_acl_id = web_acl['WebACLId']
        
        # Get the rules for the WebACL
        rules_response = waf_client.get_web_acl(WebACLId=web_acl_id)
        
        # Check if the rules are empty
        if not rules_response['WebACL']['Rules']:
            # Add a default rule to the WebACL
            default_rule = {
                'Priority': 1,
                'RuleId': 'WAFRuleId',  # Add your desired WAF rule ID
                'Action': {
                    'Type': 'BLOCK'
                }
            }
            waf_client.update_web_acl(
                WebACLId=web_acl_id,
                ChangeToken=waf_client.get_change_token()['ChangeToken'],
                Updates=[
                    {
                        'Action': 'INSERT',
                        'ActivatedRule': {
                            'Priority': 1,
                            'RuleId': default_rule['RuleId'],
                            'Action': default_rule['Action']
                        }
                    }
                ]
            )
            print(f"WebACL {web_acl_id} updated with default WAF rule.")
        else:
            print(f"WebACL {web_acl_id} already has WAF rules.")

if __name__ == '__main__':
    remediate_empty_waf_rules()
  1. Replace 'WAFRuleId' with the desired WAF rule ID that you want to add as a default rule.
  2. Run the Python script to check and update the WAF Regional Rules in AWS CloudWatch.
This script will check each WebACL in AWS WAF Regional and add a default WAF rule if the rules are empty. It’s important to customize the default rule according to your specific security requirements before running the script.