WAF Regional Web ACL Should Not Be Empty

Using Console

Using CLI

To remediate the misconfiguration of empty WAF Regional Rules in AWS CloudWatch using AWS CLI, follow these steps:

List the WAF Regional Rules in your AWS account by running the following command in AWS CLI:

aws waf-regional list-web-acls

Identify the Web ACL ID of the WAF Regional Rules that are empty.
Update the empty WAF Regional Rules by adding appropriate rules using the following command:

aws waf-regional update-web-acl --web-acl-id <WebACLID> --updates file://update-rules.json

Replace <WebACLID> with the actual Web ACL ID of the empty WAF Regional Rules.

Create a JSON file named update-rules.json with the appropriate WAF rules that you want to add. Here is an example of how the JSON file may look like:

[
    {
        "Action": "INSERT",
        "ActivatedRule": {
            "Priority": 1,
            "RuleId": "AWSManagedRulesCommonRuleSet"
        }
    },
    {
        "Action": "INSERT",
        "ActivatedRule": {
            "Priority": 2,
            "RuleId": "AWSManagedRulesKnownBadInputsRuleSet"
        }
    }
]

Run the update command with the JSON file to add the rules to the empty WAF Regional Rules.
Verify that the WAF Regional Rules are no longer empty by listing the Web ACLs again:

aws waf-regional list-web-acls

By following these steps, you can remediate the misconfiguration of empty WAF Regional Rules in AWS CloudWatch using AWS CLI.

Using Python

To remediate the misconfiguration of WAF Regional Rules being empty in AWS CloudWatch using Python, you can follow these steps:

Install the Boto3 library for AWS SDK for Python by running the following command:
```
pip install boto3
```
Use the following Python script to check if the WAF Regional Rules are empty and update them if necessary:

import boto3

def remediate_empty_waf_rules():
    # Create a WAF client
    waf_client = boto3.client('waf-regional')

    # Get the list of WebACLs
    response = waf_client.list_web_acls()

    for web_acl in response['WebACLs']:
        web_acl_id = web_acl['WebACLId']
        
        # Get the rules for the WebACL
        rules_response = waf_client.get_web_acl(WebACLId=web_acl_id)
        
        # Check if the rules are empty
        if not rules_response['WebACL']['Rules']:
            # Add a default rule to the WebACL
            default_rule = {
                'Priority': 1,
                'RuleId': 'WAFRuleId',  # Add your desired WAF rule ID
                'Action': {
                    'Type': 'BLOCK'
                }
            }
            waf_client.update_web_acl(
                WebACLId=web_acl_id,
                ChangeToken=waf_client.get_change_token()['ChangeToken'],
                Updates=[
                    {
                        'Action': 'INSERT',
                        'ActivatedRule': {
                            'Priority': 1,
                            'RuleId': default_rule['RuleId'],
                            'Action': default_rule['Action']
                        }
                    }
                ]
            )
            print(f"WebACL {web_acl_id} updated with default WAF rule.")
        else:
            print(f"WebACL {web_acl_id} already has WAF rules.")

if __name__ == '__main__':
    remediate_empty_waf_rules()

Replace 'WAFRuleId' with the desired WAF rule ID that you want to add as a default rule.
Run the Python script to check and update the WAF Regional Rules in AWS CloudWatch.

This script will check each WebACL in AWS WAF Regional and add a default WAF rule if the rules are empty. It’s important to customize the default rule according to your specific security requirements before running the script.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

WAF Regional Web ACL Should Not Be Empty

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation