More Info:

Default web ACL action for requests that dont match any rules should be in Allow Mode

Risk Level

Critical

Address

Security

Compliance Standards

ISO27001, PCIDSS, CISAWS, GDPR

Triage and Remediation

Remediation

Using Console

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.
  2. In the navigation pane, choose “WebACLs”.
  3. Choose the WebACL that you want to update.
  4. In the WebACL, you will see an overview of the current configuration. Look for the “Default WebACL Action” setting.
  5. If the “Default WebACL Action” is set to “Block”, you will need to change it to “Allow”.
  6. Click on the “Edit” button next to the “Default WebACL Action”.
  7. In the drop-down menu, select “Allow” and click on “Update”.
  8. After updating, AWS WAF will allow requests that don’t match any of the rules in the WebACL.
  9. Make sure to review the rules in your WebACL to ensure that they are configured correctly to block or count the requests that you want AWS WAF to take action on.
  10. Click “Save” to apply the changes.
Now, the default action for the WebACL is set to “Allow”. This means that if a request doesn’t match any of the rules in the ACL, AWS WAF will allow the request.
AWS WAF (Web Application Firewall) protects your web applications from common web exploits. In AWS WAF, a WebACL is a collection of rules that you can use to regulate the traffic to your web applications. The default action for a WebACL determines what AWS WAF does when a request doesn’t match any of the rules in the WebACL.If the default action is set to “ALLOW” without any rules, it means that all incoming traffic will be allowed, which could potentially expose your application to malicious traffic.Here are the steps to remediate this misconfiguration:
  1. First, you need to identify the WebACL that has the default action set to “ALLOW” without any rules. You can do this using the AWS CLI command:
aws wafv2 list-web-acls --scope REGIONAL
  1. The output will give you a list of WebACLs. Identify the one you want to modify and note its ID and ARN.
  2. Once you have the WebACL ID, you can check its rules and default action by using the following command: 
aws wafv2 get-web-acl --scope REGIONAL --id <WebACL ID> --name <WebACL Name> --region <Region>
Replace <WebACL ID>, <WebACL Name>, and <Region> with the actual values.
  1. If the default action is “ALLOW” and there are no rules, you should add a rule to block or count the requests that match certain conditions. Here is an example of how to add a rule:
aws wafv2 update-web-acl --scope REGIONAL --id <WebACL ID> --name <WebACL Name> --default-action Block={} --rules '[{ "Name": "Rule1", "Priority": 1, "Action": { "Block": {} }, "Statement": { "IPSetReferenceStatement": { "ARN": "<IPSet ARN>" } }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "Rule1" } }]' --region <Region>
Replace <WebACL ID>, <WebACL Name>, <IPSet ARN>, and <Region> with the actual values. This command creates a rule that blocks requests from IP addresses defined in the specified IP set.
  1. After adding the rule, verify the changes by retrieving the WebACL information again:
aws wafv2 get-web-acl --scope REGIONAL --id <WebACL ID> --name <WebACL Name> --region <Region>
This should now show the added rule and the default action should still be “ALLOW”. However, because there’s a rule that blocks certain requests, not all traffic will be allowed by default.Remember to replace <WebACL ID>, <WebACL Name>, and <Region> with the actual values.Please note that you need to have the necessary permissions to perform these actions. Also, the AWS CLI commands should be run from a machine where AWS CLI is installed and configured with your AWS account.
To remediate this issue, you need to change the default action for your AWS WAF (Web Application Firewall) WebACL (Access Control List) to “ALLOW”. This means that if a request doesn’t match any of the rules in the WebACL, the request will be allowed.Here’s a step-by-step guide on how to remediate this issue using Python and the Boto3 library, which allows you to directly interact with AWS services:
  1. Install Boto3: First, you need to install Boto3 if you haven’t done so already. You can do this by running pip install boto3 in your command line.
  2. Import Boto3: In your Python script, import the Boto3 library by adding import boto3.
  3. Create a WAF Client: Next, create a WAF client. This allows you to interact with AWS WAF. Here’s an example: 
waf = boto3.client('waf')
  1. Get WebACL: You need to get the WebACL that you want to update. You can do this using the get_web_acl method and passing the WebACL ID. Here’s an example:
response = waf.get_web_acl(
    WebACLId='example1-1a1a-1a1a-1a1a-1234567890ab'
)
  1. Update Default Action: Now you can update the default action for the WebACL to “ALLOW”. You can do this using the update_web_acl method. Here’s an example:
response = waf.update_web_acl(
    WebACLId='example1-1a1a-1a1a-1a1a-1234567890ab',
    ChangeToken='abcd12f2-46da-4fdb-b8d5-fbd4c466928f',
    DefaultAction={
        'Type': 'ALLOW'
    }
)
The ChangeToken parameter is a value that you get from a call to get_change_token, and you use it to ensure that your change request is submitted without any intervening updates.
  1. Error Handling: Make sure to add appropriate error handling to your script. For example, you might want to catch exceptions if the WebACL doesn’t exist or if there’s an issue with the provided ChangeToken.
Remember to replace the ‘WebACLId’ and ‘ChangeToken’ with your actual WebACL ID and ChangeToken. After running this script, the default action for your WebACL should now be “ALLOW”.