Triage and Remediation
Remediation
Using Console
- Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.
- In the navigation pane, choose “WebACLs”.
- Choose the WebACL that you want to update.
- In the WebACL, you will see an overview of the current configuration. Look for the “Default WebACL Action” setting.
- If the “Default WebACL Action” is set to “Block”, you will need to change it to “Allow”.
- Click on the “Edit” button next to the “Default WebACL Action”.
- In the drop-down menu, select “Allow” and click on “Update”.
- After updating, AWS WAF will allow requests that don’t match any of the rules in the WebACL.
- Make sure to review the rules in your WebACL to ensure that they are configured correctly to block or count the requests that you want AWS WAF to take action on.
- Click “Save” to apply the changes.
Using CLI
AWS WAF (Web Application Firewall) protects your web applications from common web exploits. In AWS WAF, a WebACL is a collection of rules that you can use to regulate the traffic to your web applications. The default action for a WebACL determines what AWS WAF does when a request doesn’t match any of the rules in the WebACL. If the default action is set to “ALLOW” without any rules, it means that all incoming traffic will be allowed, which could potentially expose your application to malicious traffic.
Here are the steps to remediate this misconfiguration:
- First, identify the WebACL that has the default action set to “ALLOW” without any rules. You can do this using the AWS CLI command:
- The output will give you a list of WebACLs. Identify the one you want to modify and note its ID and ARN.
- Once you have the WebACL ID, check its rules and default action by using the following command:
Replace <WebACL ID>, <WebACL Name>, and <Region> with the actual values.
- If the default action is “ALLOW” and there are no rules, add a rule to block or count the requests that match certain conditions. Here is an example of how to add a rule:
Replace <WebACL ID>, <WebACL Name>, <IPSet ARN>, and <Region> with the actual values. This command creates a rule that blocks requests from IP addresses defined in the specified IP set.
- After adding the rule, verify the changes by retrieving the WebACL information again:
This should now show the added rule, and the default action should still be “ALLOW”. However, because there is a rule that blocks certain requests, not all traffic will be allowed by default. Remember to replace <WebACL ID>, <WebACL Name>, and <Region> with the actual values.
Please note that you need to have the necessary permissions to perform these actions. Also, the AWS CLI commands should be run from a machine where the AWS CLI is installed and configured with your AWS account.
Using Python
To remediate this issue, you need to change the default action for your AWS WAF (Web Application Firewall) WebACL (Access Control List) to “ALLOW”. This means that if a request doesn’t match any of the rules in the WebACL, the request will be allowed.
Here’s a step-by-step guide on how to remediate this issue using Python and the Boto3 library, which allows you to directly interact with AWS services:
- Install Boto3: First, you need to install Boto3 if you haven’t done so already. You can do this by running pip install boto3 in your command line.
- Import Boto3: In your Python script, import the Boto3 library by adding import boto3.
- Create a WAF Client: Next, create a WAF client. This allows you to interact with AWS WAF. Here’s an example:
- Get WebACL: You need to get the WebACL that you want to update. You can do this using the get_web_acl method and passing the WebACL ID. Here’s an example:
- Update Default Action: Now you can update the default action for the WebACL to “ALLOW”. You can do this using the update_web_acl method. Here’s an example:
The ChangeToken parameter is a value that you get from a call to get_change_token, and you use it to ensure that your change request is submitted without any intervening updates.
- Error Handling: Make sure to add appropriate error handling to your script. For example, you might want to catch exceptions if the WebACL doesn’t exist or if there’s an issue with the provided ChangeToken.
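The following script is an added example, not code from the original page or from AWS. It covers both the CLI section's check (a WebACL whose default action is “ALLOW” while it has no rules lets every request through) and the Python section's get_change_token / update_web_acl flow, including the error handling the last step asks for. Assumptions not stated on the page: the function names (is_unrestricted, summarize, set_default_action) are hypothetical, and the client is the Boto3 WAF Classic client (boto3.client("waf")), which is the API that uses a ChangeToken as described above. The sample WebACL documents in the usage notes are constructed to match the shape of a get_web_acl response.

```python
"""Check an AWS WAF Classic WebACL for an unrestricted default action and
update that action with the ChangeToken flow. Added example; the helper
names are hypothetical and the boto3 ``waf`` (WAF Classic) client is assumed.
"""
from typing import Any, Dict

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore not installed: keep the offline checks usable
    class ClientError(Exception):  # minimal stand-in with the same shape
        def __init__(self, error_response, operation_name):
            super().__init__(operation_name)
            self.response = error_response


def is_unrestricted(web_acl: Dict[str, Any]) -> bool:
    """True when the WebACL allows everything by default and has no rules.

    ``web_acl`` is the ``WebACL`` member of a ``get_web_acl`` response.
    """
    default = web_acl.get("DefaultAction", {}).get("Type", "")
    return default.upper() == "ALLOW" and not web_acl.get("Rules")


def summarize(web_acl: Dict[str, Any]) -> Dict[str, Any]:
    """Compact view of the fields the remediation steps ask you to inspect."""
    rules = web_acl.get("Rules", [])
    return {
        "id": web_acl.get("WebACLId"),
        "name": web_acl.get("Name"),
        "default_action": web_acl.get("DefaultAction", {}).get("Type"),
        "rule_count": len(rules),
        "blocking_rules": sum(
            1 for r in rules if r.get("Action", {}).get("Type") == "BLOCK"
        ),
        "unrestricted": is_unrestricted(web_acl),
    }


def set_default_action(client, web_acl_id: str, action: str,
                       max_attempts: int = 3) -> str:
    """Set the default action ("ALLOW" or "BLOCK"); return the new ChangeToken.

    A fresh ChangeToken is fetched on every attempt: a token that an
    intervening update has already consumed is rejected by the service
    with WAFStaleDataException, so the call is retried with a new one.
    """
    if action not in ("ALLOW", "BLOCK"):
        raise ValueError("action must be ALLOW or BLOCK")
    for attempt in range(1, max_attempts + 1):
        token = client.get_change_token()["ChangeToken"]
        try:
            resp = client.update_web_acl(
                WebACLId=web_acl_id,
                ChangeToken=token,
                DefaultAction={"Type": action},
            )
            return resp["ChangeToken"]
        except ClientError as err:
            code = err.response.get("Error", {}).get("Code", "")
            if code == "WAFNonexistentItemException":
                raise LookupError(f"WebACL {web_acl_id} does not exist") from err
            if code == "WAFStaleDataException" and attempt < max_attempts:
                continue  # token already used by another update; retry
            raise
    raise RuntimeError("no update attempt was made")


if __name__ == "__main__":
    # Usage: python script.py <WebACL ID> [ALLOW|BLOCK]
    import sys
    import boto3

    acl_id = sys.argv[1]
    waf = boto3.client("waf")  # WAF Classic; the API that uses ChangeToken
    acl = waf.get_web_acl(WebACLId=acl_id)["WebACL"]
    print(summarize(acl))
    if len(sys.argv) > 2:
        print("new change token:", set_default_action(waf, acl_id, sys.argv[2]))
```

Run it with the WebACL ID alone to print the summary (and whether the ACL is unrestricted), and with a second argument to change the default action. summarize reports both the rule count and how many rules block, so the verification step in the CLI section (rule present, default still “ALLOW”) can be checked from one call.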