More Info:

Identify which all webacl rules are in count mode for each AWS Account

Risk Level

Critical

Address

Security

Compliance Standards

ISO27001, PCIDSS, CISAWS, GDPR

Triage and Remediation

Remediation

Using Console

Here are the step-by-step instructions to remediate the misconfiguration:
  1. Open the AWS Management Console and navigate to AWS WAF & Shield.
  2. In the navigation pane, choose “Web ACLs”.
  3. In the Web ACLs section, choose the WebACL that you need to modify.
  4. In the Rules section, find the rule that is in Count mode.
  5. Click on the pencil icon or ‘Edit’ to modify the rule.
  6. In the Edit rule pane, under the Action setting, select “Block” if you want AWS WAF to block requests that match the conditions in the rule. If you want AWS WAF to allow requests that match the conditions in the rule, choose “Allow”. Don’t choose “Count” as this just increments a counter of the requests that match the conditions in the rule.
  7. Click on ‘Update’ to save the changes.
  8. Repeat the steps for all rules that are in Count mode.
  9. After you have updated all the rules, make sure to review and confirm all changes.
Remember, the changes you make will only apply to the AWS resources (like Amazon CloudFront distributions) that are associated with the selected WebACL.
WebACL rules should not be in count mode because this mode only counts the web requests that match the properties of a rule, but does not block or allow them. Here are the steps to remediate this misconfiguration using AWS CLI:Step 1: Install AWS CLI Firstly, you need to install AWS CLI on your system. You can download it from the official AWS website.Step 2: Configure AWS CLI Once installed, you need to configure AWS CLI with your AWS account details. You can do this by running the following command in your terminal:
aws configure
You’ll be prompted to enter your AWS Access Key ID, Secret Access Key, default region name, and default output format. Enter these details correctly.Step 3: List WebACLs Next, you need to list all the WebACLs in your account. You can use the following command:
aws wafv2 list-web-acls --scope REGIONAL
This will list all the WebACLs in your account.Step 4: Identify WebACLs in Count Mode Go through the list of WebACLs and identify the ones that are in count mode. You can do this by checking the “DefaultAction” field of each WebACL. If it is set to “COUNT”, the WebACL is in count mode.Step 5: Change DefaultAction to Block or Allow Once you’ve identified the WebACLs in count mode, you need to change their DefaultAction to either “BLOCK” or “ALLOW”. You can use the following co the DefaultAction of the WebACL to “ALLOW”. If you want to change it to “BLOCK”, replace Allow= with Block=. mmand:
aws wafv2 update-web-acl --name <name> --scope REGIONAL --id <id> --default-action Allow={} --lock-token lock-token
Replace name with the name of the WebACL, id with the ID of the WebACL, and lock-token with the lock token of the WebACL. This command will change Step 6: Verify the Changes Finally, verify the changes by listing the WebACLs again and checking their DefaultAction. If it is set to “BLOCK” or “ALLOW”, the remediation was successful.Remember to replace all the placeholders with actual values. Also, ensßure that you have the necessary permissions to perform these actions.
The WebACL rules in count mode essentially means that the rule is only counting the matches for a rule without any action. This configuration can be useful for testing, but in a production environment, it’s recommended to change it to block or allow mode.Here’s how to remediate this misconfiguration using AWS SDK for Python (Boto3):
  1. First, install Boto3 if it’s not already installed. You can do this by running the following command in your terminal:
    pip install boto3
    
  2. Import the necessary modules and set up your AWS credentials:
    import boto3
    from botocore.exceptions import NoCredentialsError
    
    ACCESS_KEY = 'YOUR_ACCESS_KEY'
    SECRET_KEY = 'YOUR_SECRET_KEY'
    
  3. Create a session using your credentials:
    session = boto3.Session(
        aws_access_key_id=ACCESS_KEY,
        aws_secret_access_key=SECRET_KEY
    )
    
  4. Now, use the session to create a client for AWS WAF (Web Application Firewall):
    client = session.client('waf')
    
  5. Get the list of WebACLs:
    webacls = client.list_web_acls(Limit=100)
    
  6. Iterate over the WebACLs and check if any rules are in count mode:
    for webacl in webacls['WebACLs']:
        webacl_id = webacl['WebACLId']
        webacl_rules = client.get_web_acl(WebACLId=webacl_id)['WebACL']['Rules']
    
        for rule in webacl_rules:
            if rule['Type'] == 'REGULAR' and rule['Action']['Type'] == 'COUNT':
                print(f"WebACL {webacl_id} has a rule in count mode")
    
  7. To change the rules from count mode to block mode, you need to update the rule:
    for webacl in webacls['WebACLs']:
        webacl_id = webacl['WebACLId']
        webacl_rules = client.get_web_acl(WebACLId=webacl_id)['WebACL']['Rules']
    
        for rule in webacl_rules:
            if rule['Type'] == 'REGULAR' and rule['Action']['Type'] == 'COUNT':
                rule_id = rule['RuleId']
                client.update_rule(Action='BLOCK', RuleId=rule_id)
    
Please note that you need to replace ‘YOUR_ACCESS_KEY’ and ‘YOUR_SECRET_KEY’ with your actual AWS access key and secret key. Also, make sure that the user associated with the keys has the necessary permissions to list and update WebACLs.Remember to handle exceptions and errors appropriately in your production code.