
Enable Amazon WAF Integration for Application Load Balancers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Amazon Web Application Firewall (WAF) service is integrated with your Application Load Balancers (ALBs) in order to protect the web applications that are running behind the load balancers from common web exploits such as SQL injection attacks, cross-site scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks that could affect application availability and performance, compromise security, or consume excessive resources.

Security

Amazon WAF is a web application firewall service that provides inline inspection of inbound traffic at the application layer in order to detect and filter malicious web requests and scale to handle bursts in traffic. The inbound traffic is inspected against Web Access Control List (Web ACL) rules that you create manually through AWS Management Console or programmatically using AWS API. To protect the web applications behind your Amazon Application Load Balancers from common application-layer exploits, enable the Amazon WAF - Application Load Balancer integration by creating and attaching Web ACLs to load balancers. For example, you can assign Web ACLs to your Application Load Balancers to block requests based on IP address or range of IP addresses originating from a specific country or region, or block requests containing malicious SQL code or malicious scripts. You can also implement Web ACLs to protect your applications from unwanted or unauthorized access (e.g. block bad bots, content scrapers, and attacks from specific user-agents).


Audit

To determine if your Application Load Balancers (ALBs) are associated with WAF Web ACLs, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to examine.

06 Select the Integrated services tab from the console bottom panel to view the integration status of the selected load balancer with Amazon WAF.

07 Check the AWS WAF integration status. If the integration status is set to This load balancer is not WAF enabled. and there is no Amazon WAF ACL associated with the load balancer, the selected Application Load Balancer (ALB) is not integrated with the Amazon WAF service for protection against common web exploits.

08 Repeat steps no. 5 – 7 for each Application Load Balancer deployed within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Application Load Balancers available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'

02 The command output should return an array with the requested ALB ARN(s):

[
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-project5-load-balancer/abcdabcdabcdabcd",
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-load-balancer/abcd1234abcd1234"
]

03 Run get-web-acl-for-resource command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the Amazon WAF Web ACL associated with the selected load balancer:

aws wafv2 get-web-acl-for-resource \
  --region us-east-1 \
  --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-project5-load-balancer/abcdabcdabcdabcd \
  --query '{WebACLArn: WebACL.ARN}'

04 The command output should return the requested Amazon Resource Name (ARN):

{
	"WebACLArn": null
}

If the get-web-acl-for-resource command output returns null for the "WebACLArn" attribute, as shown in the output example above, there is no Amazon WAF ACL associated with the load balancer, therefore the selected Application Load Balancer (ALB) is not integrated with the Amazon WAF service for protection against common web exploits.

05 Repeat steps no. 3 and 4 for each Application Load Balancer deployed in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable the Amazon WAF integration for your Application Load Balancers (ALBs) in order to protect against common application-layer exploits, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"WAFWebACL": {
			"Type": "AWS::WAFv2::WebACL",
			"Properties": {
				"Name": "cc-load-balancer-web-acl",
				"Scope": "REGIONAL",
				"DefaultAction": {
					"Allow": {}
				},
				"VisibilityConfig": {
					"SampledRequestsEnabled": true,
					"CloudWatchMetricsEnabled": true,
					"MetricName": "cc-load-balancer-web-acl"
				},
				"Rules": [
					{
						"Name": "requestsFromUSStates",
						"Priority": 1,
						"Statement": {
							"RateBasedStatement": {
								"Limit": 500,
								"AggregateKeyType": "CUSTOM_KEYS",
								"ScopeDownStatement": {
									"GeoMatchStatement": {
										"CountryCodes": [
											"US"
										]
									}
								},
								"CustomKeys": [
									{
										"LabelNamespace": {
											"Namespace": "awswaf:clientip:geo:region:"
										}
									}
								]
							}
						},
						"Action": {
							"Block": {}
						},
						"VisibilityConfig": {
							"SampledRequestsEnabled": true,
							"CloudWatchMetricsEnabled": true,
							"MetricName": "requestsFromUSStates"
						}
					}
				]
			}
		},
		"ApplicationLoadBalancer": {
			"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
			"Properties": {
				"Name": "cc-app-load-balancer",
				"Type": "application",
				"Scheme": "internet-facing",
				"IpAddressType": "ipv4",
				"Subnets": [
					"subnet-01234abcd1234abcd",
					"subnet-0abcd1234abcd1234"
				],
				"SecurityGroups": [
					"sg-0abcd1234abcd1234",
					"sg-01234abcd1234abcd"
				]
			}
		},
		"WAFWebACLAssociation": {
			"Type": "AWS::WAFv2::WebACLAssociation",
			"Properties": {
				"ResourceArn": {
					"Ref": "ApplicationLoadBalancer"
				},
				"WebACLArn": {
					"Fn::GetAtt": [
						"WAFWebACL",
						"Arn"
					]
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  WAFWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: cc-load-balancer-web-acl
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: cc-load-balancer-web-acl
      Rules:
        - Name: requestsFromUSStates
          Priority: 1
          Statement:
            RateBasedStatement:
              Limit: 500
              AggregateKeyType: CUSTOM_KEYS
              ScopeDownStatement:
                GeoMatchStatement:
                  CountryCodes:
                    - US
              CustomKeys:
                - LabelNamespace:
                    Namespace: 'awswaf:clientip:geo:region:'
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: requestsFromUSStates
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-app-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
      SecurityGroups:
        - sg-0abcd1234abcd1234
        - sg-01234abcd1234abcd
  WAFWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref ApplicationLoadBalancer
      WebACLArn: !GetAtt WAFWebACL.Arn

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-app-load-balancer"
  load_balancer_type = "application"
  internal           = false
  ip_address_type    = "ipv4"
  subnets            = ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
  security_groups    = ["sg-0abcd1234abcd1234", "sg-01234abcd1234abcd"]
}

resource "aws_wafv2_web_acl" "waf-web-acl" {
  name  = "cc-load-balancer-web-acl"
  scope = "REGIONAL" # a Web ACL for an ALB must be REGIONAL and in the ALB's region
  default_action {
    allow {}
  }

  # token_domains is a web ACL-level argument, not a rule-level one
  token_domains = ["domain.com"]

  rule {
    name     = "cc-aws-managed-rule"
    priority = 1
    # count {} only observes the managed group; use none {} to enforce its actions
    override_action {
      count {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        rule_action_override {
          action_to_use {
            count {}
          }
          name = "SizeRestrictions_QUERYSTRING"
        }
        rule_action_override {
          action_to_use {
            count {}
          }
          name = "NoUserAgent_HEADER"
        }
        scope_down_statement {
          geo_match_statement {
            country_codes = ["US"]
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = false
      sampled_requests_enabled   = false
      metric_name                = "cc-aws-managed-rule"
    }
  }

  # visibility_config is also required at the web ACL level
  visibility_config {
    cloudwatch_metrics_enabled = true
    sampled_requests_enabled   = true
    metric_name                = "cc-load-balancer-web-acl"
  }
}

resource "aws_wafv2_web_acl_association" "waf-web-acl-association" {
  resource_arn = aws_lb.application-load-balancer.arn
  web_acl_arn  = aws_wafv2_web_acl.waf-web-acl.arn
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to examine.

06 Select the Integrated services tab from the console bottom panel to access the Amazon WAF integration settings available for the selected load balancer.

07 Choose Create Web ACL under AWS WAF and follow the instructions outlined for this conformity rule to create your own Amazon WAF Web Access Control List (Web ACL) and associate it with the selected Application Load Balancer for protection against common web exploits. Once the new Web ACL is associated with your load balancer, the AWS WAF integration status should change to This load balancer is WAF enabled.

08 Repeat steps no. 5 – 7 for each Application Load Balancer that you want to reconfigure, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 To enable the Amazon WAF integration for your Application Load Balancer (ALB), you have to associate a Web ACL with your load balancer. To create your own Amazon WAF Web Access Control List (Web ACL), follow the instructions outlined for this conformity rule.

02 Run associate-web-acl command (OSX/Linux/UNIX) to associate your new Amazon WAF Web ACL (identified by the --web-acl-arn parameter value) with the selected Application Load Balancer (identified by the --resource-arn value) for protection against common web exploits (the associate-web-acl command request does not produce an output):

aws wafv2 associate-web-acl \
  --region us-east-1 \
  --web-acl-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/cc-load-balancer-web-acl/abcdabcd-1234-abcd-1234-abcd1234abcd \
  --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-project5-load-balancer/abcdabcdabcdabcd

03 Run get-web-acl-for-resource command (OSX/Linux/UNIX) to describe the ARN of the Web ACL associated with your Application Load Balancer at the previous step, in order to confirm the integration of the selected load balancer with Amazon WAF:

aws wafv2 get-web-acl-for-resource \
  --region us-east-1 \
  --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-project5-load-balancer/abcdabcdabcdabcd \
  --query '{WebACLArn: WebACL.ARN}'

04 If successful, the command output should return the ARN of the associated Web ACL:

{
	"WebACLArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/cc-load-balancer-web-acl/abcdabcd-1234-abcd-1234-abcd1234abcd"
}

05 Repeat steps no. 1 – 4 for each Application Load Balancer that you want to reconfigure, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
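The CLI steps in the Audit section (describe-load-balancers, get-web-acl-for-resource) and in this Remediation section (associate-web-acl, then read the association back) are the same three API calls repeated per load balancer and per region. The script below is an added example, not part of this conformity rule or of any Trend Micro tooling; it performs those calls with boto3, and the FakeElbv2/FakeWafv2 classes, the NLB ARN and the demo() function are constructed stand-ins that replay the article's sample ARNs so the logic can be run without AWS credentials. Function names and the finding layout are the example's own choices. With real clients it requires elasticloadbalancing:DescribeLoadBalancers, wafv2:GetWebACLForResource and, for remediation, wafv2:AssociateWebACL; the Web ACL passed to remediate() must be REGIONAL and in the same region as the load balancer.

```python
"""Audit ALB <-> AWS WAFv2 Web ACL associations in one region and optionally remediate.
Constructed example: the fake clients replay the article's sample ARNs so it runs offline."""
import sys
from typing import Dict, List, Optional

ACCOUNT = "123456789012"  # account id and ALB ARNs below come from the article's CLI output
ALB_PROJECT5 = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:loadbalancer/app/cc-project5-load-balancer/abcdabcdabcdabcd"
ALB_INTERNAL = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:loadbalancer/app/cc-internal-load-balancer/abcd1234abcd1234"
NLB_CONSTRUCTED = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:loadbalancer/net/cc-network-load-balancer/0123456789abcdef"
WEB_ACL = f"arn:aws:wafv2:us-east-1:{ACCOUNT}:regional/webacl/cc-load-balancer-web-acl/abcdabcd-1234-abcd-1234-abcd1234abcd"

SAMPLE_LBS = [  # one constructed NLB is included to exercise the type filter
    {"LoadBalancerName": "cc-project5-load-balancer", "LoadBalancerArn": ALB_PROJECT5, "Type": "application"},
    {"LoadBalancerName": "cc-internal-load-balancer", "LoadBalancerArn": ALB_INTERNAL, "Type": "application"},
    {"LoadBalancerName": "cc-network-load-balancer", "LoadBalancerArn": NLB_CONSTRUCTED, "Type": "network"},
]


def list_application_lbs(elbv2) -> List[Dict[str, str]]:
    """Audit step 1: every ALB in the region, paginated (the CLI's Type == `application` filter)."""
    albs = []
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            if lb.get("Type") == "application":  # NLBs and GWLBs cannot carry a Web ACL
                albs.append({"name": lb["LoadBalancerName"], "arn": lb["LoadBalancerArn"]})
    return albs


def web_acl_arn_for(wafv2, resource_arn: str) -> Optional[str]:
    """Audit step 3: ARN of the associated Web ACL, or None. The API omits the WebACL
    key when nothing is associated, which the CLI's --query renders as null."""
    web_acl = wafv2.get_web_acl_for_resource(ResourceArn=resource_arn).get("WebACL")
    return web_acl["ARN"] if web_acl else None


def audit_region(elbv2, wafv2) -> List[Dict[str, object]]:
    """One finding per ALB; compliant is False when no Web ACL is associated."""
    findings = []
    for alb in list_application_lbs(elbv2):
        acl = web_acl_arn_for(wafv2, alb["arn"])
        findings.append({**alb, "web_acl_arn": acl, "compliant": acl is not None})
    return findings


def remediate(wafv2, findings, web_acl_arn: str) -> List[str]:
    """Remediation steps 2-3: associate a REGIONAL Web ACL from the same region with every
    non-compliant ALB and read the association back before reporting it fixed."""
    fixed = []
    for f in findings:
        if f["compliant"]:
            continue
        wafv2.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=f["arn"])
        if web_acl_arn_for(wafv2, f["arn"]) != web_acl_arn:
            raise RuntimeError(f"Web ACL association not visible on {f['arn']}")
        fixed.append(f["arn"])
    return fixed


class FakeElbv2:
    """Constructed stand-in for boto3.client('elbv2'): one page of load balancers."""
    def __init__(self, lbs):
        self._lbs = lbs
    def get_paginator(self, name):
        assert name == "describe_load_balancers"
        return self
    def paginate(self):
        yield {"LoadBalancers": self._lbs}


class FakeWafv2:
    """Constructed stand-in for boto3.client('wafv2'): associations kept in a dict."""
    def __init__(self, associations):
        self._assoc = dict(associations)
    def get_web_acl_for_resource(self, ResourceArn):
        arn = self._assoc.get(ResourceArn)
        return {"WebACL": {"ARN": arn}} if arn else {}
    def associate_web_acl(self, WebACLArn, ResourceArn):
        self._assoc[ResourceArn] = WebACLArn
        return {}


def demo():
    """Audit, remediate and re-audit the fakes; only the internal ALB starts out protected."""
    elbv2, wafv2 = FakeElbv2(SAMPLE_LBS), FakeWafv2({ALB_INTERNAL: WEB_ACL})
    before = audit_region(elbv2, wafv2)
    fixed = remediate(wafv2, before, WEB_ACL)
    return before, fixed, audit_region(elbv2, wafv2)


def main(region: str = "us-east-1"):
    import boto3  # imported here so the audit logic above stays importable offline
    findings = audit_region(boto3.client("elbv2", region_name=region), boto3.client("wafv2", region_name=region))
    for f in findings:
        print(("OK      " if f["compliant"] else "MISSING ") + f"{f['name']}  web_acl={f['web_acl_arn']}")


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

Run it as `python audit_alb_waf.py eu-west-1` (hypothetical file name) once per region, or loop over the regions returned by ec2 describe-regions, since both APIs are regional and step 06 above still applies. demo() reproduces the article's sample state: cc-project5-load-balancer has no Web ACL and is reported MISSING, the internal ALB is already protected, the NLB is skipped by the type filter, and after remediate() both ALBs report the Web ACL ARN.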


Publication date Nov 27, 2023