AWS WAFv2 In Use

Risk Level: Medium (should be achieved)

Rule ID: WAF-002

To improve the security of your web applications in the AWS cloud, ensure that the Web Application Firewall version 2 (WAFv2) service is in use. WAFv2 protects your applications from common security exploits that could impact their availability, compromise their security, or consume excessive resources through attacks like resource starvation. As a web application firewall service, AWS WAFv2 enables you to monitor all HTTP(S) requests forwarded to AWS resources, such as Amazon CloudFront distributions, Amazon API Gateway REST APIs, Application Load Balancers, AWS AppSync GraphQL APIs, AWS Amplify applications, and AWS Verified Access instances. To enable WAFv2 protection, you must first create web Access Control Lists (ACLs). These ACLs define rules that reference one or more conditions and specify the actions to take when each rule is met. Once created, these WAF ACLs can be attached to the supported cloud resources in your AWS account.

Security

Using the AWS WAFv2 service can significantly enhance the security and availability of websites and web applications in your AWS cloud environment. The main benefits of using AWS WAFv2 include:

Robust protection against common web attacks: WAFv2 safeguards your web applications from threats like SQL injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and HTTP Flood (DDoS) attacks. It does this by filtering incoming traffic based on the custom firewall rules you create.
Improved web traffic visibility: the service provides real-time insights into your web traffic. This data can be used to create custom rules and set up alerts within AWS CloudWatch, giving you better control and awareness of your application's security posture.
Ease of deployment and maintenance: WAFv2 is easy to deploy without the need for additional software. It also offers a full-featured API that you can use to automate the creation, deployment, and maintenance of your web security rules, streamlining your operations.
Seamless integration with the development process: WAFv2 allows you to define application-specific rules, which helps to increase security as you develop and update your web applications.
Cost-effectiveness: You only pay for what you use, as pricing is based on the number of rules you create and the number of requests your applications receive. There are no upfront commitments or minimum fees.

Audit

To determine if AWS WAFv2 is used as web application firewall service within your AWS cloud account, perform the following operations:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to WAF & Shield console available at https://console.aws.amazon.com/wafv2/.
In the left navigation panel, under AWS WAF, choose Protection packs (web ACLs).
In the Protection packs (web ACLs) section, search for protection packs. Protection packs are the new location for web ACLs. You can use protection packs (web ACLs) to combine rules and rule sets that protect your infrastructure and applications from threats. If there are no protection packs (web ACLs) listed in this section, instead the following message is displayed: No resources, the AWS WAFv2 service is not currently used within the selected AWS region.
Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Using AWS CLI

Run wafv2 list-web-acls command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each Web ACL created within your AWS cloud account. Use the --scope command parameter to list the active Web ACLs based on the type of the associated resource (i.e., CLOUDFRONT for Amazon CloudFront distributions and REGIONAL for regional resources such as Application Load Balancers, API Gateway APIs, and AppSync GraphQL APIs). Replace REGIONAL with CLOUDFRONT for the --scope parameter and repeat this command to list the Web ACL created for CloudFront distributions:
```
aws wafv2 list-web-acls
	--scope REGIONAL
	--query 'WebACLs[*].ARN'
```
The command output should return the requested Amazon Resource Names (ARNs):
```
[]
```
If the wafv2 list-web-acls command output returns an empty array, i.e., [], for both scopes (REGIONAL and CLOUDFRONT), there are no web ACLs deployed within your AWS cloud account. As a result, the AWS WAFv2 service is not enabled to protect your AWS-powered web applications from common web-based exploits.

Remediation / Resolution

To use AWS WAFv2 as a web application firewall, you must create one or more protection packs (web ACLs). Each ACL contains rules and actions that are performed when a rule is satisfied. After defining the necessary rules and actions, you can assign the new web ACL to an AWS cloud resource. To deploy your first AWS WAFv2 protection pack (web ACL), perform the following operations:

As an example, this KB guide demonstrates how AWS WAFv2 can be configured to protect a web application served by a global Amazon CloudFront distribution. The new web ACL blocks exploits from a range of malicious IP addresses, including those operated by spammers, botnets, and malware distributors.

Using AWS Console

Sign in to the AWS Management Console.
Navigate to WAF & Shield console available at https://console.aws.amazon.com/wafv2/.
In the left navigation panel, under AWS WAF, choose Protection packs (web ACLs).
In the Protection packs (web ACLs) section, choose Create protection pack (web ACL), and perform the following actions to create your new WAFv2 web ACL:
1. For Tell us about your app, use the App category dropdown list to select the category or categories that best describe your application's functionality, and select Web for the App focus menu.
2. For Select resources to protect, choose Add resources, and select Add CloudFront or Amplify resources. Under Resources, select the Amazon CloudFront distribution(s) that you want to protect and choose Add.
3. AWS WAFv2 offers various protection packages of WAF rules based on security best practices. For Choose initial protections, choose the rules package that is best for you. Each protection pack includes rules configured with the following behaviors: Preview (Count) Mode, which allows you to monitor potential threats without blocking traffic and Block mode, which actively prevents malicious requests from reaching your application. The protection packages are configurable after creating your web ACL, where you can modify individual rules, adjust behaviors, and fine-tune settings at any time to match your specific security requirements. You can also choose individual rules instead of packages by selecting Build your own pack from all of the protections AWS WAF offers option and choosing one or more managed or custom rules.
4. For Name and describe, provide a unique name and a short description for your new protection pack (web ACL).
5. (Optional) For Customize protection pack (web ACL) - optional, you can customize the configurations of the selected rules to your needs.
6. (Optional) For Logging destination, choose the rule logging destination type and storage resource.
7. Choose Create protection pack (web ACL) to deploy your new AWS WAFv2 protection pack (web ACL). This will keep your web application secure from the most common web threats and security vulnerabilities using AWS WAFv2. Blocked requests are stopped before they reach your web servers.

Using AWS CLI

Define the AWS WAFv2 rule for the web ACL. An AWS WAFv2 rule is a configurable condition that inspects incoming web requests and defines an action to take (allow, block, or count) if the request meets that condition. Save the rule definition to a JSON file named wafv2-custom-rule.json. As an example, the following rule allows country-specific web traffic to protect applications from attacks (geo-based rule):
```
[
	{
		"Name":"cc-geo-based-access-rule",
		"Priority":0,
		"Statement": {
			"GeoMatchStatement": {
				"CountryCodes": [
					"AU",
					"US"
				]
			}
		},
		"Action":{
			"Allow":{

			}
		},
		"VisibilityConfig":{
			"SampledRequestsEnabled":true,
			"CloudWatchMetricsEnabled":true,
			"MetricName":"cc-geo-based-rule-metric"
		}
	}
]
```

Run wafv2 create-web-acl command (OSX/Linux/UNIX) to create the AWS WAFv2 web ACL that will be attached later to the Cloudfront distribution used as CDN solution for your web application. The web ACL will keep your web application secure from the most common web threats and security vulnerabilities:

aws wafv2 create-web-acl
	--name cc-cloudfront-web-acl
	--description "Allow country-specific web traffic to protect application from attacks"
	--scope CLOUDFRONT
	--region=us-east-1
	--default-action Allow={}
	--visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName="cc-geo-based-rule-metric"
	--rules file://wafv2-custom-rule.json
	--query 'Summary.ARN'

The command output should return the ARN of the new WAFv2 web ACL:

"arn:aws:wafv2:us-east-1:123456789012:global/webacl/cc-cloudfront-web-acl1/0abcd123-abcd-1234-abcd-1234abcd1234"

Now that the AWS WAFv2 web ACL is ready for use, take the required steps to associate it with your Amazon Cloudfront distribution. Run get-distribution-config command (OSX/Linux/UNIX) to collect the configuration information from the CDN distribution that you want to protect with AWS WAFv2. The following command returns the configuration object of a web distribution identified by the ID "ABCABCABCABCAB":
```
aws cloudfront get-distribution-config
	--id ABCABCABCABCAB
```

The command output should return the selected distribution configuration information:

{
	"ETag": "123ABC123ABCD",
	"DistributionConfig": {
		"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"Aliases": {
			"Quantity": 0
		},
		"DefaultRootObject": "",
		"Origins": {
			"Quantity": 1,
			"Items": [
				{
					"Id": "trendmicro-website.s3.us-east-1.amazonaws.com-1234abcd1234",
					"DomainName": "trendmicro-website.s3.us-east-1.amazonaws.com",
					"OriginPath": "",
					"CustomHeaders": {
						"Quantity": 0
					},
					"S3OriginConfig": {
						"OriginAccessIdentity": "",
						"OriginReadTimeout": 30
					},
					"ConnectionAttempts": 3,
					"ConnectionTimeout": 10,
					"OriginShield": {
						"Enabled": false
					},
					"OriginAccessControlId": "ABCABCABCABCAB"
				}
			]
		},
		"OriginGroups": {
			"Quantity": 0
		},
		"DefaultCacheBehavior": {
			"TargetOriginId": "trendmicro-website.s3.us-east-1.amazonaws.com-1234abcd1234",
			"TrustedSigners": {
				"Enabled": false,
				"Quantity": 0
			},
			"TrustedKeyGroups": {
				"Enabled": false,
				"Quantity": 0
			},
			"ViewerProtocolPolicy": "redirect-to-https",
			"AllowedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				],
				"CachedMethods": {
					"Quantity": 2,
					"Items": [
						"HEAD",
						"GET"
					]
				}
			},
			"SmoothStreaming": false,
			"Compress": true,
			"LambdaFunctionAssociations": {
				"Quantity": 0
			},
			"FunctionAssociations": {
				"Quantity": 0
			},
			"FieldLevelEncryptionId": "",
			"CachePolicyId": "abcd1234-abcd-1234-abcd-1234abcd1234",
			"GrpcConfig": {
				"Enabled": false
			}
		},
		"CacheBehaviors": {
			"Quantity": 0
		},
		"CustomErrorResponses": {
			"Quantity": 0
		},
		"Comment": "",
		"Logging": {
			"Enabled": false,
			"IncludeCookies": false,
			"Bucket": "",
			"Prefix": ""
		},
		"PriceClass": "PriceClass_All",
		"Enabled": true,
		"ViewerCertificate": {
			"CloudFrontDefaultCertificate": true,
			"SSLSupportMethod": "vip",
			"MinimumProtocolVersion": "TLSv1",
			"CertificateSource": "cloudfront"
		},
		"Restrictions": {
			"GeoRestriction": {
				"RestrictionType": "none",
				"Quantity": 0
			}
		},
		"WebACLId": "",
		"HttpVersion": "http2",
		"IsIPV6Enabled": true,
		"ContinuousDeploymentPolicyId": "",
		"Staging": false
	}
}

Modify the distribution configuration returned in the previous step to attach the WAFv2 web ACL created earlier in the Remediation process by setting the web ACL ARN as value for the "WebACLId" attribute, as shown in the example below. Once the "WebACLId" attribute is configured, remove the "ETag" flag and save the new distribution configuration to a JSON document named cloudfront-wafv2-integration.json:

{
	"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"Aliases": {
		"Quantity": 0
	},
	"DefaultRootObject": "",
	"Origins": {
		"Quantity": 1,
		"Items": [
			{
				"Id": "trendmicro-website.s3.us-east-1.amazonaws.com-1234abcd1234",
				"DomainName": "trendmicro-website.s3.us-east-1.amazonaws.com",
				"OriginPath": "",
				"CustomHeaders": {
					"Quantity": 0
				},
				"S3OriginConfig": {
					"OriginAccessIdentity": "",
					"OriginReadTimeout": 30
				},
				"ConnectionAttempts": 3,
				"ConnectionTimeout": 10,
				"OriginShield": {
					"Enabled": false
				},
				"OriginAccessControlId": "ABCABCABCABCAB"
			}
		]
	},
	"OriginGroups": {
		"Quantity": 0
	},
	"DefaultCacheBehavior": {
		"TargetOriginId": "trendmicro-website.s3.us-east-1.amazonaws.com-1234abcd1234",
		"TrustedSigners": {
			"Enabled": false,
			"Quantity": 0
		},
		"TrustedKeyGroups": {
			"Enabled": false,
			"Quantity": 0
		},
		"ViewerProtocolPolicy": "redirect-to-https",
		"AllowedMethods": {
			"Quantity": 2,
			"Items": [
				"HEAD",
				"GET"
			],
			"CachedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				]
			}
		},
		"SmoothStreaming": false,
		"Compress": true,
		"LambdaFunctionAssociations": {
			"Quantity": 0
		},
		"FunctionAssociations": {
			"Quantity": 0
		},
		"FieldLevelEncryptionId": "",
		"CachePolicyId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"GrpcConfig": {
			"Enabled": false
		}
	},
	"CacheBehaviors": {
		"Quantity": 0
	},
	"CustomErrorResponses": {
		"Quantity": 0
	},
	"Comment": "",
	"Logging": {
		"Enabled": false,
		"IncludeCookies": false,
		"Bucket": "",
		"Prefix": ""
	},
	"PriceClass": "PriceClass_All",
	"Enabled": true,
	"ViewerCertificate": {
		"CloudFrontDefaultCertificate": true,
		"SSLSupportMethod": "vip",
		"MinimumProtocolVersion": "TLSv1",
		"CertificateSource": "cloudfront"
	},
	"Restrictions": {
		"GeoRestriction": {
			"RestrictionType": "none",
			"Quantity": 0
		}
	},
	"WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/cc-cloudfront-web-acl1/0abcd123-abcd-1234-abcd-1234abcd1234",
	"HttpVersion": "http2",
	"IsIPV6Enabled": true,
	"ContinuousDeploymentPolicyId": "",
	"Staging": false
}

Run cloudfront update-distribution command (OSX/Linux/UNIX) to update your Amazon Cloudfront distribution in order to integrate it with the AWS WAFv2 service. The following command example updates a CloudFront distribution with the ID "ABCABCABCABCAB" and ETag "123ABC123ABCD" (an ETag is a header ID exposed when a CDN distribution configuration is retrieved), using the distribution configuration modified in the previous step (i.e., cloudfront-wafv2-integration.json):
```
aws cloudfront update-distribution
	--id ABCABCABCABCAB
	--distribution-config file://cloudfront-wafv2-integration.json
	--if-match 123ABC123ABCD
	--query 'Distribution.Status'
```
The command output should return the current status of the modified Cloudfront distribution:
```
"InProgress"
```

References

AWS Command Line Interface (CLI) Documentation
list-web-acls
create-web-acl
update-distribution

Publication date Sep 16, 2025

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related WAF rules