Amazon WAF controls - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon WAF controls

These controls are related to Amazon WAF resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled

Related requirements: NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-7(8)

Category: Identify > Logging

Severity: Medium

Resource type: AWS::WAF::WebACL

Amazon Config rule: waf-classic-logging-enabled

Schedule type: Periodic

Parameters: None

This control checks whether logging is enabled for an Amazon WAF global web ACL. This control fails if logging is not enabled for the web ACL.

Logging is an important part of maintaining the reliability, availability, and performance of Amazon WAF globally. It is a business and compliance requirement in many organizations, and allows you to troubleshoot application behavior. It also provides detailed information about the traffic analyzed by the web ACL.

Remediation

To enable logging for an Amazon WAF web ACL, see Logging web ACL traffic information in the Amazon WAF Developer Guide.

[WAF.2] Amazon WAF Classic Regional rules should have at least one condition

Related requirements: NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21)

Category: Protect > Secure network configuration

Severity: Medium

Resource type: AWS::WAFRegional::Rule

Amazon Config rule: waf-regional-rule-not-empty

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon WAF Regional rule has at least one condition. The control fails if no conditions are present within a rule.

A WAF Regional rule can contain multiple conditions. The rule's conditions allow for traffic inspection and take a defined action (allow, block, or count). Without any conditions, the traffic passes without inspection. A WAF Regional rule with no conditions, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.

Remediation

To add a condition to an empty rule, see Adding and removing conditions in a rule in the Amazon WAF Developer Guide.

[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule

Related requirements: NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21)

Category: Protect > Secure network configuration

Severity: Medium

Resource type: AWS::WAFRegional::RuleGroup

Amazon Config rule: waf-regional-rulegroup-not-empty

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon WAF Regional rule group has at least one rule. The control fails if no rules are present within a rule group.

A WAF Regional rule group can contain multiple rules. The conditions of those rules allow for traffic inspection and take a defined action (allow, block, or count). Without any rules, the traffic passes without inspection. A WAF Regional rule group with no rules, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.

Remediation

To add rules and rule conditions to an empty rule group, see Adding and deleting rules from an Amazon WAF Classic rule group and Adding and removing conditions in a rule in the Amazon WAF Developer Guide.

[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

Category: Protect > Secure network configuration

Severity: Medium

Resource type: AWS::WAFRegional::WebACL

Amazon Config rule: waf-regional-webacl-not-empty

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon WAF Classic Regional web ACL contains any WAF rules or WAF rule groups. This control fails if a web ACL does not contain any WAF rules or rule groups.

A WAF Regional web ACL can contain a collection of rules and rule groups that inspect and control web requests. If a web ACL is empty, no request is inspected, and whether traffic passes depends only on the web ACL's default action.

Remediation

To add rules or rule groups to an empty Amazon WAF Classic Regional web ACL, see Editing a Web ACL in the Amazon WAF Developer Guide.

[WAF.6] Amazon WAF Classic global rules should have at least one condition

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

Category: Protect > Secure network configuration

Severity: Medium

Resource type: AWS::WAF::Rule

Amazon Config rule: waf-global-rule-not-empty

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon WAF global rule contains any conditions. The control fails if no conditions are present within a rule.

A WAF global rule can contain multiple conditions. A rule's conditions allow for traffic inspection and take a defined action (allow, block, or count). Without any conditions, the traffic passes without inspection. A WAF global rule with no conditions, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.

Remediation

For instructions on creating a rule and adding conditions, see Creating a rule and adding conditions in the Amazon WAF Developer Guide.

[WAF.7] Amazon WAF Classic global rule groups should have at least one rule

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

Category: Protect > Secure network configuration

Severity: Medium

Resource type: AWS::WAF::RuleGroup

Amazon Config rule: waf-global-rulegroup-not-empty

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon WAF global rule group has at least one rule. The control fails if no rules are present within a rule group.

A WAF global rule group can contain multiple rules. The conditions of those rules allow for traffic inspection and take a defined action (allow, block, or count). Without any rules, the traffic passes without inspection. A WAF global rule group with no rules, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.

Remediation

For instructions on adding a rule to a rule group, see Creating an Amazon WAF Classic rule group in the Amazon WAF Developer Guide.

[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group

Related requirements: NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21)

Category: Protect > Secure network configuration

Severity: Medium

Resource type: AWS::WAF::WebACL

Amazon Config rule: waf-global-webacl-not-empty

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon WAF global web ACL contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups.

A WAF global web ACL can contain a collection of rules and rule groups that inspect and control web requests. If a web ACL is empty, no request is inspected, and whether traffic passes depends only on the web ACL's default action.

Remediation

To add rules or rule groups to an empty Amazon WAF global web ACL, see Editing a web ACL in the Amazon WAF Developer Guide. For Filter, choose Global (CloudFront).
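The six "not empty" controls above (WAF.2, WAF.3 and WAF.4 for Regional; WAF.6, WAF.7 and WAF.8 for global) all reduce to the same evaluation: count the conditions in a rule, the rules in a rule group, and the rules or rule groups in a web ACL, and call out the misleading case the text describes, an object whose name suggests allow, block or count but inspects nothing. The following Python is an added example written for this page, not Security Hub's or Amazon Config's own rule logic; it works on dicts shaped like the WAF Classic GetRule, ListActivatedRulesInRuleGroup and GetWebACL responses, and every sample object in it is constructed.

```python
"""Offline evaluator for the WAF Classic 'not empty' controls WAF.2, WAF.3,
WAF.4 (Regional) and WAF.6, WAF.7, WAF.8 (global).

Inputs are dicts shaped like the WAF Classic (waf / waf-regional) responses
GetRule, ListActivatedRulesInRuleGroup and GetWebACL. Every sample object
below is constructed for this example.
"""
from typing import Dict, List, Tuple

ACTION_WORDS = ("allow", "block", "count")


def _finding(control: str, resource: str, ok: bool, detail: str) -> Dict:
    return {"control": control, "resource": resource,
            "status": "PASSED" if ok else "FAILED", "detail": detail}


def _name_implies_action(name: str) -> bool:
    # The page's 'wrong assumption' case: a name such as block-sqli on an
    # object that inspects nothing deserves a louder finding.
    return any(word in name.lower() for word in ACTION_WORDS)


def check_rule(rule: Dict, regional: bool = True) -> Dict:
    """WAF.2 (Regional) / WAF.6 (global): a rule needs >= 1 predicate."""
    preds = rule.get("Predicates", [])
    detail = f"{len(preds)} condition(s)"
    if not preds and _name_implies_action(rule["Name"]):
        detail += f"; name '{rule['Name']}' implies an action but nothing is inspected"
    return _finding("WAF.2" if regional else "WAF.6", rule["RuleId"], bool(preds), detail)


def check_rule_group(group_id: str, activated: List[Dict], regional: bool = True) -> Dict:
    """WAF.3 / WAF.7: a rule group needs >= 1 activated rule."""
    return _finding("WAF.3" if regional else "WAF.7", group_id,
                    bool(activated), f"{len(activated)} rule(s)")


def check_web_acl(web_acl: Dict, regional: bool = True) -> Dict:
    """WAF.4 / WAF.8: a web ACL needs >= 1 rule or rule group.

    In GetWebACL output a rule group appears as a Rules entry with
    Type == "GROUP"; an empty Rules list means only DefaultAction applies.
    """
    rules = web_acl.get("Rules", [])
    groups = sum(1 for r in rules if r.get("Type") == "GROUP")
    default = web_acl.get("DefaultAction", {}).get("Type", "?")
    detail = f"{len(rules) - groups} rule(s), {groups} rule group(s); default action {default}"
    if not rules and default == "ALLOW":
        detail += "; every request is allowed without inspection"
    return _finding("WAF.4" if regional else "WAF.8", web_acl["WebACLId"], bool(rules), detail)


# --- constructed sample data, shaped like the API responses -----------------
SAMPLE_RULES = [
    {"RuleId": "rule-0001", "Name": "block-sqli", "MetricName": "blocksqli",
     "Predicates": []},                                  # empty: WAF.2/6 fails
    {"RuleId": "rule-0002", "Name": "allow-office-ips", "MetricName": "office",
     "Predicates": [{"Negated": False, "Type": "IPMatch", "DataId": "ipset-0001"}]},
]
SAMPLE_RULE_GROUPS = {                                   # group id -> ActivatedRules
    "group-0001": [],                                    # empty: WAF.3/7 fails
    "group-0002": [{"Priority": 1, "RuleId": "rule-0002",
                    "Action": {"Type": "ALLOW"}, "Type": "REGULAR"}],
}
SAMPLE_WEB_ACLS = [
    {"WebACLId": "acl-0001", "Name": "empty-acl",
     "DefaultAction": {"Type": "ALLOW"}, "Rules": []},   # empty: WAF.4/8 fails
    {"WebACLId": "acl-0002", "Name": "prod-acl", "DefaultAction": {"Type": "BLOCK"},
     "Rules": [{"Priority": 1, "RuleId": "rule-0002", "Action": {"Type": "ALLOW"}, "Type": "REGULAR"},
               {"Priority": 2, "RuleId": "group-0002", "OverrideAction": {"Type": "NONE"}, "Type": "GROUP"}]},
]


def evaluate(rules: List[Dict], rule_groups: Dict[str, List[Dict]],
             web_acls: List[Dict], regional: bool = True) -> List[Dict]:
    findings = [check_rule(r, regional) for r in rules]
    findings += [check_rule_group(gid, act, regional) for gid, act in rule_groups.items()]
    findings += [check_web_acl(a, regional) for a in web_acls]
    return findings


def failed(findings: List[Dict]) -> List[Tuple[str, str]]:
    """(control, resource id) pairs that need remediation, sorted for diffing."""
    return sorted((f["control"], f["resource"]) for f in findings if f["status"] == "FAILED")


if __name__ == "__main__":
    for f in evaluate(SAMPLE_RULES, SAMPLE_RULE_GROUPS, SAMPLE_WEB_ACLS):
        print(f"{f['control']:6} {f['status']:6} {f['resource']:10} {f['detail']}")
```

Run it as-is to see the Regional findings; pass `regional=False` to `evaluate` to label the same objects with the global control IDs. Feeding it live data means calling the Classic `get_rule`, `list_activated_rules_in_rule_group` and `get_web_acl` operations for each resource ID and passing the `Rule`, `ActivatedRules` and `WebACL` members through unchanged.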

[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

Category: Protect > Secure network configuration

Severity: Medium

Resource type: AWS::WAFv2::WebACL

Amazon Config rule: wafv2-webacl-not-empty

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon WAFV2 web access control list (web ACL) contains at least one rule or rule group. The control fails if a web ACL does not contain any rules or rule groups.

A web ACL gives you fine-grained control over all of the HTTP(S) web requests that your protected resource responds to. A web ACL should contain a collection of rules and rule groups that inspect and control web requests. If a web ACL is empty, no request is inspected, and whether traffic passes depends only on the web ACL's default action.

Remediation

To add rules or rule groups to an empty WAFV2 web ACL, see Editing a Web ACL in the Amazon WAF Developer Guide.

[WAF.11] Amazon WAF web ACL logging should be enabled

Related requirements: NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-7(8)

Category: Identify > Logging

Severity: Low

Resource type: AWS::WAFv2::WebACL

Amazon Config rule: wafv2-logging-enabled

Schedule type: Periodic

Parameters: None

This control checks whether logging is activated for an Amazon WAFV2 web access control list (web ACL). This control fails if logging is deactivated for the web ACL.

Logging maintains the reliability, availability, and performance of Amazon WAF. In addition, logging is a business and compliance requirement in many organizations. By logging traffic that's analyzed by your web ACL, you can troubleshoot application behavior.

Remediation

To activate logging for an Amazon WAF web ACL, see Managing logging for a web ACL in the Amazon WAF Developer Guide.

[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled

Related requirements: NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-7(8)

Category: Identify > Logging

Severity: Medium

Resource type: AWS::WAFv2::RuleGroup

Amazon Config rule: wafv2-rulegroup-logging-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled.

Configuring CloudWatch metrics on Amazon WAF rules and rule groups provides visibility into traffic flow. You can see which ACL rules are triggered and which requests are accepted and blocked. This visibility can help you identify malicious activity on your associated resources.

Remediation

To enable CloudWatch metrics on an Amazon WAF rule group, invoke the UpdateRuleGroup API. To enable CloudWatch metrics on an Amazon WAF rule, invoke the UpdateWebACL API. Set the CloudWatchMetricsEnabled field to true. When you use the Amazon WAF console to create rules or rule groups, CloudWatch metrics are automatically enabled.
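The three WAFv2 controls above (WAF.10, WAF.11 and WAF.12) can be evaluated from the same two API responses: GetWebACL, whose `Rules` list holds both rules and rule-group references and carries each rule's `VisibilityConfig`, and GetLoggingConfiguration, which either returns the log destinations or raises `WAFNonexistentItemException` when logging was never configured. The Python below is an added example written for this page, not Security Hub's or Amazon Config's own rule logic. It evaluates those controls offline on constructed sample data, includes the WAF.12 remediation step of rewriting `CloudWatchMetricsEnabled` for the `Rules` parameter of UpdateWebACL, and its logging check also fits the Classic WAF.1 response shape; the `collect_from_account` helper shows how the same inputs would be fetched with boto3 and is not invoked here.

```python
"""Offline evaluator for Security Hub controls WAF.10, WAF.11 and WAF.12 on
Amazon WAF (WAFv2) web ACLs, with the WAF.12 remediation step.

Inputs are dicts shaped like the WAFv2 GetWebACL and GetLoggingConfiguration
responses. The two web ACLs and the logging map are constructed samples.
"""
import copy
from typing import Dict, List, Optional, Tuple

APP_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/app-acl/EXAMPLE1"
EMPTY_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/empty-acl/EXAMPLE2"

SAMPLE_WEB_ACLS = [
    {"Name": "app-acl", "Id": "EXAMPLE1", "ARN": APP_ARN, "DefaultAction": {"Allow": {}},
     "Rules": [
         {"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 0,   # rule group reference
          "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS",
                                                       "Name": "AWSManagedRulesCommonRuleSet"}},
          "OverrideAction": {"None": {}},
          "VisibilityConfig": {"SampledRequestsEnabled": True,
                               "CloudWatchMetricsEnabled": True, "MetricName": "common"}},
         {"Name": "block-admin-path", "Priority": 1,                   # API-created, metrics off
          "Statement": {"ByteMatchStatement": {
              "SearchString": b"/admin", "FieldToMatch": {"UriPath": {}},
              "PositionalConstraint": "STARTS_WITH",
              "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
          "Action": {"Block": {}},
          "VisibilityConfig": {"SampledRequestsEnabled": True,
                               "CloudWatchMetricsEnabled": False, "MetricName": "adminpath"}},
     ]},
    {"Name": "empty-acl", "Id": "EXAMPLE2", "ARN": EMPTY_ARN,
     "DefaultAction": {"Allow": {}}, "Rules": []},
]
# ARN -> LoggingConfiguration, or None when GetLoggingConfiguration raised
# WAFNonexistentItemException. WAF log groups must be named aws-waf-logs-*.
SAMPLE_LOGGING = {
    APP_ARN: {"ResourceArn": APP_ARN, "LogDestinationConfigs": [
        "arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-app"]},
    EMPTY_ARN: None,
}


def _finding(control: str, arn: str, ok: bool, detail: str) -> Dict:
    return {"control": control, "resource": arn,
            "status": "PASSED" if ok else "FAILED", "detail": detail}


def check_not_empty(acl: Dict) -> Dict:
    """WAF.10: rules and rule-group references both live in WebACL.Rules;
    an empty list means only DefaultAction is ever applied."""
    rules = acl.get("Rules", [])
    default = next(iter(acl.get("DefaultAction", {})), "unknown")
    return _finding("WAF.10", acl["ARN"], bool(rules),
                    f"{len(rules)} rule(s) or rule group(s); default action {default}")


def check_logging(acl: Dict, logging_conf: Optional[Dict]) -> Dict:
    """WAF.11 (same shape as the Classic WAF.1 check): >= 1 log destination."""
    dests = (logging_conf or {}).get("LogDestinationConfigs", [])
    return _finding("WAF.11", acl["ARN"], bool(dests), f"{len(dests)} log destination(s)")


def check_metrics(acl: Dict) -> Dict:
    """WAF.12: every rule's VisibilityConfig has CloudWatchMetricsEnabled."""
    missing = [r["Name"] for r in acl.get("Rules", [])
               if not r.get("VisibilityConfig", {}).get("CloudWatchMetricsEnabled", False)]
    return _finding("WAF.12", acl["ARN"], not missing,
                    "rules without metrics: " + (", ".join(missing) or "none"))


def rules_with_metrics_enabled(acl: Dict) -> List[Dict]:
    """WAF.12 remediation: copy of WebACL.Rules with CloudWatchMetricsEnabled
    true, ready for the Rules parameter of UpdateWebACL (which also needs
    Name, Scope, Id, DefaultAction, VisibilityConfig and the GetWebACL LockToken)."""
    rules = copy.deepcopy(acl.get("Rules", []))
    for rule in rules:
        vc = rule.setdefault("VisibilityConfig", {})
        vc["CloudWatchMetricsEnabled"] = True
        vc.setdefault("SampledRequestsEnabled", True)
        vc.setdefault("MetricName", rule["Name"])
    return rules


def evaluate(web_acls: List[Dict], logging_by_arn: Dict[str, Optional[Dict]]) -> List[Dict]:
    findings = []
    for acl in web_acls:
        findings += [check_not_empty(acl),
                     check_logging(acl, logging_by_arn.get(acl["ARN"])),
                     check_metrics(acl)]
    return findings


def failed(findings: List[Dict]) -> List[Tuple[str, str]]:
    return sorted((f["control"], f["resource"]) for f in findings if f["status"] == "FAILED")


def collect_from_account(client, scope: str = "REGIONAL"):
    """Live inputs from a boto3 wafv2 client (not invoked here; reads only the
    first page of ListWebACLs). Scope is REGIONAL or CLOUDFRONT; CLOUDFRONT
    web ACLs are managed from us-east-1."""
    web_acls, logging_by_arn = [], {}
    for s in client.list_web_acls(Scope=scope)["WebACLs"]:
        acl = client.get_web_acl(Name=s["Name"], Scope=scope, Id=s["Id"])["WebACL"]
        web_acls.append(acl)
        try:
            logging_by_arn[acl["ARN"]] = client.get_logging_configuration(
                ResourceArn=acl["ARN"])["LoggingConfiguration"]
        except client.exceptions.WAFNonexistentItemException:
            logging_by_arn[acl["ARN"]] = None
    return web_acls, logging_by_arn


if __name__ == "__main__":
    for f in evaluate(SAMPLE_WEB_ACLS, SAMPLE_LOGGING):
        print(f"{f['control']} {f['status']:6} {f['resource'].split('/')[-2]:10} {f['detail']}")
```

On the sample data the empty web ACL fails WAF.10 and WAF.11, and the populated one fails WAF.12 because of the one API-created rule with metrics off; `rules_with_metrics_enabled` returns the corrected `Rules` list without mutating the input, so the original response can still be compared against what is sent to UpdateWebACL.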