Default WebACL Action Without Rules Should Be Allowed

Using Console

Using CLI

AWS WAF (Web Application Firewall) protects your web applications from common web exploits. In AWS WAF, a WebACL is a collection of rules that you can use to regulate the traffic to your web applications. The default action for a WebACL determines what AWS WAF does when a request doesn’t match any of the rules in the WebACL.If the default action is set to “ALLOW” without any rules, it means that all incoming traffic will be allowed, which could potentially expose your application to malicious traffic.Here are the steps to remediate this misconfiguration:

First, you need to identify the WebACL that has the default action set to “ALLOW” without any rules. You can do this using the AWS CLI command:

aws wafv2 list-web-acls --scope REGIONAL

The output will give you a list of WebACLs. Identify the one you want to modify and note its ID and ARN.
Once you have the WebACL ID, you can check its rules and default action by using the following command:

aws wafv2 get-web-acl --scope REGIONAL --id <WebACL ID> --name <WebACL Name> --region <Region>

Replace <WebACL ID>, <WebACL Name>, and <Region> with the actual values.

If the default action is “ALLOW” and there are no rules, you should add a rule to block or count the requests that match certain conditions. Here is an example of how to add a rule:

aws wafv2 update-web-acl --scope REGIONAL --id <WebACL ID> --name <WebACL Name> --default-action Block={} --rules '[{ "Name": "Rule1", "Priority": 1, "Action": { "Block": {} }, "Statement": { "IPSetReferenceStatement": { "ARN": "<IPSet ARN>" } }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "Rule1" } }]' --region <Region>

Replace <WebACL ID>, <WebACL Name>, <IPSet ARN>, and <Region> with the actual values. This command creates a rule that blocks requests from IP addresses defined in the specified IP set.

After adding the rule, verify the changes by retrieving the WebACL information again:

aws wafv2 get-web-acl --scope REGIONAL --id <WebACL ID> --name <WebACL Name> --region <Region>

This should now show the added rule and the default action should still be “ALLOW”. However, because there’s a rule that blocks certain requests, not all traffic will be allowed by default.Remember to replace <WebACL ID>, <WebACL Name>, and <Region> with the actual values.Please note that you need to have the necessary permissions to perform these actions. Also, the AWS CLI commands should be run from a machine where AWS CLI is installed and configured with your AWS account.

Using Python

To remediate this issue, you need to change the default action for your AWS WAF (Web Application Firewall) WebACL (Access Control List) to “ALLOW”. This means that if a request doesn’t match any of the rules in the WebACL, the request will be allowed.Here’s a step-by-step guide on how to remediate this issue using Python and the Boto3 library, which allows you to directly interact with AWS services:

Install Boto3: First, you need to install Boto3 if you haven’t done so already. You can do this by running pip install boto3 in your command line.
Import Boto3: In your Python script, import the Boto3 library by adding import boto3.
Create a WAF Client: Next, create a WAF client. This allows you to interact with AWS WAF. Here’s an example:

waf = boto3.client('waf')

Get WebACL: You need to get the WebACL that you want to update. You can do this using the get_web_acl method and passing the WebACL ID. Here’s an example:

response = waf.get_web_acl(
    WebACLId='example1-1a1a-1a1a-1a1a-1234567890ab'
)

Update Default Action: Now you can update the default action for the WebACL to “ALLOW”. You can do this using the update_web_acl method. Here’s an example:

response = waf.update_web_acl(
    WebACLId='example1-1a1a-1a1a-1a1a-1234567890ab',
    ChangeToken='abcd12f2-46da-4fdb-b8d5-fbd4c466928f',
    DefaultAction={
        'Type': 'ALLOW'
    }
)

The ChangeToken parameter is a value that you get from a call to get_change_token, and you use it to ensure that your change request is submitted without any intervening updates.

Error Handling: Make sure to add appropriate error handling to your script. For example, you might want to catch exceptions if the WebACL doesn’t exist or if there’s an issue with the provided ChangeToken.

Remember to replace the ‘WebACLId’ and ‘ChangeToken’ with your actual WebACL ID and ChangeToken. After running this script, the default action for your WebACL should now be “ALLOW”.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Default WebACL Action Without Rules Should Be Allowed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation