WebACL Rules Should Not Be In Count Mode
More Info:
Identify which all webacl rules are in count mode for each AWS AccountRisk Level
CriticalAddress
SecurityCompliance Standards
ISO27001, PCIDSS, CISAWS, GDPRTriage and Remediation
Remediation
Using Console
Using Console
Here are the step-by-step instructions to remediate the misconfiguration:
- Open the AWS Management Console and navigate to AWS WAF & Shield.
- In the navigation pane, choose “Web ACLs”.
- In the Web ACLs section, choose the WebACL that you need to modify.
- In the Rules section, find the rule that is in Count mode.
- Click on the pencil icon or ‘Edit’ to modify the rule.
- In the Edit rule pane, under the Action setting, select “Block” if you want AWS WAF to block requests that match the conditions in the rule. If you want AWS WAF to allow requests that match the conditions in the rule, choose “Allow”. Don’t choose “Count” as this just increments a counter of the requests that match the conditions in the rule.
- Click on ‘Update’ to save the changes.
- Repeat the steps for all rules that are in Count mode.
- After you have updated all the rules, make sure to review and confirm all changes.
Using CLI
Using CLI
WebACL rules should not be in count mode because this mode only counts the web requests that match the properties of a rule, but does not block or allow them. Here are the steps to remediate this misconfiguration using AWS CLI:Step 1: Install AWS CLI
Firstly, you need to install AWS CLI on your system. You can download it from the official AWS website.Step 2: Configure AWS CLI
Once installed, you need to configure AWS CLI with your AWS account details. You can do this by running the following command in your terminal:You’ll be prompted to enter your AWS Access Key ID, Secret Access Key, default region name, and default output format. Enter these details correctly.Step 3: List WebACLs
Next, you need to list all the WebACLs in your account. You can use the following command:This will list all the WebACLs in your account.Step 4: Identify WebACLs in Count Mode
Go through the list of WebACLs and identify the ones that are in count mode. You can do this by checking the “DefaultAction” field of each WebACL. If it is set to “COUNT”, the WebACL is in count mode.Step 5: Change DefaultAction to Block or Allow
Once you’ve identified the WebACLs in count mode, you need to change their DefaultAction to either “BLOCK” or “ALLOW”. You can use the following co the DefaultAction of the WebACL to “ALLOW”. If you want to change it to “BLOCK”, replace Allow= with Block=.
mmand:Replace name with the name of the WebACL, id with the ID of the WebACL, and lock-token with the lock token of the WebACL. This command will change
Step 6: Verify the Changes
Finally, verify the changes by listing the WebACLs again and checking their DefaultAction. If it is set to “BLOCK” or “ALLOW”, the remediation was successful.Remember to replace all the placeholders with actual values. Also, ensßure that you have the necessary permissions to perform these actions.
Using Python
Using Python
The WebACL rules in count mode essentially means that the rule is only counting the matches for a rule without any action. This configuration can be useful for testing, but in a production environment, it’s recommended to change it to block or allow mode.Here’s how to remediate this misconfiguration using AWS SDK for Python (Boto3):
-
First, install Boto3 if it’s not already installed. You can do this by running the following command in your terminal:
-
Import the necessary modules and set up your AWS credentials:
-
Create a session using your credentials:
-
Now, use the session to create a client for AWS WAF (Web Application Firewall):
-
Get the list of WebACLs:
-
Iterate over the WebACLs and check if any rules are in count mode:
-
To change the rules from count mode to block mode, you need to update the rule: