> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# WebACL Rules Should Not Be In Count Mode

### More Info:

Identify which all webacl rules are in count mode for each AWS Account

### Risk Level

Critical

### Address

Security

### Compliance Standards

ISO27001, PCIDSS, CISAWS, GDPR

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Here are the step-by-step instructions to remediate the misconfiguration:

        1. Open the AWS Management Console and navigate to AWS WAF & Shield.

        2. In the navigation pane, choose "Web ACLs".

        3. In the Web ACLs section, choose the WebACL that you need to modify.

        4. In the Rules section, find the rule that is in Count mode.

        5. Click on the pencil icon or 'Edit' to modify the rule.

        6. In the Edit rule pane, under the Action setting, select "Block" if you want AWS WAF to block requests that match the conditions in the rule. If you want AWS WAF to allow requests that match the conditions in the rule, choose "Allow". Don't choose "Count" as this just increments a counter of the requests that match the conditions in the rule.

        7. Click on 'Update' to save the changes.

        8. Repeat the steps for all rules that are in Count mode.

        9. After you have updated all the rules, make sure to review and confirm all changes.

        Remember, the changes you make will only apply to the AWS resources (like Amazon CloudFront distributions) that are associated with the selected WebACL.
      </Accordion>

      <Accordion title="Using CLI">
        WebACL rules should not be in count mode because this mode only counts the web requests that match the properties of a rule, but does not block or allow them. Here are the steps to remediate this misconfiguration using AWS CLI:

        Step 1: Install AWS CLI
        Firstly, you need to install AWS CLI on your system. You can download it from the official AWS website.

        Step 2: Configure AWS CLI
        Once installed, you need to configure AWS CLI with your AWS account details. You can do this by running the following command in your terminal:

        ```
        aws configure
        ```

        You'll be prompted to enter your AWS Access Key ID, Secret Access Key, default region name, and default output format. Enter these details correctly.

        Step 3: List WebACLs
        Next, you need to list all the WebACLs in your account. You can use the following command:

        ```
        aws wafv2 list-web-acls --scope REGIONAL
        ```

        This will list all the WebACLs in your account.

        Step 4: Identify WebACLs in Count Mode
        Go through the list of WebACLs and identify the ones that are in count mode. You can do this by checking the "DefaultAction" field of each WebACL. If it is set to "COUNT", the WebACL is in count mode.

        Step 5: Change DefaultAction to Block or Allow
        Once you've identified the WebACLs in count mode, you need to change their DefaultAction to either "BLOCK" or "ALLOW". You can use the following co the DefaultAction of the WebACL to "ALLOW". If you want to change it to "BLOCK", replace Allow={} with Block={}.
        mmand:

        ```
        aws wafv2 update-web-acl --name <name> --scope REGIONAL --id <id> --default-action Allow={} --lock-token lock-token
        ```

        Replace name with the name of the WebACL, id with the ID of the WebACL, and lock-token with the lock token of the WebACL. This command will change
        Step 6: Verify the Changes
        Finally, verify the changes by listing the WebACLs again and checking their DefaultAction. If it is set to "BLOCK" or "ALLOW", the remediation was successful.

        Remember to replace all the placeholders with actual values. Also, ensßure that you have the necessary permissions to perform these actions.
      </Accordion>

      <Accordion title="Using Python">
        The WebACL rules in count mode essentially means that the rule is only counting the matches for a rule without any action. This configuration can be useful for testing, but in a production environment, it's recommended to change it to block or allow mode.

        Here's how to remediate this misconfiguration using AWS SDK for Python (Boto3):

        1. First, install Boto3 if it's not already installed. You can do this by running the following command in your terminal:
           ```
           pip install boto3
           ```

        2. Import the necessary modules and set up your AWS credentials:

           ```python theme={null}
           import boto3
           from botocore.exceptions import NoCredentialsError

           ACCESS_KEY = 'YOUR_ACCESS_KEY'
           SECRET_KEY = 'YOUR_SECRET_KEY'
           ```

        3. Create a session using your credentials:

           ```python theme={null}
           session = boto3.Session(
               aws_access_key_id=ACCESS_KEY,
               aws_secret_access_key=SECRET_KEY
           )
           ```

        4. Now, use the session to create a client for AWS WAF (Web Application Firewall):

           ```python theme={null}
           client = session.client('waf')
           ```

        5. Get the list of WebACLs:

           ```python theme={null}
           webacls = client.list_web_acls(Limit=100)
           ```

        6. Iterate over the WebACLs and check if any rules are in count mode:

           ```python theme={null}
           for webacl in webacls['WebACLs']:
               webacl_id = webacl['WebACLId']
               webacl_rules = client.get_web_acl(WebACLId=webacl_id)['WebACL']['Rules']

               for rule in webacl_rules:
                   if rule['Type'] == 'REGULAR' and rule['Action']['Type'] == 'COUNT':
                       print(f"WebACL {webacl_id} has a rule in count mode")
           ```

        7. To change the rules from count mode to block mode, you need to update the rule:

           ```python theme={null}
           for webacl in webacls['WebACLs']:
               webacl_id = webacl['WebACLId']
               webacl_rules = client.get_web_acl(WebACLId=webacl_id)['WebACL']['Rules']

               for rule in webacl_rules:
                   if rule['Type'] == 'REGULAR' and rule['Action']['Type'] == 'COUNT':
                       rule_id = rule['RuleId']
                       client.update_rule(Action='BLOCK', RuleId=rule_id)
           ```

        Please note that you need to replace 'YOUR\_ACCESS\_KEY' and 'YOUR\_SECRET\_KEY' with your actual AWS access key and secret key. Also, make sure that the user associated with the keys has the necessary permissions to list and update WebACLs.

        Remember to handle exceptions and errors appropriately in your production code.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
