ALB Is Not Integrated With WAF
- Query id: 105ba098-1e34-48cd-b0f2-a8a43a51bf9b
- Query name: ALB Is Not Integrated With WAF
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description¶
All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyLoadBalancer22:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-2a"
CrossZone: true
Listeners:
- InstancePort: "80"
InstanceProtocol: HTTP
LoadBalancerPort: "443"
Protocol: HTTPS
PolicyNames:
- My-SSLNegotiation-Policy
SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
Scheme: internet-facing
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyLoadBalancerV2:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: myloadbalancerv2
Scheme: internet-facing
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"MyLoadBalancer22222222": {
"Properties": {
"Listeners": [
{
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
"InstancePort": "80",
"InstanceProtocol": "HTTP",
"LoadBalancerPort": "443",
"Protocol": "HTTPS",
"PolicyNames": [
"My-SSLNegotiation-Policy"
]
}
],
"Scheme": "internet-facing",
"AvailabilityZones": [
"us-east-2a"
],
"CrossZone": true
},
"Type": "AWS::ElasticLoadBalancing::LoadBalancer"
}
}
}
Positive test num. 4 - json file
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyLoadBalancer9:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-2a"
CrossZone: true
Listeners:
- InstancePort: '80'
InstanceProtocol: HTTP
LoadBalancerPort: '443'
Protocol: HTTPS
PolicyNames:
- My-SSLNegotiation-Policy
SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
Scheme: internet-facing
MyWebACLAssociation:
Type: "AWS::WAFRegional::WebACLAssociation"
Properties:
ResourceArn:
Ref: MyLoadBalancer9
WebACLId:
Ref: MyWebACL
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"MyLoadBalancer8": {
"Properties": {
"Listeners": [
{
"PolicyNames": [
"My-SSLNegotiation-Policy"
],
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
"InstancePort": "80",
"InstanceProtocol": "HTTP",
"LoadBalancerPort": "443",
"Protocol": "HTTPS"
}
],
"Scheme": "internet-facing",
"AvailabilityZones": [
"us-east-2a"
],
"CrossZone": true
},
"Type": "AWS::ElasticLoadBalancing::LoadBalancer"
},
"MyWebACLAssociation": {
"Type": "AWS::WAFRegional::WebACLAssociation",
"Properties": {
"WebACLId": {
"Ref": "MyWebACL"
},
"ResourceArn": {
"Ref": "MyLoadBalancer8"
}
}
}
}
}