ALB Is Not Integrated With WAF

  • Query id: 105ba098-1e34-48cd-b0f2-a8a43a51bf9b
  • Query name: ALB Is Not Integrated With WAF
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Networking and Firewall
  • URL: Github

Description

All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyLoadBalancer22:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AvailabilityZones:
        - "us-east-2a"
      CrossZone: true
      Listeners:
        - InstancePort: "80"
          InstanceProtocol: HTTP
          LoadBalancerPort: "443"
          Protocol: HTTPS
          PolicyNames:
            - My-SSLNegotiation-Policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
      Scheme: internet-facing
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyLoadBalancerV2:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: myloadbalancerv2
      Scheme: internet-facing
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyLoadBalancer22222222": {
      "Properties": {
        "Listeners": [
          {
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ]
          }
        ],
        "Scheme": "internet-facing",
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true
      },
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer"
    }
  }
}

Positive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyLoadBalancerV22222": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Scheme": "internet-facing",
        "Name": "myloadbalancerv2"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
    MyLoadBalancer9:
        Type: AWS::ElasticLoadBalancing::LoadBalancer
        Properties:
          AvailabilityZones:
          - "us-east-2a"
          CrossZone: true
          Listeners:
          - InstancePort: '80'
            InstanceProtocol: HTTP
            LoadBalancerPort: '443'
            Protocol: HTTPS
            PolicyNames:
            - My-SSLNegotiation-Policy
            SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
          Scheme: internet-facing
    MyWebACLAssociation:
      Type: "AWS::WAFRegional::WebACLAssociation"
      Properties:
        ResourceArn:
          Ref: MyLoadBalancer9
        WebACLId:
          Ref: MyWebACL
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyLoadBalancer8": {
      "Properties": {
        "Listeners": [
          {
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS"
          }
        ],
        "Scheme": "internet-facing",
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true
      },
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer"
    },
    "MyWebACLAssociation": {
      "Type": "AWS::WAFRegional::WebACLAssociation",
      "Properties": {
        "WebACLId": {
          "Ref": "MyWebACL"
        },
        "ResourceArn": {
          "Ref": "MyLoadBalancer8"
        }
      }
    }
  }
}