ALB Is Not Integrated With WAF
- Query id: 0afa6ab8-a047-48cf-be07-93a2f8c34cf7
- Query name: ALB Is Not Integrated With WAF
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- CWE: 778
- URL: Github
## Description

All Application Load Balancers (ALB) must be protected by the Web Application Firewall (WAF) service: an `aws_alb` (or application-type `aws_lb`) resource that no `aws_wafregional_web_acl_association` or `aws_wafv2_web_acl_association` references in its `resource_arn` is reported.

Documentation
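As an added illustration of the check this query describes (this is an example written for this page, not KICS's own Rego query or any project code), the following Python script applies the same logic with a simplified, regex-based reader for top-level `resource` blocks: it collects every WAF association whose `resource_arn` points at a load balancer, then reports each `aws_alb` or application-type `aws_lb` that none of them references. It runs over condensed copies of the four samples on this page plus one constructed Network Load Balancer; skipping NLBs and treating an omitted `load_balancer_type` as `application` are the script's own assumptions, as are the `SAMPLES` and `find_unprotected_albs` names.

```python
import re

# Constructed inputs: condensed copies of the page's four samples plus one
# Network Load Balancer (assumption: WAF does not attach to NLBs, so it is skipped).
SAMPLES = {
    "positive_1": '''
resource "aws_alb" "foo" {
  internal = false
  subnets  = [aws_subnet.foo.id, aws_subnet.bar.id]
}
resource "aws_wafregional_web_acl_association" "foo_waf" {
  resource_arn = aws_alb.fooooo.arn
  web_acl_id   = aws_wafregional_web_acl.foo.id
}
''',
    "positive_2": '''
resource "aws_lb" "alb" {
  load_balancer_type = "application"
  subnets            = [for subnet in aws_subnet.public : subnet.id]
}
resource "aws_wafv2_web_acl_association" "alb_waf_association" {
  resource_arn = aws_lb.alba.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}
''',
    "negative_1": '''
resource "aws_alb" "foo33" {
  internal = false
  subnets  = [aws_subnet.foo.id, aws_subnet.bar.id]
}
resource "aws_wafregional_web_acl_association" "foo_waf33" {
  resource_arn = aws_alb.foo33.arn
  web_acl_id   = aws_wafregional_web_acl.foo.id
}
# trigger validation
''',
    "negative_2": '''
resource "aws_lb" "alb" {
  load_balancer_type = "application"
  subnets            = [for subnet in aws_subnet.public : subnet.id]
}
resource "aws_wafv2_web_acl_association" "alb_waf_association" {
  resource_arn = aws_lb.alb.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}
''',
    "nlb_out_of_scope": '''
resource "aws_lb" "tcp" {
  load_balancer_type = "network"
  subnets            = [aws_subnet.foo.id]
}
''',
}

# One top-level "resource" block per match. Simplification: bodies are assumed to
# contain no nested blocks, so the first "}" at the start of a line ends the body.
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
ATTR_RE = re.compile(r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)')
LB_REF_RE = re.compile(r'(aws_alb|aws_lb)\.([A-Za-z0-9_-]+)\.arn')
WAF_ASSOCIATIONS = {"aws_wafregional_web_acl_association", "aws_wafv2_web_acl_association"}


def parse_resources(hcl: str):
    """Return [(type, name, {attribute: raw_value})] for each top-level resource."""
    resources = []
    for rtype, rname, body in RESOURCE_RE.findall(hcl):
        attrs = {}
        for line in body.splitlines():
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2).strip()
        resources.append((rtype, rname, attrs))
    return resources


def is_application_lb(rtype: str, attrs: dict) -> bool:
    """aws_alb is always an ALB; aws_lb is one unless load_balancer_type says otherwise
    (the AWS provider defaults load_balancer_type to "application" when it is omitted)."""
    if rtype == "aws_alb":
        return True
    if rtype == "aws_lb":
        return attrs.get("load_balancer_type", '"application"').strip('"') == "application"
    return False


def find_unprotected_albs(hcl: str):
    """Addresses (type.name) of ALBs that no WAF association's resource_arn points at."""
    resources = parse_resources(hcl)
    protected = set()
    for rtype, _, attrs in resources:
        if rtype in WAF_ASSOCIATIONS:
            m = LB_REF_RE.fullmatch(attrs.get("resource_arn", ""))
            if m:
                protected.add((m.group(1), m.group(2)))
    return [f"{rtype}.{rname}" for rtype, rname, attrs in resources
            if is_application_lb(rtype, attrs) and (rtype, rname) not in protected]


if __name__ == "__main__":
    for label, hcl in SAMPLES.items():
        print(f"{label}: {find_unprotected_albs(hcl) or 'OK'}")
```

Both positive samples are reported because their association references a resource address (`aws_alb.fooooo`, `aws_lb.alba`) that is not the ALB declared next to it; the negative samples are clean. The regex reader is enough for these flat files, but a real scan should use a proper HCL parser (or the KICS query itself) so that nested blocks, modules and `for_each` references are resolved correctly.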
## Code samples

### Code samples with security vulnerabilities
Positive test num. 1 - tf file

```tf
resource "aws_alb" "foo" {
  internal = false
  subnets  = [aws_subnet.foo.id, aws_subnet.bar.id]
}

# The association references aws_alb.fooooo, not the aws_alb.foo declared above,
# so "foo" is left without a WAF web ACL.
resource "aws_wafregional_web_acl_association" "foo_waf" {
  resource_arn = aws_alb.fooooo.arn
  web_acl_id   = aws_wafregional_web_acl.foo.id
}
```
Positive test num. 2 - tf file

```tf
resource "aws_lb" "alb" {
  name               = "test-lb-tf"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.lb_sg.id]
  subnets            = [for subnet in aws_subnet.public : subnet.id]
}

# The association references aws_lb.alba, not the aws_lb.alb declared above,
# so "alb" is left without a WAF web ACL.
resource "aws_wafv2_web_acl_association" "alb_waf_association" {
  resource_arn = aws_lb.alba.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}
```
### Code samples without security vulnerabilities

Negative test num. 1 - tf file

```tf
resource "aws_alb" "foo33" {
  internal = false
  subnets  = [aws_subnet.foo.id, aws_subnet.bar.id]
}

resource "aws_wafregional_web_acl_association" "foo_waf33" {
  resource_arn = aws_alb.foo33.arn
  web_acl_id   = aws_wafregional_web_acl.foo.id
}

# trigger validation
```
Negative test num. 2 - tf file

```tf
resource "aws_lb" "alb" {
  name               = "test-lb-tf"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.lb_sg.id]
  subnets            = [for subnet in aws_subnet.public : subnet.id]
}

resource "aws_wafv2_web_acl_association" "alb_waf_association" {
  resource_arn = aws_lb.alb.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}
```