-
Notifications
You must be signed in to change notification settings - Fork 177
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add AWS WAF WebACL Has Associated Resources policy
- Loading branch information
bcpenta
authored and
bcpenta
committed
Oct 22, 2024
1 parent
03ed81c
commit 3c93514
Showing
2 changed files
with
53 additions
and
0 deletions.
There are no files selected for viewing
4 changes: 4 additions & 0 deletions
4
policies/aws_waf_policies/aws_waf_webacl_has_associated_resources.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| def policy(resource): | ||
| # Check if the WebACL has any associated resources | ||
| associations = resource.get("AssociatedResources", []) | ||
| return len(associations) > 0 |
49 changes: 49 additions & 0 deletions
49
policies/aws_waf_policies/aws_waf_webacl_has_associated_resources.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| AnalysisType: policy | ||
| Filename: aws_waf_webacl_has_associated_resources.py | ||
| PolicyID: "AWS.WAF.WebACLHasAssociatedResources" | ||
| DisplayName: "AWS WAF WebACL Has Associated Resources" | ||
| Enabled: true | ||
| ResourceTypes: | ||
| - AWS.WAF.Regional.WebACL | ||
| - AWS.WAF.WebACL | ||
| Tags: | ||
| - AWS | ||
| - Security Control | ||
| - Optimization | ||
| Severity: Medium | ||
| Description: > | ||
| This policy ensures that AWS WAF WebACLs are associated with at least one resource (ALB, CloudFront Distribution, or API Gateway). If a WebACL is not associated with any resources, it is inactive and not providing any protection. | ||
| Runbook: > | ||
| Associate the WAF WebACL with at least one resource, such as an Application Load Balancer (ALB), CloudFront Distribution, or API Gateway. WebACLs that are not associated with resources do not protect any traffic. | ||
| Reference: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associate.html | ||
| Tests: | ||
| - Name: WebACL Associated with Resources | ||
| ExpectedResult: true | ||
| Resource: | ||
| { | ||
| "ResourceType": "AWS.WAF.WebACL", | ||
| "AssociatedResources": | ||
| [ | ||
| "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-app", | ||
| "arn:aws:cloudfront::123456789012:distribution/EXAMPLE" | ||
| ] | ||
| } | ||
|
|
||
| - Name: WebACL Not Associated with Resources | ||
| ExpectedResult: false | ||
| Resource: | ||
| { | ||
| "ResourceType": "AWS.WAF.WebACL", | ||
| "AssociatedResources": [] | ||
| } | ||
|
|
||
| - Name: WebACL Associated with Single Resource | ||
| ExpectedResult: true | ||
| Resource: | ||
| { | ||
| "ResourceType": "AWS.WAF.WebACL", | ||
| "AssociatedResources": | ||
| [ | ||
| "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-app" | ||
| ] | ||
| } |