Rule: ELB Application Load Balancers Should Have WAF Enabled

This rule states that ELB application load balancers must have Web Application Firewall (WAF) enabled to enhance security.

Rule: ELB application load balancers should have Web Application Firewall (WAF) enabled
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule Description:

ELB application load balancers must have Web Application Firewall (WAF) enabled to ensure compliance with FedRAMP Low Revision 4 requirements. This rule helps protect web applications hosted on the load balancers from common web-based attacks, such as SQL injection, cross-site scripting (XSS), and application layer DDoS attacks.

Troubleshooting Steps:

If Web Application Firewall (WAF) is not enabled for the ELB application load balancer, follow these troubleshooting steps to enable it:

  1. Verify that the ELB application load balancer is indeed missing a WAF configuration.
  2. Check the AWS Management Console or use the AWS CLI to confirm the current configuration.
  3. If WAF is not enabled, proceed to the remediation steps below.
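As an added example (not Cloud Defense's own code), the verification in steps 1 and 2 written as a boto3-style check: it lists every Application Load Balancer and asks WAFv2 which web ACL, if any, is associated with the load balancer's ARN. The client objects are passed in as parameters (an assumption made here so the constructed fakes at the bottom exercise the logic offline); with real boto3 clients the same functions report live findings.

```python
from typing import Dict, List, Optional


def list_application_lbs(elbv2) -> List[Dict[str, str]]:
    """Return {'arn', 'name'} for every Application Load Balancer, following pagination."""
    albs, kwargs = [], {}
    while True:
        page = elbv2.describe_load_balancers(**kwargs)
        for lb in page.get("LoadBalancers", []):
            if lb.get("Type") == "application":  # NLBs/GWLBs cannot carry a web ACL
                albs.append({"arn": lb["LoadBalancerArn"], "name": lb["LoadBalancerName"]})
        if not page.get("NextMarker"):
            return albs
        kwargs = {"Marker": page["NextMarker"]}


def web_acl_for(wafv2, resource_arn: str) -> Optional[str]:
    """Name of the regional web ACL attached to the load balancer ARN, or None."""
    acl = wafv2.get_web_acl_for_resource(ResourceArn=resource_arn).get("WebACL")
    return acl["Name"] if acl else None


def find_noncompliant_albs(elbv2, wafv2) -> List[str]:
    """Names of ALBs with no web ACL associated: the finding this rule raises."""
    return [lb["name"] for lb in list_application_lbs(elbv2)
            if web_acl_for(wafv2, lb["arn"]) is None]


# Constructed stand-ins for the boto3 clients so the check runs offline.
_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/"


class FakeELBv2:
    pages = [
        {"LoadBalancers": [
            {"LoadBalancerArn": _ARN + "app/web-alb/0a1b", "LoadBalancerName": "web-alb", "Type": "application"},
            {"LoadBalancerArn": _ARN + "net/edge-nlb/2c3d", "LoadBalancerName": "edge-nlb", "Type": "network"}],
         "NextMarker": "page2"},
        {"LoadBalancers": [
            {"LoadBalancerArn": _ARN + "app/api-alb/4e5f", "LoadBalancerName": "api-alb", "Type": "application"}]},
    ]

    def describe_load_balancers(self, Marker=None):
        return self.pages[1] if Marker == "page2" else self.pages[0]


class FakeWAFv2:
    def get_web_acl_for_resource(self, ResourceArn):  # only web-alb has a web ACL
        return {"WebACL": {"Name": "prod-web-acl"}} if "/web-alb/" in ResourceArn else {}


if __name__ == "__main__":
    # For a live check replace the fakes with boto3.client("elbv2") / boto3.client("wafv2").
    for name in find_noncompliant_albs(FakeELBv2(), FakeWAFv2()):
        print(f"NONCOMPLIANT: {name} has no WAF web ACL")  # prints api-alb
```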

Necessary Code:

AWS CLI command to create the Web Application Firewall (WAF) web ACL for an existing ELB application load balancer:

aws wafv2 create-web-acl \
    --name <WAF_ACL_NAME> \
    --scope REGIONAL \
    --region <AWS_REGION> \
    --default-action Allow={} \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=<WAF_ACL_NAME> \
    --rules 'Name=AWSManagedRulesAmazonIpReputationList,Priority=1,OverrideAction={None={}},Statement={ManagedRuleGroupStatement={VendorName=AWS,Name=AWSManagedRulesAmazonIpReputationList}},VisibilityConfig={SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=IpReputationList}' \
            'Name=AWSManagedRulesCommonRuleSet,Priority=2,OverrideAction={None={}},Statement={ManagedRuleGroupStatement={VendorName=AWS,Name=AWSManagedRulesCommonRuleSet}},VisibilityConfig={SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=CommonRuleSet}' \
            'Name=AWSManagedRulesKnownBadInputsRuleSet,Priority=3,OverrideAction={None={}},Statement={ManagedRuleGroupStatement={VendorName=AWS,Name=AWSManagedRulesKnownBadInputsRuleSet}},VisibilityConfig={SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=KnownBadInputs}' \
    --tags Key=<TAG_KEY>,Value=<TAG_VALUE>

Note: Replace <WAF_ACL_NAME>, <AWS_REGION>, <TAG_KEY> and <TAG_VALUE> with values suitable for your environment. Each managed rule group is referenced through a ManagedRuleGroupStatement; OverrideAction={None={}} keeps the group's own block actions, and a VisibilityConfig is required on the web ACL and on every rule so that sampled requests and CloudWatch metrics are available for monitoring. Adjust the list of rules within --rules according to your specific requirements. Creating the web ACL does not by itself protect the load balancer: the ACL must then be associated with the load balancer's ARN (aws wafv2 associate-web-acl).

Step-by-Step Guide for Remediation:

Follow these step-by-step instructions to enable Web Application Firewall (WAF) on an existing ELB application load balancer:

  1. Open the AWS Management Console and navigate to the EC2 service.
  2. In the EC2 dashboard, click on "Load Balancers" in the sidebar.
  3. Select the ELB application load balancer that needs WAF enabled.
  4. Make sure the load balancer is in the same AWS Region as your CLI configuration or console session.
  5. Click on the "Listeners" tab in the load balancer details view.
  6. Identify the appropriate listener and note down the listener's port.
  7. Open the AWS Command Line Interface (CLI) or use the AWS Management Console.
  8. Run the AWS CLI command mentioned above to create the Web Application Firewall (WAF) web ACL for the chosen listener port. Adjust the command based on your specific requirements.
  9. Monitor the progress of WAF creation through the CLI or console.
  10. Once the WAF ACL is created successfully, associate it with the listener port by using the AWS CLI or Console.
  11. Test your application with various security scans or penetration testing tools to ensure WAF is functioning correctly.
  12. Monitor the WAF logs and metrics to detect any potential security incidents or violations.
  13. Regularly update and maintain the WAF rules and configurations to align with ongoing web application security needs.

By following these steps, you can ensure that your ELB application load balancers comply with the FedRAMP Low Revision 4 requirements by enabling Web Application Firewall (WAF) for enhanced security.
