Rule: ELB Application Load Balancers Should Have Web Application Firewall (WAF) Enabled

This rule requires ELB application load balancers to have WAF enabled for enhanced security measures.

Rule: ELB application load balancers should have Web Application Firewall (WAF) enabled

Framework: FedRAMP Low Revision 4

Severity: Medium

Rule Description:

ELB (Elastic Load Balancer) application load balancers used in an environment adhering to FedRAMP Low Revision 4 must have the Web Application Firewall (WAF) enabled. The WAF provides an additional layer of security by analyzing incoming traffic and blocking any suspicious or malicious requests targeting web applications hosted behind the load balancer.

Troubleshooting Steps:

If the WAF is not enabled for the ELB application load balancers in your environment, follow these troubleshooting steps:

  1. Check ELB Configuration: Verify that the ELB configuration supports the use of a WAF. Ensure that the load balancers are application load balancers rather than network load balancers, as WAF is not available for network load balancers.

  2. Check WAF Availability: Ensure that the WAF service is available in the specific AWS region where your load balancer is deployed. Certain AWS regions may not have WAF support, so choose a region that supports both ELB and WAF.

  3. Check IAM Permissions: Make sure that the AWS Identity and Access Management (IAM) user or role associated with the load balancer has sufficient permissions to enable the WAF. The user or role should have the necessary permissions to create and manage WAF resources.

  4. Verify WAF Association: Ensure that the WAF is associated with the appropriate resources behind the load balancer. Verify that the WAF rules and web ACLs (Access Control Lists) are correctly configured to protect the web applications.
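The type check from step 1 and the association check from step 4 can be scripted. The following is an added example, not part of the original page or of any vendor tooling: `evaluate_waf_coverage` and `wafv2_lookup` are hypothetical names, the sample load balancers and ARNs are constructed placeholders, and only AWS WAF (wafv2) associations are considered, not WAF Classic.

```python
def evaluate_waf_coverage(load_balancers, web_acl_for):
    """Classify load balancers as ok / alarm / skip.

    load_balancers: "LoadBalancers" entries from elbv2 DescribeLoadBalancers.
    web_acl_for: callable, load balancer ARN -> web ACL ARN or None.
    """
    findings = []
    for lb in load_balancers:
        name, lb_type = lb["LoadBalancerName"], lb.get("Type")
        if lb_type != "application":
            # Step 1: WAF attaches to application load balancers only.
            findings.append((name, "skip", f"type {lb_type} is out of scope"))
            continue
        acl_arn = web_acl_for(lb["LoadBalancerArn"])  # step 4
        if acl_arn:
            findings.append((name, "ok", f"associated with {acl_arn}"))
        else:
            findings.append((name, "alarm", "no web ACL associated"))
    return findings


def wafv2_lookup(region):
    """Live lookup via boto3; needs credentials allowed to call wafv2."""
    import boto3  # lazy import so the logic above runs without boto3
    client = boto3.client("wafv2", region_name=region)

    def lookup(resource_arn):
        resp = client.get_web_acl_for_resource(ResourceArn=resource_arn)
        return (resp.get("WebACL") or {}).get("ARN")
    return lookup


# Constructed sample data: account ID, names and ARNs are placeholders.
_LB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer"
SAMPLE_LBS = [
    {"LoadBalancerName": "web-frontend", "Type": "application",
     "LoadBalancerArn": f"{_LB}/app/web-frontend/0000000000000001"},
    {"LoadBalancerName": "legacy-app", "Type": "application",
     "LoadBalancerArn": f"{_LB}/app/legacy-app/0000000000000002"},
    {"LoadBalancerName": "tcp-ingest", "Type": "network",
     "LoadBalancerArn": f"{_LB}/net/tcp-ingest/0000000000000003"},
]
SAMPLE_ASSOCIATIONS = {
    SAMPLE_LBS[0]["LoadBalancerArn"]:
        "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID",
}

if __name__ == "__main__":
    for name, status, reason in evaluate_waf_coverage(SAMPLE_LBS, SAMPLE_ASSOCIATIONS.get):
        print(f"{status:5} {name}: {reason}")
```

Against a real account, pass `wafv2_lookup("<region>")` as the second argument and feed in the `LoadBalancers` list from `describe_load_balancers`; every `alarm` row is a load balancer that fails this rule.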

Necessary Codes:

No specific codes are required for this rule. Configuration changes will be made via the AWS Management Console or the AWS Command Line Interface (CLI).

Remediation Steps:

Follow these step-by-step instructions to enable Web Application Firewall (WAF) for your ELB application load balancers:

  1. Log in to the AWS Management Console.

  2. Navigate to the EC2 service.

  3. Select "Load Balancers" from the left navigation pane.

  4. Identify the ELB application load balancer that needs WAF enabled and click on it.

  5. In the load balancer details page, go to the "Listeners" tab.

  6. Identify the listener/port that requires WAF protection and click on the pencil/edit icon next to it.

  7. In the listener configuration, scroll down to the "WAF" section.

  8. Click on the "Add/Edit WAF" button.

  9. If you have an existing WebACL, select it from the dropdown. Otherwise, click on the "Create WebACL" button to configure a new WebACL.

  10. Configure the WebACL rules specific to your application's security requirements. This may include setting up conditions, rulesets, and other filters.

  11. Once the WebACL is configured, click on the "Save" button.

  12. On the listener configuration page, click on the "Save" button to apply WAF to the selected listener.

  13. Repeat the above steps for any additional listeners that require WAF protection.

  14. Verify that the WAF is successfully enabled by checking the load balancer's "Description" tab, which should now indicate WAF settings.

  15. Test your web applications to ensure they are functioning correctly with the newly enabled WAF.

By following these steps, you can enable Web Application Firewall (WAF) for your ELB application load balancers and enhance the security of your environment, meeting the FedRAMP Low Revision 4 requirement.
