--- policy: /ce/ca/aws/waf/web-acl-without-rules logic: /ce/ca/aws/waf/web-acl-without-rules/prod.logic.yaml executionTime: 2026-02-10T22:33:23.177566801Z generationMs: 91 executionMs: 1000 rows: - id: test1 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: CA10__AWS_WAF_Rules__r.hasNo(COMPLIANT) && CA10A1__AWS_WAF_Rule_Groups__r.hasNo(COMPLIANT) && CA10__AWS_WAF_Web_ACL_Activated_Rules__r.hasNo(COMPLIANT) actual: CA10__AWS_WAF_Rules__r.hasNo(COMPLIANT) && CA10A1__AWS_WAF_Rule_Groups__r.hasNo(COMPLIANT) && CA10__AWS_WAF_Web_ACL_Activated_Rules__r.hasNo(COMPLIANT) runtimeError: {} - id: test2 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 200 actual: 200 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/waf/web-acl-without-rules/policy.yaml md5Hash: 1FC18725633901D4FC1712B00592F130 content: | --- names: full: "AWS WAF Web ACL has no WAF Rules or WAF Rule Groups" contextual: "Web ACL has no WAF Rules or WAF Rule Groups" description: "Ensure that AWS WAF web ACLs have at least one rule or rule group\ \ to provide protection against common web exploits and malicious traffic." type: "COMPLIANCE_POLICY" categories: - "SECURITY" frameworkMappings: - "/frameworks/cloudaware/resource-security/threat-protection" - "/frameworks/aws-fsbp-v1.0.0/waf/04" - "/frameworks/aws-fsbp-v1.0.0/waf/08" - "/frameworks/aws-fsbp-v1.0.0/waf/10" - "/frameworks/aws-well-architected/sec/05/03" similarPolicies: awsSecurityHub: - name: "[WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group" url: "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-4" - name: "[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group" url: "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-8" - name: "[WAF.10] AWS WAF web ACLs should have at least one rule or rule group" url: "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-10" - path: /ce/ca/aws/waf/web-acl-without-rules/prod.logic.yaml md5Hash: 2C87AF55F66F130082DA7EB3D25A1634 content: | --- inputType: "CA10__CaAwsWafWebAcl__c" testData: - file: "test-data.json" conditions: - status: "INCOMPLIANT" currentStateMessage: "The WAF web ACL does not have any rules or rule groups configured." remediationMessage: "Add at least one rule or rule group to the web ACL to provide protection." check: AND: args: - RELATED_LIST_HAS_NO: status: "COMPLIANT" relationshipName: "CA10__AWS_WAF_Rules__r" - RELATED_LIST_HAS_NO: status: "COMPLIANT" relationshipName: "CA10A1__AWS_WAF_Rule_Groups__r" - RELATED_LIST_HAS_NO: status: "COMPLIANT" relationshipName: "CA10__AWS_WAF_Web_ACL_Activated_Rules__r" otherwise: status: "COMPLIANT" currentStateMessage: "The WAF web ACL has at least one rule or rule group configured." relatedLists: - relationshipName: "CA10__AWS_WAF_Rules__r" conditions: [] otherwise: status: "COMPLIANT" currentStateMessage: "Rule exists." - relationshipName: "CA10A1__AWS_WAF_Rule_Groups__r" conditions: [] otherwise: status: "COMPLIANT" currentStateMessage: "Rule group exists." - relationshipName: "CA10__AWS_WAF_Web_ACL_Activated_Rules__r" conditions: [] otherwise: status: "COMPLIANT" currentStateMessage: "Rule exists." - path: /ce/ca/aws/waf/web-acl-without-rules/test-data.json md5Hash: F1A216EB5D9756F336EBF9AEDA483AB6 content: |- [ { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "CA10__AWS_WAF_Rules__r.hasNo(COMPLIANT) && CA10A1__AWS_WAF_Rule_Groups__r.hasNo(COMPLIANT) && CA10__AWS_WAF_Web_ACL_Activated_Rules__r.hasNo(COMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2025-10-24T05:35:18Z" }, "CA10__disappearanceTime__c": null, "Id": "test1", "RecordTypeId": "RecordTypeId1", "RecordType": { "Id": "RecordTypeId1" }, "CA10__AWS_WAF_Rules__r": [], "CA10A1__AWS_WAF_Rule_Groups__r": [], "CA10__AWS_WAF_Web_ACL_Activated_Rules__r": [] }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "200", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2025-10-24T05:35:18Z" }, "CA10__disappearanceTime__c": null, "Id": "test2", "RecordTypeId": "RecordTypeId2", "RecordType": { "Id": "RecordTypeId2" }, "CA10__AWS_WAF_Rules__r": [ { "CA10__disappearanceTime__c": null, "CA10__webAcl__c": "test2", "Id": "test2_1", "RecordTypeId": "RecordTypeId2_1", "RecordType": { "Id": "RecordTypeId2_1" } } ], "CA10A1__AWS_WAF_Rule_Groups__r": [], "CA10__AWS_WAF_Web_ACL_Activated_Rules__r": [] } ] script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "CA10__AWS_WAF_Rules__r.hasNo(COMPLIANT) && CA10A1__AWS_WAF_Rule_Groups__r.hasNo(COMPLIANT) && CA10__AWS_WAF_Web_ACL_Activated_Rules__r.hasNo(COMPLIANT)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsWafWebAcl__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2025-10-24T05:35:18Z") }, "Id" : "test1", "RecordTypeId" : "RecordTypeId1" }, { "context" : { "snapshotTime" : new Date("2025-10-24T05:35:18Z") }, "Id" : "test2", "RecordTypeId" : "RecordTypeId2" } ]; """; CREATE TEMP FUNCTION mock_RecordType() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2025-10-24T05:35:18Z") }, "Id" : "RecordTypeId1" }, { "context" : { "snapshotTime" : new Date("2025-10-24T05:35:18Z") }, "Id" : "RecordTypeId2" }, { "context" : { "snapshotTime" : new Date("2025-10-24T05:35:18Z") }, "Id" : "RecordTypeId2_1" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsWafRule__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2025-10-24T05:35:18Z") }, "CA10__webAcl__c" : "test2", "Id" : "test2_1", "RecordTypeId" : "RecordTypeId2_1" } ]; """; CREATE TEMP FUNCTION mock_CA10A1__CaAwsWafRuleGroup__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsWafWebAclActivatedRule__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsWafWebAcl__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, Id STRING, RecordTypeId STRING, RecordType STRUCT< Id STRING >, CA10__AWS_WAF_Rules__r ARRAY, result STRUCT >>, CA10A1__AWS_WAF_Rule_Groups__r ARRAY, result STRUCT >>, CA10__AWS_WAF_Web_ACL_Activated_Rules__r ARRAY, result STRUCT >> >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } var count_CA10__AWS_WAF_Rules__r_COMPLIANT2 = 0; if (obj.CA10__AWS_WAF_Rules__r != null) { for (var i5 = 0; i5 < obj.CA10__AWS_WAF_Rules__r.length; i5++) { if (typeof(obj.CA10__AWS_WAF_Rules__r[i5].status) !== 'undefined') { if (obj.CA10__AWS_WAF_Rules__r[i5].status == 'COMPLIANT') { count_CA10__AWS_WAF_Rules__r_COMPLIANT2 += obj.CA10__AWS_WAF_Rules__r[i5].count; } } else { if (obj.CA10__AWS_WAF_Rules__r[i5].result.status == 'COMPLIANT') { count_CA10__AWS_WAF_Rules__r_COMPLIANT2 += 1; } } } } var count_CA10A1__AWS_WAF_Rule_Groups__r_COMPLIANT3 = 0; if (obj.CA10A1__AWS_WAF_Rule_Groups__r != null) { for (var i6 = 0; i6 < obj.CA10A1__AWS_WAF_Rule_Groups__r.length; i6++) { if (typeof(obj.CA10A1__AWS_WAF_Rule_Groups__r[i6].status) !== 'undefined') { if (obj.CA10A1__AWS_WAF_Rule_Groups__r[i6].status == 'COMPLIANT') { count_CA10A1__AWS_WAF_Rule_Groups__r_COMPLIANT3 += obj.CA10A1__AWS_WAF_Rule_Groups__r[i6].count; } } else { if (obj.CA10A1__AWS_WAF_Rule_Groups__r[i6].result.status == 'COMPLIANT') { count_CA10A1__AWS_WAF_Rule_Groups__r_COMPLIANT3 += 1; } } } } var count_CA10__AWS_WAF_Web_ACL_Activated_Rules__r_COMPLIANT4 = 0; if (obj.CA10__AWS_WAF_Web_ACL_Activated_Rules__r != null) { for (var i7 = 0; i7 < obj.CA10__AWS_WAF_Web_ACL_Activated_Rules__r.length; i7++) { if (typeof(obj.CA10__AWS_WAF_Web_ACL_Activated_Rules__r[i7].status) !== 'undefined') { if (obj.CA10__AWS_WAF_Web_ACL_Activated_Rules__r[i7].status == 'COMPLIANT') { count_CA10__AWS_WAF_Web_ACL_Activated_Rules__r_COMPLIANT4 += obj.CA10__AWS_WAF_Web_ACL_Activated_Rules__r[i7].count; } } else { if (obj.CA10__AWS_WAF_Web_ACL_Activated_Rules__r[i7].result.status == 'COMPLIANT') { count_CA10__AWS_WAF_Web_ACL_Activated_Rules__r_COMPLIANT4 += 1; } } } } // condition[1], conditionIndex:[100..199] references1.push('Related list [CA10__AWS_WAF_Rules__r] ' + (count_CA10__AWS_WAF_Rules__r_COMPLIANT2 == 0 ? 'does not have' : 'has') + ' objects in COMPLIANT status'); references1.push('Related list [CA10A1__AWS_WAF_Rule_Groups__r] ' + (count_CA10A1__AWS_WAF_Rule_Groups__r_COMPLIANT3 == 0 ? 'does not have' : 'has') + ' objects in COMPLIANT status'); references1.push('Related list [CA10__AWS_WAF_Web_ACL_Activated_Rules__r] ' + (count_CA10__AWS_WAF_Web_ACL_Activated_Rules__r_COMPLIANT4 == 0 ? 'does not have' : 'has') + ' objects in COMPLIANT status'); if (count_CA10__AWS_WAF_Rules__r_COMPLIANT2 == 0 && count_CA10A1__AWS_WAF_Rule_Groups__r_COMPLIANT3 == 0 && count_CA10__AWS_WAF_Web_ACL_Activated_Rules__r_COMPLIANT4 == 0) { return {status: 'INCOMPLIANT', conditionIndex: 199, conditionText: "CA10__AWS_WAF_Rules__r.hasNo(COMPLIANT) && CA10A1__AWS_WAF_Rule_Groups__r.hasNo(COMPLIANT) && CA10__AWS_WAF_Web_ACL_Activated_Rules__r.hasNo(COMPLIANT)", currentStateMessage: "The WAF web ACL does not have any rules or rule groups configured.", currentStateReferences: references1.join('\n'), remediation: "Add at least one rule or rule group to the web ACL to provide protection.", runtimeError: null}; } return {status: 'COMPLIANT', conditionIndex: 200, conditionText: "otherwise", currentStateMessage: "The WAF web ACL has at least one rule or rule group configured.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; CREATE TEMP FUNCTION process_CA10__AWS_WAF_Rules__r( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__webAcl__c STRING, Id STRING, RecordTypeId STRING, RecordType STRUCT< Id STRING > >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'COMPLIANT', conditionIndex: 100, conditionText: "otherwise", currentStateMessage: "Rule exists.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; CREATE TEMP FUNCTION process_CA10A1__AWS_WAF_Rule_Groups__r( obj STRUCT< CA10A1__disappearanceTime__c TIMESTAMP, CA10A1__webAcl__c STRING, Id STRING, RecordTypeId STRING, RecordType STRUCT< Id STRING > >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10A1__disappearanceTime__c]: ' + obj.CA10A1__disappearanceTime__c); if (obj.CA10A1__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10A1__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'COMPLIANT', conditionIndex: 100, conditionText: "otherwise", currentStateMessage: "Rule group exists.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; CREATE TEMP FUNCTION process_CA10__AWS_WAF_Web_ACL_Activated_Rules__r( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__webAcl__c STRING, Id STRING, RecordTypeId STRING, RecordType STRUCT< Id STRING > >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'COMPLIANT', conditionIndex: 100, conditionText: "otherwise", currentStateMessage: "Rule exists.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.Id AS Id, sObject.RecordTypeId AS RecordTypeId, STRUCT ( `RecordType`.Id AS Id ) AS RecordType, `CA10__AWS_WAF_Rules__r`.arr AS CA10__AWS_WAF_Rules__r, `CA10A1__AWS_WAF_Rule_Groups__r`.arr AS CA10A1__AWS_WAF_Rule_Groups__r, `CA10__AWS_WAF_Web_ACL_Activated_Rules__r`.arr AS CA10__AWS_WAF_Web_ACL_Activated_Rules__r, process_CA10__CaAwsWafWebAcl__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.Id AS Id, sObject.RecordTypeId AS RecordTypeId, STRUCT ( `RecordType`.Id AS Id ) AS RecordType, `CA10__AWS_WAF_Rules__r`.arr AS CA10__AWS_WAF_Rules__r, `CA10A1__AWS_WAF_Rule_Groups__r`.arr AS CA10A1__AWS_WAF_Rule_Groups__r, `CA10__AWS_WAF_Web_ACL_Activated_Rules__r`.arr AS CA10__AWS_WAF_Web_ACL_Activated_Rules__r ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsWafWebAcl__c()) AS sObject LEFT JOIN UNNEST(mock_RecordType()) AS `RecordType` ON sObject.RecordTypeId = `RecordType`.Id LEFT JOIN ( SELECT sObject.CA10__webAcl__c, ARRAY_AGG( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__webAcl__c AS CA10__webAcl__c, sObject.Id AS Id, sObject.RecordTypeId AS RecordTypeId, STRUCT ( `RecordType`.Id AS Id ) AS RecordType, process_CA10__AWS_WAF_Rules__r( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__webAcl__c AS CA10__webAcl__c, sObject.Id AS Id, sObject.RecordTypeId AS RecordTypeId, STRUCT ( `RecordType`.Id AS Id ) AS RecordType ), sObject.context.snapshotTime ) as result ) ) AS arr FROM UNNEST(mock_CA10__CaAwsWafRule__c()) AS sObject LEFT JOIN UNNEST(mock_RecordType()) AS `RecordType` ON sObject.RecordTypeId = `RecordType`.Id GROUP BY sObject.CA10__webAcl__c ) AS `CA10__AWS_WAF_Rules__r` ON sObject.Id = `CA10__AWS_WAF_Rules__r`.CA10__webAcl__c LEFT JOIN ( SELECT sObject.CA10A1__webAcl__c, ARRAY_AGG( STRUCT( sObject.CA10A1__disappearanceTime__c AS CA10A1__disappearanceTime__c, sObject.CA10A1__webAcl__c AS CA10A1__webAcl__c, sObject.Id AS Id, sObject.RecordTypeId AS RecordTypeId, STRUCT ( `RecordType`.Id AS Id ) AS RecordType, process_CA10A1__AWS_WAF_Rule_Groups__r( STRUCT( sObject.CA10A1__disappearanceTime__c AS CA10A1__disappearanceTime__c, sObject.CA10A1__webAcl__c AS CA10A1__webAcl__c, sObject.Id AS Id, sObject.RecordTypeId AS RecordTypeId, STRUCT ( `RecordType`.Id AS Id ) AS RecordType ), sObject.context.snapshotTime ) as result ) ) AS arr FROM UNNEST(mock_CA10A1__CaAwsWafRuleGroup__c()) AS sObject LEFT JOIN UNNEST(mock_RecordType()) AS `RecordType` ON sObject.RecordTypeId = `RecordType`.Id GROUP BY sObject.CA10A1__webAcl__c ) AS `CA10A1__AWS_WAF_Rule_Groups__r` ON sObject.Id = `CA10A1__AWS_WAF_Rule_Groups__r`.CA10A1__webAcl__c LEFT JOIN ( SELECT sObject.CA10__webAcl__c, ARRAY_AGG( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__webAcl__c AS CA10__webAcl__c, sObject.Id AS Id, sObject.RecordTypeId AS RecordTypeId, STRUCT ( `RecordType`.Id AS Id ) AS RecordType, process_CA10__AWS_WAF_Web_ACL_Activated_Rules__r( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__webAcl__c AS CA10__webAcl__c, sObject.Id AS Id, sObject.RecordTypeId AS RecordTypeId, STRUCT ( `RecordType`.Id AS Id ) AS RecordType ), sObject.context.snapshotTime ) as result ) ) AS arr FROM UNNEST(mock_CA10__CaAwsWafWebAclActivatedRule__c()) AS sObject LEFT JOIN UNNEST(mock_RecordType()) AS `RecordType` ON sObject.RecordTypeId = `RecordType`.Id GROUP BY sObject.CA10__webAcl__c ) AS `CA10__AWS_WAF_Web_ACL_Activated_Rules__r` ON sObject.Id = `CA10__AWS_WAF_Web_ACL_Activated_Rules__r`.CA10__webAcl__c ) sObject ON sObject.Id = expectedResult.Id;