🛡️ AWS WAF Rule Group has no WAF Rules🟢

• Contextual name: 🛡️ Rule Group has no WAF Rules🟢
• ID: /ce/ca/aws/waf/rule-group-without-rules
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟠🟢
  • 📗 AWS WAF Rule Group
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [WAF.3] AWS WAF Classic Regional rule groups should have at least one rule
• AWS Security Hub: [WAF.7] AWS WAF Classic global rule groups should have at least one rule

Description

Open File

Description

This policy identifies AWS WAF Rule Groups that do not contain any rules. A rule group is a reusable collection of rules that can be added to a Web ACL to help manage and apply consistent web request filtering across applications. A rule group without any rules does not perform any inspection or filtering and therefore provides no protection.

Rationale

An empty rule group typically indicates an incomplete configuration or a resource that was created but never fully implemented. Keeping such unused resources can create configuration drift, increase management complexity, and lead to a false sense of security if administrators assume the rule group is active and providing protection when it is not.

Audit

This policy flags an AWS WAF Rule Group as INCOMPLIANT if it does not have any associated AWS WAF Rules.

Remediation

Open File

Remediation

Add Rules to the Rule Group

A rule group must contain at least one rule to filter or inspect web requests. If a rule group is empty, add rules that define how AWS WAF should evaluate and act on incoming requests.

Before applying changes to rule groups that are currently in use, test and tune the configuration in a staging or testing environment to evaluate its impact. Then, test the updated rules in count mode with production traffic before enabling them to enforce actions.

From Console

1. Select the rule group you want to edit.

   • If the rule group is not visible, check the Region setting.
   • For rule groups used with Amazon CloudFront, select the Global (CloudFront) Region.

2. On the rule group page, choose Edit to modify its configuration.

3. Add one or more rules defining match conditions such as IP sets, string matches, or rate-based filters, and specify the desired action (Allow, Block, or Count).

4. Save the configuration. The console automatically applies your updates to any web ACLs using the rule group.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.3] AWS WAF Classic Regional rule groups should have at least one rule			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.7] AWS WAF Classic global rule groups should have at least one rule			1		no data
💼 AWS Well-Architected → 💼 SEC05-BP03 Implement inspection-based protection			3		no data
💼 Cloudaware Framework → 💼 Threat Protection			31		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	48		no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	30		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	50		no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			24		no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			29		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			35		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			48		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		30		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		44		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			95		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	48		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			25		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		29		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	52		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			24		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			25		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			24		no data