🛡️ AWS WAF Rule Group has no WAF Rules🟢

• Contextual name: 🛡️ Rule Group has no WAF Rules🟢
• ID: /ce/ca/aws/waf/rule-group-without-rules
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟠🟢
  • 📗 AWS WAF Rule Group
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [WAF.3] AWS WAF Classic Regional rule groups should have at least one rule
• AWS Security Hub: [WAF.7] AWS WAF Classic global rule groups should have at least one rule

Description

Open File

Description

This policy identifies AWS WAF rule groups that contain zero rules. Rule groups are reusable collections of WAF rules that you attach to Web ACLs to standardize request inspection across applications and environments. An empty rule group performs no inspection or filtering and therefore provides no protection.

Rationale

An empty rule group usually indicates an incomplete or abandoned configuration. Retaining unused resources increases configuration drift and can create a false sense of coverage if engineers assume the rule group is active. It also adds operational overhead during reviews and audits.

Audit

This policy flags an AWS WAF Rule Group as INCOMPLIANT if it does not have any associated AWS WAF Rules.

Remediation

Open File

Remediation

Add Rules to the Rule Group

A rule group must contain at least one rule to inspect or filter requests. If the rule group is empty, add rules that define how AWS WAF evaluates requests and applies actions.

Before applying changes to rule groups that are currently in use, validate changes in a staging environment. Then test the updated rules in count mode against production traffic before enforcing actions.

From Console

1. Select the rule group you want to edit. If the rule group is not visible, check the Region setting. For rule groups used with Amazon CloudFront, select the Global (CloudFront) Region.
2. On the rule group page, choose Edit to modify its configuration.
3. Add one or more rules with match conditions such as IP sets, string matches, or rate-based filters, and specify the desired action (Allow, Block, or Count).
4. Save the configuration. The console applies your updates to any Web ACLs using the rule group.
5. If you rename a rule and want the metric name to reflect the change, update the metric name manually in the rule JSON editor. AWS WAF does not automatically synchronize metric names with rule names.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.3] AWS WAF Classic Regional rule groups should have at least one rule			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.7] AWS WAF Classic global rule groups should have at least one rule			1		no data
💼 AWS Well-Architected → 💼 SEC05-BP03 Implement inspection-based protection			3		no data
💼 Cloudaware Framework → 💼 Threat Protection			31		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	63		no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	47		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84		no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			37		no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			45		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			63		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		47		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	63		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		46		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	93		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			37		no data