🛡️ AWS WAF Web ACL has no WAF Rules or WAF Rule Groups🟢

• Contextual name: 🛡️ Web ACL has no WAF Rules or WAF Rule Groups🟢
• ID: /ce/ca/aws/waf/web-acl-without-rules
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟠🟢
  • 📗 AWS WAF Web ACL
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group
• AWS Security Hub: [WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group
• AWS Security Hub: [WAF.10] AWS WAF web ACLs should have at least one rule or rule group

Description

Open File

Description

This policy identifies AWS WAF Web ACLs that do not have any associated rules or rule groups. Such Web ACLs are not actively enforcing security controls and may leave web applications unprotected.

Rationale

Web ACLs are a key part of AWS WAF security. They examine incoming web requests and take actions based on defined rules, such as allowing, blocking, or counting requests. When a Web ACL has no rules or rule groups, it does not inspect any traffic. As a result, the web applications associated with that Web ACL remain unprotected.

Ensuring that every Web ACL has at least one active rule or rule group helps maintain consistent security coverage and prevents gaps in protection.

Audit

This policy flags an AWS WAF Web ACL as INCOMPLIANT if it does not have any associated AWS WAF Rules, AWS WAF Rule Groups, or AWS WAF Web ACL Activated Rule

Remediation

Open File

Remediation

Add Rules to the Web ACL

A Web ACL must have at least one rule or rule group to provide effective protection. If a Web ACL currently has no rules, you need to add rules to enforce security policies and filter web traffic.

Testing and deployment: Before making changes in production, test them in a staging environment to understand their impact. Once you are confident, use count mode with production traffic to monitor the effect of the rules before enabling full enforcement. This approach helps prevent unintended disruptions to live traffic.

Note: Using more than 1,500 WCUs in a Web ACL incurs costs beyond the basic Web ACL price.

From Console

1. In the navigation pane, choose Resources & protection packs (web ACLs).

2. Select the Web ACL you want to edit. The main Web ACL card will become editable, and a side pane will open with additional details you can modify.

3. Add or remove rules as needed, or make other configuration changes. While updating a Web ACL, AWS WAF continues to provide coverage to the resources associated with it.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.10] AWS WAF web ACLs should have at least one rule or rule group			1		no data
💼 AWS Well-Architected → 💼 SEC05-BP03 Implement inspection-based protection			3		no data
💼 Cloudaware Framework → 💼 Threat Protection			31		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	48		no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	30		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	50		no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			24		no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			29		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			35		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			48		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		30		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		44		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			95		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	48		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			25		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		29		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	52		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			24		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			25		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			24		no data