Control: 7 AWS WAF Classic global rule groups should have at least one rule
Description
This control checks whether an AWS WAF global rule group has at least one rule. The control fails if no rules are present within a rule group.
A WAF global rule group can contain multiple rules. The rule's conditions allow for traffic inspection and take a defined action (allow, block, or count). Without any rules, the traffic passes without inspection. A WAF global rule group with no rules, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.
Remediation
To remediate this issue, update your WAF rule group to add atleast one rule.
To encrypt an unencrypted SNS topic
- Open the Amazon WAF console.
- In the navigation pane, choose
Rule groups
. - Choose the name of the rule group to update.
- Choose
Edit
. - If you have already created the rules that you want to add to the rule group, choose Use existing rules for this rule group . If you want to create new rules to add to the rule group, choose Create rules and conditions for this rule group.
- Choose Next.
- If you chose to create rules, follow the steps to create them at Creating a rule and adding conditions. When you've created all the rules you need, go to the next step.
- To add a rule to the rule group, select a rule then choose Add rule. Choose whether to allow, block, or count requests that match the rule's conditions. For more information on the choices, see How AWS WAF Classic works.
- When you're finished adding conditions, choose Save.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_waf_7
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_waf_7 --share
SQL
This control uses a named query:
waf_rule_group_rule_attached