🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 2 AWS WAF Classic Regional rules should have at least one condition

Description

This control checks whether an AWS WAF Regional rule has at least one condition. The control fails if no conditions are present within a rule.

A WAF Regional rule can contain multiple conditions. The rule's conditions allow for traffic inspection and take a defined action (allow, block, or count). Without any conditions, the traffic passes without inspection. A WAF Regional rule with no conditions, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.

Remediation

To add a condition to an empty rule, see Adding and removing conditions in a rule in the AWS WAF Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_waf_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_waf_2 --share

SQL

This control uses a named query:

select
  rule_id as resource,
  case
    when predicates is null or jsonb_array_length(predicates) = 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when predicates is null or jsonb_array_length(predicates) = 0 then title || ' has no attached conditions.'
    else title || ' has ' || jsonb_array_length(predicates) || ' condition(s) attached.'
  end as reason
  , region, account_id
from
  aws_wafregional_rule;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_network_configuration
foundational_security_item_id = waf_2
plugin = aws
service = AWS/WAF