Control: A WAFV2 web ACL should have at least one rule or rule group
Description
This control checks whether a WAFV2 web access control list (web ACL) contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.wafv2_web_acl_rule_attachedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.wafv2_web_acl_rule_attached --shareSQL
This control uses a named query:
with rule_group_count as ( select arn, count(*) as rule_group_count from aws_wafv2_web_acl, jsonb_array_elements(rules) as r where r -> 'Statement' -> 'RuleGroupReferenceStatement' ->> 'ARN' is not null group by arn)select a.arn as resource, case when rules is null or jsonb_array_length(rules) = 0 then 'alarm' else 'ok' end as status, case when rules is null or jsonb_array_length(rules) = 0 then title || ' has no attached rules.' else title || ' has ' || c.rule_group_count || ' rule group(s) and ' || (jsonb_array_length(rules) - c.rule_group_count) || ' rule(s) attached.' end as reason , region, account_idfrom aws_wafv2_web_acl as a left join rule_group_count as c on c.arn = a.arn;