turbot/steampipe-mod-azure-compliance

Control: 7.10 Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway

Description

Azure Web Application Firewall helps protect applications from common exploits and attacks by inspecting and filtering incoming traffic.

Using Azure Web Application Firewall with Azure Application Gateway reduces exposure to external threats by mitigating attacks on public facing applications.

Remediation

Note: Basic tier application gateways cannot be upgraded to the WAF V2 tier. Create a new WAF V2 tier application gateway to replace a Basic tier application gateway.

Remediate from Azure Portal

To remediate a Standard V2 tier application gateway:

  1. Go to Application gateways.
  2. Click Add filter.
  3. From the Filter drop-down menu, select SKU size.
  4. Check the box next to Standard_v2 only.
  5. Click Apply.
  6. Click the name of an application gateway.
  7. Under Settings, click Web application firewall.
  8. Under Configure, next to Tier, click WAF V2.
  9. Select an existing or create a new WAF policy.
  10. Click Save.
  11. Repeat steps 1-10 for each Standard V2 tier application gateway requiring remediation.

Default Value

Azure Web Application Firewall is enabled by default for the WAF V2 tier of Azure Application Gateway. It is not available in the Basic tier. Application gateways deployed using the Standard V2 tier can be upgraded to the WAF V2 tier to enable Azure Web Application Firewall.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_7_10

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_7_10 --share

SQL

This control uses a named query:

select
  ag.id as resource,
  case
    when ag.web_application_firewall_configuration is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when ag.web_application_firewall_configuration is not null then ag.name || ' WAF enabled.'
    else ag.name || ' WAF disabled.'
  end as reason,
  ag.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_application_gateway as ag
  left join azure_subscription as sub on sub.subscription_id = ag.subscription_id;
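The following is an added example, not code from the mod or its query. It re-implements the condition the query above evaluates (a non-null WAF configuration object means 'ok') over constructed Application Gateway records shaped like the ARM resource (properties.sku.tier, properties.webApplicationFirewallConfiguration, properties.firewallPolicy), and alongside it a stricter check a practitioner may want: the legacy configuration object carries an enabled flag, so a gateway whose block is present but set to false passes the query's null test, while a WAF_v2 gateway whose protection comes from an attached WAF policy may carry no legacy block at all. All resource names and IDs are hypothetical, and the assumption that a policy-managed gateway has no legacy configuration block is part of the constructed sample, not something the page states.

```python
"""Evaluate the CIS 7.10 WAF condition over Application Gateway records.

Added example, not part of the steampipe-mod-azure-compliance project.
The records below are constructed to mirror the ARM resource shape; they
are not real resources and the IDs are hypothetical.
"""
from typing import Any, Callable

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
AGW = SUB + "/resourceGroups/rg-web/providers/Microsoft.Network/applicationGateways/"
POL = SUB + "/resourceGroups/rg-web/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/"

# Constructed sample resources (hypothetical names and IDs).
GATEWAYS: list[dict[str, Any]] = [
    {   # WAF_v2 with the legacy in-gateway WAF configuration enabled
        "id": AGW + "agw-legacy",
        "name": "agw-legacy",
        "properties": {
            "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
            "webApplicationFirewallConfiguration": {
                "enabled": True, "firewallMode": "Prevention",
                "ruleSetType": "OWASP", "ruleSetVersion": "3.2",
            },
        },
    },
    {   # WAF_v2 protected through an attached WAF policy; assumed to carry
        # no legacy configuration block (assumption of this sample)
        "id": AGW + "agw-policy",
        "name": "agw-policy",
        "properties": {
            "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
            "firewallPolicy": {"id": POL + "wafpol-prod"},
        },
    },
    {   # WAF_v2 whose legacy configuration block is present but switched off
        "id": AGW + "agw-off",
        "name": "agw-off",
        "properties": {
            "sku": {"name": "WAF_v2", "tier": "WAF_v2"},
            "webApplicationFirewallConfiguration": {"enabled": False, "firewallMode": "Detection"},
        },
    },
    {   # Standard_v2: no WAF capability at all
        "id": AGW + "agw-std",
        "name": "agw-std",
        "properties": {"sku": {"name": "Standard_v2", "tier": "Standard_v2"}},
    },
]


def query_status(gw: dict[str, Any]) -> str:
    """The control's own condition: configuration object present -> 'ok', else 'alarm'."""
    cfg = gw["properties"].get("webApplicationFirewallConfiguration")
    return "ok" if cfg is not None else "alarm"


def strict_status(gw: dict[str, Any]) -> str:
    """Stricter variant: WAF_v2 tier and WAF actually active.

    Active means the legacy block exists with enabled=true, or a WAF policy
    is attached via firewallPolicy.id.
    """
    props = gw["properties"]
    tier = props.get("sku", {}).get("tier")
    cfg = props.get("webApplicationFirewallConfiguration") or {}
    policy = props.get("firewallPolicy") or {}
    active = bool(cfg.get("enabled")) or bool(policy.get("id"))
    return "ok" if tier == "WAF_v2" and active else "alarm"


def reason(gw: dict[str, Any], status: str) -> str:
    """Reason text in the same form the query emits."""
    return gw["name"] + (" WAF enabled." if status == "ok" else " WAF disabled.")


def evaluate(gateways: list[dict[str, Any]],
             check: Callable[[dict[str, Any]], str] = query_status) -> dict[str, str]:
    """Map gateway name -> status under the chosen check."""
    return {gw["name"]: check(gw) for gw in gateways}


if __name__ == "__main__":
    for gw in GATEWAYS:
        q, s = query_status(gw), strict_status(gw)
        print(f"{gw['name']:<12} query={q:<5} strict={s:<5} {reason(gw, s)}")
```

Run stand-alone, the script shows the two checks disagreeing on agw-policy (no legacy block, so the query alarms even though a policy is attached) and on agw-off (block present but disabled, so the query reports ok). Whether either disagreement occurs against live data depends on how the steampipe column is populated for policy-managed gateways; the query itself is the page's stated condition, and the stricter function is the added refinement.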

Tags