mirror of
https://github.com/prowler-cloud/prowler.git
synced 2025-12-18 21:07:48 +00:00
chore(aws): enhance metadata for wafv2 service (#9481)
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
This commit is contained in:
committed by
GitHub
parent
15eac061fc
commit
d15dd53708
@@ -20,6 +20,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update AWS SNS service metadata to new format [(#9428)](https://github.com/prowler-cloud/prowler/pull/9428)
|
||||
- Update AWS Trusted Advisor service metadata to new format [(#9435)](https://github.com/prowler-cloud/prowler/pull/9435)
|
||||
- Update AWS WAF service metadata to new format [(#9480)](https://github.com/prowler-cloud/prowler/pull/9480)
|
||||
- Update AWS WAF v2 service metadata to new format [(#9481)](https://github.com/prowler-cloud/prowler/pull/9481)
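Review bot: the new entry spells the service "AWS WAF v2" while the check titles changed in this same PR use "AWS WAFv2" and the ServiceName field is `wafv2`; use one spelling (`WAFv2` matches the service directory) so the changelog stays searchable against the check metadata.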
@@ -1,28 +1,35 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "wafv2_webacl_logging_enabled",
|
||||
"CheckTitle": "Check if AWS WAFv2 WebACL logging is enabled",
|
||||
"CheckTitle": "AWS WAFv2 Web ACL has logging enabled",
|
||||
"CheckType": [
|
||||
"Logging and Monitoring"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
|
||||
],
|
||||
"ServiceName": "wafv2",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:wafv2:region:account-id:webacl/webacl-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsWafv2WebAcl",
|
||||
"Description": "Check if AWS WAFv2 logging is enabled",
|
||||
"Risk": "Enabling AWS WAFv2 logging helps monitor and analyze traffic patterns for enhanced security.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/logging.html",
|
||||
"Description": "**AWS WAFv2 Web ACLs** with **logging** capture details of inspected requests and rule evaluations. The assessment determines for each Web ACL whether logging is configured to record traffic analyzed by that ACL.",
|
||||
"Risk": "Without **WAF logging**, visibility into allowed/blocked requests is lost, degrading detection and response. **SQLi**, **credential stuffing**, and **bot/DDoS probes** can go unnoticed, risking data exposure (C), undetected rule misuse (I), and service instability from unseen abuse (A).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/WAF/enable-web-acls-logging.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-11",
|
||||
"https://docs.aws.amazon.com/cli/latest/reference/wafv2/put-logging-configuration.html",
|
||||
"https://docs.aws.amazon.com/waf/latest/developerguide/logging.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws wafv2 update-web-acl-logging-configuration --scope REGIONAL --web-acl-arn arn:partition:wafv2:region:account-id:webacl/webacl-id --logging-configuration '{\"LogDestinationConfigs\": [\"arn:partition:logs:region:account-id:log-group:log-group-name\"]}'",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_33#terraform",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-11",
|
||||
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/WAF/enable-web-acls-logging.html"
|
||||
"CLI": "aws wafv2 put-logging-configuration --logging-configuration ResourceArn=<WEB_ACL_ARN>,LogDestinationConfigs=<DESTINATION_ARN>",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: Enable logging for a WAFv2 Web ACL\nResources:\n <example_resource_name>:\n Type: AWS::WAFv2::LoggingConfiguration\n Properties:\n ResourceArn: arn:aws:wafv2:<region>:<account-id>:regional/webacl/<example_resource_name>/<example_resource_id> # CRITICAL: target Web ACL to log\n LogDestinationConfigs: # CRITICAL: where logs are sent\n - arn:aws:logs:<region>:<account-id>:log-group:aws-waf-logs-<example_resource_name>\n```",
|
||||
"Other": "1. In the AWS Console, go to AWS WAF & Shield > Web ACLs\n2. Select the target Web ACL\n3. Open the Logging and metrics (or Logging) section and click Enable logging\n4. Choose a log destination (CloudWatch Logs log group, S3 bucket, or Kinesis Data Firehose)\n5. Click Save to enable logging",
|
||||
"Terraform": "```hcl\n# Enable logging for a WAFv2 Web ACL\nresource \"aws_wafv2_web_acl_logging_configuration\" \"<example_resource_name>\" {\n resource_arn = \"<example_resource_arn>\" # CRITICAL: target Web ACL ARN\n log_destination_configs = [\"<example_destination_arn>\"] # CRITICAL: log destination ARN\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable AWS WAFv2 logging for your Web ACLs to monitor and analyze traffic patterns effectively.",
|
||||
"Url": "https://docs.aws.amazon.com/waf/latest/developerguide/logging.html"
|
||||
"Text": "Enable **logging** on all WAFv2 Web ACLs to a centralized destination. Apply **least privilege** for log delivery, **redact sensitive fields**, and filter to retain high-value events. Integrate with monitoring/SIEM for **alerting and correlation**, and review routinely as part of **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/wafv2_webacl_logging_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [
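Review bot: the new `NativeIaC` block relies on the `aws-waf-logs-` name prefix in `arn:aws:logs:<region>:<account-id>:log-group:aws-waf-logs-<example_resource_name>` without saying why, and the `CLI` and `Terraform` remediations use bare `<DESTINATION_ARN>` / `<example_destination_arn>` placeholders; AWS WAF rejects a log group, S3 bucket or Firehose delivery stream whose name does not start with `aws-waf-logs-`, so add a one-line comment to each remediation (for example `# destination name must begin with aws-waf-logs-`), otherwise a reader who pastes in an existing log group ARN gets a failure at apply time and the finding stays open. Minor: `ResourceIdTemplate` goes from the full ARN template to `""` while `ResourceType` keeps `AwsWafv2WebAcl`; if the new format intentionally drops the template, a note in the PR description would help reviewers of the other wafv2 checks.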
@@ -1,28 +1,35 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "wafv2_webacl_rule_logging_enabled",
|
||||
"CheckTitle": "Check if AWS WAFv2 WebACL rule or rule group has Amazon CloudWatch metrics enabled.",
|
||||
"CheckTitle": "AWS WAFv2 Web ACL has Amazon CloudWatch metrics enabled for all rules and rule groups",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
|
||||
],
|
||||
"ServiceName": "wafv2",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:wafv2:region:account-id:webacl/webacl-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsWafv2RuleGroup",
|
||||
"Description": "This control checks whether an AWS WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled.",
|
||||
"Risk": "Without CloudWatch Metrics enabled on AWS WAF rules or rule groups, it's challenging to monitor traffic flow effectively. This reduces visibility into potential security threats, such as malicious activities or unusual traffic patterns.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/waf/latest/APIReference/API_UpdateRuleGroup.html",
|
||||
"ResourceType": "AwsWafv2WebAcl",
|
||||
"Description": "**AWS WAFv2 Web ACLs** are assessed to confirm that every associated **rule** and **rule group** has **CloudWatch metrics** enabled for visibility into rule evaluations and traffic",
|
||||
"Risk": "Absent **CloudWatch metrics**, WAF telemetry is lost, masking spikes, rule bypasses, and misconfigurations. This delays detection of SQLi/XSS probes and bot floods, risking data confidentiality, request integrity, and application availability.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233644-ensure-aws-wafv2-webacl-rule-or-rule-group-has-amazon-cloudwatch-metrics-enabled",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-12"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws wafv2 update-rule-group --id <rule-group-id> --scope <scope> --name <rule-group-name> --cloudwatch-metrics-enabled true",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-12",
|
||||
"Terraform": ""
|
||||
"CLI": "",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: Enable CloudWatch metrics on WAFv2 Web ACL rules\nResources:\n <example_resource_name>:\n Type: AWS::WAFv2::WebACL\n Properties:\n Name: <example_resource_name>\n Scope: REGIONAL\n DefaultAction:\n Allow: {}\n VisibilityConfig:\n SampledRequestsEnabled: true\n CloudWatchMetricsEnabled: true\n MetricName: <metric_name>\n Rules:\n - Name: <example_rule_name>\n Priority: 1\n Statement:\n ManagedRuleGroupStatement:\n VendorName: AWS\n Name: AWSManagedRulesCommonRuleSet\n OverrideAction:\n None: {}\n VisibilityConfig:\n SampledRequestsEnabled: true\n CloudWatchMetricsEnabled: true # Critical: enables CloudWatch metrics for this rule\n MetricName: <rule_metric_name> # Required with CloudWatch metrics\n```",
|
||||
"Other": "1. In AWS Console, go to AWS WAF & Shield > Web ACLs, select the Web ACL\n2. Open the Rules tab, edit each rule, and enable CloudWatch metrics (Visibility configuration > CloudWatch metrics enabled), then Save\n3. For rule groups: go to AWS WAF & Shield > Rule groups, select the rule group, edit Visibility configuration, enable CloudWatch metrics, then Save",
|
||||
"Terraform": "```hcl\n# Terraform: Enable CloudWatch metrics on WAFv2 Web ACL rules\nresource \"aws_wafv2_web_acl\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n scope = \"REGIONAL\"\n\n default_action { allow {} }\n\n visibility_config {\n cloudwatch_metrics_enabled = true\n metric_name = \"<metric_name>\"\n sampled_requests_enabled = true\n }\n\n rule {\n name = \"<example_rule_name>\"\n priority = 1\n\n statement {\n managed_rule_group_statement {\n vendor_name = \"AWS\"\n name = \"AWSManagedRulesCommonRuleSet\"\n }\n }\n\n override_action { none {} }\n\n visibility_config {\n cloudwatch_metrics_enabled = true # Critical: enables CloudWatch metrics for this rule\n metric_name = \"<rule_metric_name>\" # Required with CloudWatch metrics\n sampled_requests_enabled = true\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure that CloudWatch Metrics are enabled for AWS WAF rules and rule groups. This provides detailed insights into traffic, enabling timely identification of security risks.",
|
||||
"Url": "https://docs.aws.amazon.com/waf/latest/APIReference/API_UpdateWebACL.html"
|
||||
"Text": "Enable **CloudWatch metrics** for all WAF rules and rule groups (*including managed rule groups*). Use consistent metric names, centralize dashboards and alerts, and review trends to validate rule efficacy. Integrate with a SIEM for **defense in depth** and tune rules based on telemetry.",
|
||||
"Url": "https://hub.prowler.com/check/wafv2_webacl_rule_logging_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [
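Review bot: the `CLI` field goes from a command that cannot run (`--cloudwatch-metrics-enabled` is not an option of `aws wafv2 update-rule-group`) to an empty string; leaving it empty is defensible because `update-web-acl` and `update-rule-group` both require the full `--rules` list and a `--lock-token`, but the `Other` steps should then say that metrics are set in each rule's `VisibilityConfig` so the reader knows which API field to change. The new `NativeIaC` and `Terraform` examples only cover rules inside a Web ACL, while the `CheckTitle` and step 3 of `Other` also cover standalone rule groups; either add an `AWS::WAFv2::RuleGroup` / `aws_wafv2_rule_group` example with `CloudWatchMetricsEnabled: true` or note that the Web ACL example applies to the rule-group `VisibilityConfig` as well. Style: the new `Description` sentence has no terminating period, unlike the other two checks in this PR.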
@@ -1,31 +1,40 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "wafv2_webacl_with_rules",
|
||||
"CheckTitle": "Check if AWS WAFv2 WebACL has at least one rule or rule group.",
|
||||
"CheckTitle": "AWS WAFv2 Web ACL has at least one rule or rule group attached",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
|
||||
],
|
||||
"ServiceName": "wafv2",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:wafv2:region:account-id:webacl/webacl-id",
|
||||
"Severity": "medium",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsWafv2WebAcl",
|
||||
"Description": "Check if AWS WAFv2 WebACL has at least one rule or rule group associated with it.",
|
||||
"Risk": "An empty AWS WAF web ACL allows all web traffic to pass without inspection or control, exposing resources to potential security threats and attacks.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html",
|
||||
"Description": "**AWS WAFv2 web ACLs** are evaluated for the presence of at least one configured **rule** or **rule group** that defines how HTTP(S) requests are inspected and acted upon.",
|
||||
"Risk": "Without rules, traffic is governed only by the web ACL `DefaultAction`, often allowing requests without inspection. This increases risks to **confidentiality** (data exfiltration via injection), **integrity** (XSS/parameter tampering), and **availability** (layer-7 DDoS, bot abuse).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-editing.html",
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-10",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233642-ensure-aws-wafv2-webacl-has-at-least-one-rule-or-rule-group"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws wafv2 update-web-acl --id <web-acl-id> --scope <scope> --default-action <default-action> --rules <rules>",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/aws/networking-policies/bc_aws_networking_64/",
|
||||
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-10",
|
||||
"Terraform": ""
|
||||
"CLI": "",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: Add at least one rule to the WAFv2 WebACL\nResources:\n <example_resource_name>:\n Type: AWS::WAFv2::WebACL\n Properties:\n Scope: REGIONAL\n DefaultAction:\n Allow: {}\n VisibilityConfig:\n SampledRequestsEnabled: true\n CloudWatchMetricsEnabled: true\n MetricName: <example_resource_name>\n Rules: # CRITICAL: Adding any rule/rule group here fixes the finding by making the Web ACL non-empty\n - Name: <example_rule_name>\n Priority: 0\n Statement:\n ManagedRuleGroupStatement:\n VendorName: AWS\n Name: AWSManagedRulesCommonRuleSet # Uses an AWS managed rule group\n OverrideAction:\n Count: {} # Non-blocking to minimize impact\n VisibilityConfig:\n SampledRequestsEnabled: true\n CloudWatchMetricsEnabled: true\n MetricName: <example_rule_name>\n```",
|
||||
"Other": "1. In the AWS Console, go to AWS WAF\n2. Open Web ACLs and select the failing Web ACL\n3. Go to the Rules tab and click Add rules\n4. Choose Add managed rule group, select AWS > AWSManagedRulesCommonRuleSet\n5. Set action to Count (to avoid blocking), then Add rule and Save\n6. Verify the Web ACL now shows at least one rule",
|
||||
"Terraform": "```hcl\n# Terraform: Ensure the WAFv2 Web ACL has at least one rule\nresource \"aws_wafv2_web_acl\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n scope = \"REGIONAL\"\n\n default_action {\n allow {}\n }\n\n visibility_config {\n cloudwatch_metrics_enabled = true\n metric_name = \"<example_resource_name>\"\n sampled_requests_enabled = true\n }\n\n rule { # CRITICAL: Presence of this rule makes the Web ACL non-empty and passes the check\n name = \"<example_rule_name>\"\n priority = 0\n statement {\n managed_rule_group_statement {\n name = \"AWSManagedRulesCommonRuleSet\"\n vendor_name = \"AWS\" # Minimal managed rule group\n }\n }\n override_action { count {} } # Non-blocking\n visibility_config {\n cloudwatch_metrics_enabled = true\n metric_name = \"<example_rule_name>\"\n sampled_requests_enabled = true\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure that each AWS WAF web ACL contains at least one rule or rule group to effectively manage and inspect incoming HTTP(S) web requests.",
|
||||
"Url": "https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-editing.html"
|
||||
"Text": "Populate each web ACL with targeted rules or managed rule groups to enforce least-privilege web access: cover common exploits (SQLi/XSS), IP reputation, and rate limits, scoped to your apps. Use a conservative `DefaultAction`, monitor metrics/logs, and continually tune-supporting **defense in depth** and **zero trust**.",
|
||||
"Url": "https://hub.prowler.com/check/wafv2_webacl_with_rules"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"internet-exposed"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
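Review bot: `Severity` goes from `medium` to `high` and `Categories` gains `internet-exposed`; these change how the finding is ranked and filtered by consumers, which is more than a "metadata to new format" update, so the CHANGELOG entry for #9481 should mention the severity change. The `NativeIaC` and `Terraform` examples both attach `AWSManagedRulesCommonRuleSet` with `OverrideAction: Count` and `DefaultAction: Allow`, which makes the Web ACL non-empty and passes the check but still lets every request through; the `# Non-blocking to minimize impact` comment should say that `Count` is a tuning phase and that the rule group is expected to move to its native block action once false positives are reviewed, otherwise the remediation contradicts the new `Recommendation.Text` ("Use a conservative `DefaultAction`"). Typo in `Recommendation.Text`: "continually tune-supporting **defense in depth**" should read "continually tune, supporting **defense in depth**".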