feat(waf): add new check waf_global_webacl_with_rules #5469

Merged
@@ -0,0 +1,32 @@
{
"Provider": "aws",
"CheckID": "waf_global_webacl_with_rules",
"CheckTitle": "Check if AWS WAF Classic Global WebACL has at least one rule or rule group.",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
],
"ServiceName": "waf",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:waf:account-id:webacl/web-acl-id",
"Severity": "medium",
"ResourceType": "AwsWafWebAcl",
"Description": "Ensure that every AWS WAF Classic Global WebACL contains at least one rule or rule group.",
"Risk": "An empty AWS WAF Classic Global web ACL allows all web traffic to bypass inspection, potentially exposing resources to unauthorized access and attacks.",
"RelatedUrl": "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html",
"Remediation": {
"Code": {
"CLI": "aws waf update-web-acl --web-acl-id <your-web-acl-id> --change-token <your-change-token> --updates '[{\"Action\":\"INSERT\",\"ActivatedRule\":{\"Priority\":1,\"RuleId\":\"<your-rule-id>\",\"Action\":{\"Type\":\"BLOCK\"}}}]' --default-action Type=ALLOW --region <your-region>",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/waf-controls.html#waf-8",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure that every AWS WAF Classic Global web ACL includes at least one rule or rule group to monitor and control web traffic effectively.",
"Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-editing.html"
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
}
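Review bot: The CLI remediation on the `"CLI"` line pins `--default-action Type=ALLOW`, so running it as written against an ACL whose default action is currently BLOCK silently relaxes it to allow-by-default; since this check only requires that a rule be attached, the remediation should leave the default action alone, e.g. drop `--default-action Type=ALLOW` or replace it with `--default-action Type=<your-default-action>`. It would also help to state in `"Notes"` that `--change-token` must come from a fresh `aws waf get-change-token` call immediately before the update, since tokens are single-use. The `"Risk"` text says an empty ACL "allows all web traffic to bypass inspection", but an empty ACL with a BLOCK default drops everything rather than allowing it; "applies only its default action, with no request inspection" would be more accurate.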
@@ -0,0 +1,23 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.waf.waf_client import waf_client


class waf_global_webacl_with_rules(Check):
def execute(self):
findings = []
for acl in waf_client.web_acls.values():
report = Check_Report_AWS(self.metadata())
report.region = acl.region
report.resource_id = acl.id
report.resource_arn = acl.arn
report.resource_tags = acl.tags
report.status = "FAIL"
report.status_extended = f"AWS WAF Global Web ACL {acl.name} does not have any rules or rule groups."

if acl.rules or acl.rule_groups:
report.status = "PASS"
report.status_extended = f"AWS WAF Global Web ACL {acl.name} has at least one rule or rule group."

findings.append(report)

return findings
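Review bot: The PASS branch on the `if acl.rules or acl.rule_groups:` line reports an ACL as compliant as soon as any rule is attached, regardless of each rule's action, so an ACL whose only rules are in COUNT mode is marked PASS although it still lets every request through; that matches the Security Hub WAF.8 wording the metadata cites, but the result text should say so to avoid a false sense of coverage, e.g. `report.status_extended = f"AWS WAF Global Web ACL {acl.name} has at least one rule or rule group (rule actions are not evaluated by this check)."`. A one-line docstring under `def execute(self):` would also help: `"""Flag WAF Classic global web ACLs that have neither rules nor rule groups attached."""`. It is not visible here whether the `waf_client` web ACL model fills `rule_groups` separately from `rules` for GROUP-type activated rules; if it does not, the `or acl.rule_groups` half never fires and the check works only because group activations already appear in `rules`, which is worth confirming against the service model.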