Ensure AWS ALB attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
Description
This policy checks whether an AWS Application Load Balancer (ALB) has a WAFv2 Web ACL attached that carries the managed rules needed to mitigate the Log4j vulnerability. The Log4j vulnerability is a critical security risk that can allow attackers to execute arbitrary code on vulnerable systems. To protect against it, the WAF in front of the load balancer must be configured with rules that detect and block the malicious traffic. The rule checks for the presence of two AWS managed rule groups in the Web ACL associated with the ALB: the Anonymous IP list (AWSManagedRulesAnonymousIpList) and the Known Bad Inputs rule set (AWSManagedRulesKnownBadInputsRuleSet).
Code Example
resource "aws_wafv2_web_acl" "example" {
  name        = "example"
  description = "Example WAFv2 WebACL"
  scope       = "REGIONAL"

  # Requests that match no rule are allowed; the managed rule groups below
  # block on match.
  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    # Rules that reference a managed rule group take override_action rather
    # than action. "none" keeps the group's own block actions in effect
    # (a "count" override would only count matches and never block).
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-1"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "rule-2"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-2"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "example" {
  resource_arn = aws_lb.example.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}
Remediation
Attach a WAFv2 WebACL to the ALB (via an aws_wafv2_web_acl_association) whose rules include both AWS managed rule groups needed to mitigate the Log4j vulnerability: AWSManagedRulesAnonymousIpList and AWSManagedRulesKnownBadInputsRuleSet.
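As an added example (not Checkov's own implementation), the following Python models the check's logic over resources already parsed into plain dicts; the dict layout, resource ARNs and helper names are assumptions. It goes one step beyond the page by treating a managed rule group whose override_action is "count" as not enforced, since such a group never blocks.

```python
# Added example (not Checkov's own code): a simplified re-implementation of the
# CKV2_AWS_76 logic over resources already parsed into dicts. The dict layout is
# an assumption. It goes one step beyond the page by treating a managed rule
# group whose override_action is "count" as not enforced.
REQUIRED_RULE_GROUPS = {"AWSManagedRulesAnonymousIpList",
                        "AWSManagedRulesKnownBadInputsRuleSet"}

def enforced_managed_rule_groups(web_acl):
    """Names of AWS managed rule groups whose own actions the web ACL enforces."""
    found = set()
    for rule in web_acl.get("rule", []):
        stmt = rule.get("statement", {}).get("managed_rule_group_statement")
        if not stmt or stmt.get("vendor_name") != "AWS":
            continue
        if "count" in rule.get("override_action", {}):  # count-only: never blocks
            continue
        found.add(stmt["name"])
    return found

def alb_is_protected(alb_arn, associations, web_acls):
    """True if a WAFv2 association binds the ALB to a web ACL with both groups."""
    for assoc in associations:
        if assoc["resource_arn"] != alb_arn:
            continue
        acl = web_acls.get(assoc["web_acl_arn"])
        if acl and REQUIRED_RULE_GROUPS <= enforced_managed_rule_groups(acl):
            return True
    return False

def managed_rule(name, override="none"):
    """Build one rule block in the assumed dict layout."""
    stmt = {"managed_rule_group_statement": {"name": name, "vendor_name": "AWS"}}
    return {"override_action": {override: {}}, "statement": stmt}

# Constructed sample: alb-a has both groups enforced, alb-b has Known Bad Inputs
# in count mode only, alb-c has no web ACL attached at all.
WEB_ACLS = {
    "acl-good": {"rule": [managed_rule("AWSManagedRulesAnonymousIpList"),
                          managed_rule("AWSManagedRulesKnownBadInputsRuleSet")]},
    "acl-count": {"rule": [managed_rule("AWSManagedRulesAnonymousIpList"),
                           managed_rule("AWSManagedRulesKnownBadInputsRuleSet", "count")]},
}
ASSOCIATIONS = [{"resource_arn": "alb-a", "web_acl_arn": "acl-good"},
                {"resource_arn": "alb-b", "web_acl_arn": "acl-count"}]

def evaluate(alb_arns=("alb-a", "alb-b", "alb-c")):
    """Map each ALB to PASSED/FAILED the way a scanner reports it."""
    return {arn: "PASSED" if alb_is_protected(arn, ASSOCIATIONS, WEB_ACLS)
            else "FAILED" for arn in alb_arns}
```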
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0509 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | aws_alb, aws_lb, aws_wafv2_web_acl |
| Checkov ID | CKV2_AWS_76 |