Ensure AWS API Gateway Rest API attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
Description
This policy checks whether an AWS API Gateway Rest API has a WAFv2 WebACL attached and configured with the necessary rules to mitigate Log4j vulnerabilities. The Log4j vulnerability is a critical security risk that can allow attackers to execute arbitrary code on vulnerable systems. It is essential to ensure that the WAFv2 WebACL is properly configured to detect and prevent such attacks. The rule checks for the presence of the 'AWSManagedRulesAnonymousIpList' and 'AWSManagedRulesKnownBadInputsRuleSet' managed rule groups in the WAFv2 WebACL.
Code Example
```terraform
resource "aws_wafv2_web_acl" "example" {
  name        = "example"
  description = "Example WAFv2 WebACL"
  scope       = "REGIONAL"

  # Requests matched by no rule are allowed; the managed rule groups below
  # block what they flag.
  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1
    # Managed rule groups take override_action rather than action; "none"
    # keeps the group's own block actions instead of downgrading them to count.
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "rule-1"
      sampled_requests_enabled   = false
    }
  }

  rule {
    name     = "rule-2"
    priority = 2
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "rule-2"
      sampled_requests_enabled   = false
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "example"
    sampled_requests_enabled   = false
  }
}

resource "aws_api_gateway_rest_api" "example" {
  name        = "example"
  description = "Example API Gateway Rest API"
}

# A stage needs a deployment, and a deployment needs at least one method.
resource "aws_api_gateway_method" "example" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  resource_id   = aws_api_gateway_rest_api.example.root_resource_id
  http_method   = "GET"
  authorization = "NONE"
}

resource "aws_api_gateway_integration" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  resource_id = aws_api_gateway_rest_api.example.root_resource_id
  http_method = aws_api_gateway_method.example.http_method
  type        = "MOCK"
}

resource "aws_api_gateway_deployment" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  depends_on  = [aws_api_gateway_integration.example]
}

resource "aws_api_gateway_stage" "example" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  deployment_id = aws_api_gateway_deployment.example.id
  stage_name    = "example"
}

resource "aws_wafv2_web_acl_association" "example" {
  resource_arn = aws_api_gateway_stage.example.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}
```
Remediation
Attach a WAFv2 WebACL to the API Gateway Rest API and configure it with the 'AWSManagedRulesAnonymousIpList' and 'AWSManagedRulesKnownBadInputsRuleSet' managed rule groups.
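The following is an added illustration of the evaluation logic this policy describes, written for this page and not taken from Checkov's own CKV2_AWS_77 implementation. It walks a simplified dictionary form of the Terraform resources (the dict shape, the `evaluate` function and the constructed sample resources are assumptions for this example, not python-hcl2's or Checkov's output), resolves each `aws_api_gateway_stage` to the web ACL associated with it, and reports which required managed rule groups are missing, so a stage with no association, or an ACL carrying only one of the two groups, fails the way the policy says it should.

```python
"""Added example: evaluate parsed Terraform resources for the control above.

Not Checkov's implementation; the resource dict shape is a simplification
assumed for this illustration.
"""

REQUIRED_RULE_GROUPS = frozenset({
    "AWSManagedRulesAnonymousIpList",
    "AWSManagedRulesKnownBadInputsRuleSet",
})


def managed_rule_groups(web_acl):
    """Names of the AWS-vendored managed rule groups referenced by an ACL's rules."""
    groups = set()
    for rule in web_acl.get("rule", []):
        stmt = rule.get("statement", {}).get("managed_rule_group_statement")
        if stmt and stmt.get("vendor_name") == "AWS":
            groups.add(stmt["name"])
    return groups


def missing_rule_groups(web_acl):
    """Required Log4j-mitigation rule groups the web ACL does not reference."""
    return REQUIRED_RULE_GROUPS - managed_rule_groups(web_acl)


def _address(reference):
    """'aws_api_gateway_stage.example.arn' -> 'aws_api_gateway_stage.example'."""
    return ".".join(reference.split(".")[:2])


def evaluate(resources):
    """Return {stage_address: verdict} for every aws_api_gateway_stage.

    resources maps a Terraform resource type to {resource_name: config}.
    A stage passes only if an aws_wafv2_web_acl_association points at it and
    the associated web ACL references both required managed rule groups.
    """
    acls = resources.get("aws_wafv2_web_acl", {})
    stages = resources.get("aws_api_gateway_stage", {})
    associations = resources.get("aws_wafv2_web_acl_association", {})

    # Stage address -> web ACL address, taken from the association resources.
    attached = {
        _address(conf["resource_arn"]): _address(conf["web_acl_arn"])
        for conf in associations.values()
    }

    verdicts = {}
    for stage_name in stages:
        stage_addr = f"aws_api_gateway_stage.{stage_name}"
        acl_addr = attached.get(stage_addr)
        if acl_addr is None:
            verdicts[stage_addr] = "FAILED: no WAFv2 WebACL association"
            continue
        acl = acls.get(acl_addr.split(".")[1])
        if acl is None:
            verdicts[stage_addr] = f"FAILED: {acl_addr} not found"
            continue
        missing = missing_rule_groups(acl)
        if missing:
            verdicts[stage_addr] = "FAILED: missing " + ", ".join(sorted(missing))
        else:
            verdicts[stage_addr] = "PASSED"
    return verdicts


def _amr_rule(name, priority):
    """Build a rule entry referencing one AWS managed rule group."""
    return {
        "name": f"rule-{priority}",
        "priority": priority,
        "statement": {"managed_rule_group_statement": {"name": name, "vendor_name": "AWS"}},
    }


# Constructed sample input (not real infrastructure): one compliant ACL, one
# ACL missing the KnownBadInputs group, and three stages in different states.
SAMPLE_RESOURCES = {
    "aws_wafv2_web_acl": {
        "full": {"rule": [_amr_rule("AWSManagedRulesAnonymousIpList", 1),
                          _amr_rule("AWSManagedRulesKnownBadInputsRuleSet", 2)]},
        "partial": {"rule": [_amr_rule("AWSManagedRulesAnonymousIpList", 1)]},
    },
    "aws_api_gateway_stage": {"prod": {}, "staging": {}, "dev": {}},
    "aws_wafv2_web_acl_association": {
        "prod": {"resource_arn": "aws_api_gateway_stage.prod.arn",
                 "web_acl_arn": "aws_wafv2_web_acl.full.arn"},
        "staging": {"resource_arn": "aws_api_gateway_stage.staging.arn",
                    "web_acl_arn": "aws_wafv2_web_acl.partial.arn"},
    },
}

if __name__ == "__main__":
    for stage, verdict in evaluate(SAMPLE_RESOURCES).items():
        print(f"{stage}: {verdict}")
```

Run as a script, the sample reports `prod` as PASSED, `staging` as failing for the missing `AWSManagedRulesKnownBadInputsRuleSet`, and `dev` as failing for having no association at all. Resolving the stage through the association resource, rather than only inspecting the ACL, is what makes the check match the policy wording: an ACL with both rule groups that is not attached to the stage protects nothing.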
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0510 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | aws_api_gateway_stage, aws_apigatewayv2_api, aws_wafv2_web_acl |
| Checkov ID | CKV2_AWS_77 |