Ensure AWS AppSync attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
Description
This policy checks whether an AWS AppSync GraphQL API has a WAFv2 web ACL attached (through an aws_wafv2_web_acl_association) that is configured with the AWS managed rule groups needed to mitigate the Log4j vulnerability (Log4Shell, CVE-2021-44228). That vulnerability allows remote code execution when an attacker-controlled string in a request header or body is logged by a vulnerable Log4j and triggers a JNDI lookup, so a GraphQL endpoint is a natural target. AWSManagedRulesKnownBadInputsRuleSet carries the signatures for those exploit patterns, and AWSManagedRulesAnonymousIpList drops traffic from VPNs, proxies, Tor exit nodes and hosting providers that are commonly used to launch mass scans. The rule checks only for the presence of both managed rule groups in the web ACL; it does not inspect the override action, so a rule group set to override_action count will pass the check while merely logging matches instead of blocking them.
Code Example
```terraform
resource "aws_appsync_graphql_api" "example" {
  name                = "example"
  authentication_type = "API_KEY"
}

resource "aws_wafv2_web_acl" "example" {
  name        = "example"
  description = "example"
  scope       = "REGIONAL"

  # Required: requests that match no rule are allowed; the managed rule
  # groups below block on match.
  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    # A managed rule group takes override_action, not action. "none" keeps
    # the group's own block actions; "count" would only record matches.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"
      }
    }

    # Each rule needs its own visibility_config; metrics and sampled
    # requests are what you will use to investigate blocked traffic.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesAnonymousIpList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "rule-2"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesKnownBadInputsRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "example" {
  resource_arn = aws_appsync_graphql_api.example.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}
```

Remediation
Attach a WAFv2 WebACL to the AWS AppSync GraphQL API with an aws_wafv2_web_acl_association and configure the WebACL with the 'AWSManagedRulesAnonymousIpList' and 'AWSManagedRulesKnownBadInputsRuleSet' managed rule groups. Use override_action none for both groups so that matches are blocked rather than only counted.
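The following script is an added example and is not part of this policy page or of Checkov's own implementation. It audits the JSON produced by `terraform show -json` (applied state, where the AppSync and web ACL ARNs are already resolved; a plan whose ARNs are still unknown would need the configuration references instead) and goes one step beyond the presence check described above: it also flags a required rule group that is in count mode, and an API with no association at all. The account ID, ARNs and resource names in the embedded sample are placeholders constructed for the example.

```python
"""Audit `terraform show -json` output for AppSync APIs whose WAFv2 web ACL
lacks the managed rule groups this policy requires, or runs them in count mode.
Added example, not part of the policy page or Checkov.
Usage: python audit.py < state.json   (falls back to the built-in sample)"""
import json
import sys

REQUIRED_GROUPS = ("AWSManagedRulesAnonymousIpList",
                   "AWSManagedRulesKnownBadInputsRuleSet")


def iter_resources(doc):
    """Yield resources from state ("values") or plan ("planned_values") output, all modules."""
    root = (doc.get("values") or doc.get("planned_values") or {}).get("root_module", {})

    def walk(module):
        yield from module.get("resources", [])
        for child in module.get("child_modules", []):
            yield from walk(child)

    return walk(root)


def managed_rule_modes(acl_values):
    """Map each AWS managed rule group in a web ACL to its override mode: 'none' or 'count'."""
    modes = {}
    for rule in acl_values.get("rule", []):
        for stmt in rule.get("statement", []):
            for mrg in stmt.get("managed_rule_group_statement", []):
                if mrg.get("vendor_name") != "AWS":
                    continue
                # Nested blocks are rendered as lists: `count {}` appears as [{}], absent as [].
                override = rule.get("override_action") or [{}]
                modes[mrg["name"]] = "count" if override[0].get("count") else "none"
    return modes


def evaluate(doc):
    """Return {appsync address: [finding, ...]}; an empty list means the API is compliant."""
    by_type = {}
    for res in iter_resources(doc):
        by_type.setdefault(res["type"], []).append(res)
    acls = {r["values"].get("arn"): r for r in by_type.get("aws_wafv2_web_acl", [])}
    assocs = {r["values"].get("resource_arn"): r
              for r in by_type.get("aws_wafv2_web_acl_association", [])}

    report = {}
    for api in by_type.get("aws_appsync_graphql_api", []):
        findings = []
        assoc = assocs.get(api["values"].get("arn"))
        acl = acls.get(assoc["values"].get("web_acl_arn")) if assoc else None
        if assoc is None:
            findings.append("no aws_wafv2_web_acl_association targets this API")
        elif acl is None:
            findings.append("associated web ACL is not managed in this configuration")
        else:
            modes = managed_rule_modes(acl["values"])
            for group in REQUIRED_GROUPS:
                if group not in modes:
                    findings.append(f"missing managed rule group {group}")
                elif modes[group] == "count":
                    findings.append(f"{group} is in count mode and will not block")
        report[api["address"]] = findings
    return report


# --- Constructed sample (placeholder account and ARNs, not real AWS output) ---
def _arn(service, path):
    return f"arn:aws:{service}:us-east-1:111111111111:{path}"


def _acl(name, groups):
    """Minimal aws_wafv2_web_acl resource; groups maps rule group name -> override mode."""
    rules = [{"name": f"rule-{i}", "priority": i,
              "override_action": [{"count": [{}] if mode == "count" else [],
                                   "none": [{}] if mode == "none" else []}],
              "statement": [{"managed_rule_group_statement": [
                  {"name": group, "vendor_name": "AWS"}]}]}
             for i, (group, mode) in enumerate(groups.items(), start=1)]
    return {"address": f"aws_wafv2_web_acl.{name}", "type": "aws_wafv2_web_acl",
            "values": {"arn": _arn("wafv2", f"regional/webacl/{name}/0000"), "rule": rules}}


def _api(name):
    return {"address": f"aws_appsync_graphql_api.{name}", "type": "aws_appsync_graphql_api",
            "values": {"arn": _arn("appsync", f"apis/{name}")}}


def _assoc(name):
    return {"address": f"aws_wafv2_web_acl_association.{name}",
            "type": "aws_wafv2_web_acl_association",
            "values": {"resource_arn": _arn("appsync", f"apis/{name}"),
                       "web_acl_arn": _arn("wafv2", f"regional/webacl/{name}/0000")}}


SAMPLE_STATE = {"values": {"root_module": {"resources": [
    _api("good"), _api("counting"), _api("naked"),
    _acl("good", {"AWSManagedRulesAnonymousIpList": "none",
                  "AWSManagedRulesKnownBadInputsRuleSet": "none"}),
    _acl("counting", {"AWSManagedRulesKnownBadInputsRuleSet": "count"}),
    _assoc("good"), _assoc("counting"),
]}}}

if __name__ == "__main__":
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_STATE
    print(json.dumps(evaluate(doc), indent=2))
```

Run it as `terraform show -json | python audit.py` in the workspace root. A non-empty list for an API is a finding; the count-mode check is stricter than the policy's presence check, which is why a configuration that passes CKV2_AWS_78 can still be reported here.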
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0511 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | aws_appsync_graphql_api, aws_wafv2_web_acl |
| Checkov ID | CKV2_AWS_78 |