For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-alb-is-not-integrated-with-waf.md. A documentation index is available at /llms.txt.

ALB is not integrated with WAF

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-alb-is-not-integrated-with-waf

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Networking and Firewall

Learn More

Description

Externally accessible Application Load Balancers must be protected by a web application firewall (WAF) to block common web attacks such as SQL injection, cross-site scripting, and HTTP-layer abuse that can lead to data exposure or service disruption. Check AWS::ElasticLoadBalancingV2::LoadBalancer resources where Properties.Scheme is not internal and ensure there is an AWS::WAFRegional::WebACLAssociation that associates a web ACL with the load balancer by setting Properties.ResourceArn to the load balancer ARN. Resources missing a corresponding AWS::WAFRegional::WebACLAssociation where ResourceArn references the load balancer will be flagged.

Secure CloudFormation example using the ALB ARN:

MyLoadBalancer:
  Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  Properties:
    Name: my-alb
    Scheme: internet-facing
    # other ALB properties...

MyWebACLAssociation:
  Type: AWS::WAFRegional::WebACLAssociation
  Properties:
    ResourceArn: !GetAtt MyLoadBalancer.LoadBalancerArn
    WebACLId: !Ref MyWebACL

Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Resources:
    MyLoadBalancer9:
        Type: AWS::ElasticLoadBalancing::LoadBalancer
        Properties:
          AvailabilityZones:
          - "us-east-2a"
          CrossZone: true
          Listeners:
          - InstancePort: '80'
            InstanceProtocol: HTTP
            LoadBalancerPort: '443'
            Protocol: HTTPS
            PolicyNames:
            - My-SSLNegotiation-Policy
            SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
          Scheme: internet-facing
    MyWebACLAssociation:
      Type: "AWS::WAFRegional::WebACLAssociation"
      Properties:
        ResourceArn:
          Ref: MyLoadBalancer9
        WebACLId:
          Ref: MyWebACL

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyLoadBalancer8": {
      "Properties": {
        "Listeners": [
          {
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ],
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS"
          }
        ],
        "Scheme": "internet-facing",
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true
      },
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer"
    },
    "MyWebACLAssociation": {
      "Type": "AWS::WAFRegional::WebACLAssociation",
      "Properties": {
        "WebACLId": {
          "Ref": "MyWebACL"
        },
        "ResourceArn": {
          "Ref": "MyLoadBalancer8"
        }
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyLoadBalancer22:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AvailabilityZones:
        - "us-east-2a"
      CrossZone: true
      Listeners:
        - InstancePort: "80"
          InstanceProtocol: HTTP
          LoadBalancerPort: "443"
          Protocol: HTTPS
          PolicyNames:
            - My-SSLNegotiation-Policy
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
      Scheme: internet-facing

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyLoadBalancerV2:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: myloadbalancerv2
      Scheme: internet-facing

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyLoadBalancer22222222": {
      "Properties": {
        "Listeners": [
          {
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "443",
            "Protocol": "HTTPS",
            "PolicyNames": [
              "My-SSLNegotiation-Policy"
            ]
          }
        ],
        "Scheme": "internet-facing",
        "AvailabilityZones": [
          "us-east-2a"
        ],
        "CrossZone": true
      },
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer"
    }
  }
}