WAF web ACLs should have at least one rule or rule group

Description

This control verifies that an AWS WAFV2 web access control list (web ACL) includes at least one rule or rule group. The control is considered non-compliant if a web ACL lacks any rules or rule groups.

A web ACL provides detailed control over all HTTP(S) web requests to your protected resource. It should include a set of rules and rule groups that examine and manage web requests. If a web ACL is empty, web traffic might pass through without being inspected or managed by AWS WAF, depending on the default action.

Please note that AWS WAF Classic ACLs are not evaluated by this control.
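
The check described above can be reproduced offline against the WebACL object that `aws wafv2 get-web-acl` returns. The following is an added example, not AWS's implementation of the control; the function name `evaluate_web_acl` and the sample ACLs are constructed for illustration. It relies on the fact that WAFV2 attaches rule groups as entries in `Rules` whose statement is a `RuleGroupReferenceStatement` or `ManagedRuleGroupStatement`, and it reports the default action so the pass-through risk of an empty ACL is visible.

```python
import json

# Constructed sample: the "WebACL" objects from two `aws wafv2 get-web-acl` responses.
SAMPLE_ACLS = json.loads("""
[
  {"Name": "empty-allow-acl", "DefaultAction": {"Allow": {}}, "Rules": []},
  {"Name": "edge-acl", "DefaultAction": {"Block": {}}, "Rules": [
    {"Name": "rate-limit", "Priority": 0, "Action": {"Block": {}},
     "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}}},
    {"Name": "aws-common", "Priority": 1, "OverrideAction": {"None": {}},
     "Statement": {"ManagedRuleGroupStatement":
                   {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}}
  ]}
]
""")

# Statement types through which a WAFV2 rule entry attaches a rule group.
RULE_GROUP_STATEMENTS = ("RuleGroupReferenceStatement", "ManagedRuleGroupStatement")


def evaluate_web_acl(web_acl):
    """Return a finding dict for one WAFV2 WebACL object (hypothetical helper)."""
    rules = web_acl.get("Rules") or []
    groups = [r["Name"] for r in rules
              if any(k in r.get("Statement", {}) for k in RULE_GROUP_STATEMENTS)]
    default_action = next(iter(web_acl.get("DefaultAction", {})), "Unknown")
    compliant = len(rules) > 0  # at least one rule or rule group entry
    if compliant:
        note = "requests are inspected before the default action applies"
    elif default_action == "Allow":
        note = "every request is allowed without inspection"
    else:
        note = f"every request gets the default action ({default_action}) without inspection"
    return {
        "name": web_acl.get("Name", "<unnamed>"),
        "compliant": compliant,
        "rules": len(rules) - len(groups),   # standalone rules
        "rule_groups": len(groups),          # referenced or managed rule groups
        "default_action": default_action,
        "note": note,
    }


if __name__ == "__main__":
    for acl in SAMPLE_ACLS:
        print(evaluate_web_acl(acl))
```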

Remediation

For guidance on adding rules or rule groups to WAFV2 web ACLs, please refer to the Editing a web ACL section in the AWS WAF User Guide.