WAFv2 web ACLs should include the ‘AWSManagedRulesKnownBadInputsRuleSet’ managed rule group

Description

The “Known bad inputs” (AWSManagedRulesKnownBadInputsRuleSet) managed rule group contains rules that block request patterns that are invalid or known to be associated with exploitation of vulnerabilities, such as Log4j. Note that the “Log4JRCE” rule (like many other WAFv2 rules) inspects only the first 8 KB of the request body, so you may additionally want to include the “Core rule set” (AWSManagedRulesCommonRuleSet): its “SizeRestrictions_BODY” rule verifies that the request body is at most 8 KB, so a payload cannot be placed beyond the inspected portion of the body.

Remediation Steps

AWS Console

  • Navigate to WAF.

  • In the left navigation pane, click Web ACLs.

  • Select Create web ACL.

  • Enter a name.

  • Enter a description.

  • Enter a CloudWatch metric name.

  • Select the resource type to associate with the web ACL.

    • If you selected a regional resource type, select the region.

  • Optionally, associate a resource with the web ACL.

  • Select Next.

  • Under Rules, select the Add rules dropdown and select Add managed rule groups.

  • Select AWS managed rule groups.

  • Under Free rule groups, find the Known bad inputs entry and select Add to web ACL.

  • Select Add rules.

  • Set the default web ACL action as desired.

  • Select Next.

  • Set the rule priority as desired.

  • Select Next.

  • Set Request sampling options as desired.

  • Select Next.

  • Select Create web ACL.

AWS CLI

  • Create a waf-rule.json file that enables the “Known bad inputs” rule set:

[
    {
        "Name": "AWS-AWSManagedRulesKnownBadInputsRuleSet",
        "Priority": 0,
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesKnownBadInputsRuleSet"
            }
        },
        "OverrideAction": {
            "None": {}
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "AWS-AWSManagedRulesKnownBadInputsRuleSet"
        }
    }
]

  • Create a web ACL with the “Known bad inputs” managed rule set (web ACLs with CLOUDFRONT scope must be created in the us-east-1 region):

aws wafv2 create-web-acl --name MyWebACL \
  --scope CLOUDFRONT \
  --region us-east-1 \
  --default-action Allow={} \
  --rules file://waf-rule.json \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWebAclMetrics
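As an added example (not part of this rule's remediation content), the following Python audit takes a web ACL definition in the shape returned by `aws wafv2 get-web-acl` and checks it for the Known bad inputs group. It goes a step beyond presence: it also flags Count overrides that would make the group log instead of block, and a missing Core rule set, following the body-size caveat in the description. The `managed_rule` helper and the two sample ACLs are constructed for the demonstration.

```python
KNOWN_BAD_INPUTS = "AWSManagedRulesKnownBadInputsRuleSet"
COMMON_RULE_SET = "AWSManagedRulesCommonRuleSet"


def aws_managed_groups(web_acl):
    """Map managed rule group name -> rule entry for AWS-vendored groups in the ACL."""
    groups = {}
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if stmt and stmt.get("VendorName") == "AWS":
            groups[stmt["Name"]] = rule
    return groups


def audit_web_acl(web_acl):
    """Return findings for one web ACL (empty list = passes). Beyond presence of the
    group, flags Count overrides (group or per-rule) that make it non-blocking and a
    missing Core rule set, whose SizeRestrictions_BODY backs the 8 KB inspection limit."""
    findings = []
    groups = aws_managed_groups(web_acl)
    kbi = groups.get(KNOWN_BAD_INPUTS)
    if kbi is None:
        findings.append(f"missing {KNOWN_BAD_INPUTS}")
    else:
        if "Count" in kbi.get("OverrideAction", {}):
            findings.append(f"{KNOWN_BAD_INPUTS} overridden to Count (not blocking)")
        for ov in kbi["Statement"]["ManagedRuleGroupStatement"].get("RuleActionOverrides", []):
            if "Count" in ov.get("ActionToUse", {}):
                findings.append(f"{KNOWN_BAD_INPUTS}/{ov['Name']} overridden to Count")
    if COMMON_RULE_SET not in groups:
        findings.append(f"missing {COMMON_RULE_SET} (SizeRestrictions_BODY not enforced)")
    return findings


def managed_rule(name, override="None", count_rules=()):
    """Build a rule entry in the shape of waf-rule.json (helper for the constructed samples)."""
    stmt = {"VendorName": "AWS", "Name": name}
    if count_rules:
        stmt["RuleActionOverrides"] = [{"Name": r, "ActionToUse": {"Count": {}}} for r in count_rules]
    return {"Name": f"AWS-{name}", "Priority": 0, "OverrideAction": {override: {}},
            "Statement": {"ManagedRuleGroupStatement": stmt},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": f"AWS-{name}"}}


# Constructed sample ACLs in the get-web-acl "WebACL" shape; not from a real account.
COMPLIANT_ACL = {"Name": "good", "Rules": [managed_rule(KNOWN_BAD_INPUTS), managed_rule(COMMON_RULE_SET)]}
WEAK_ACL = {"Name": "weak", "Rules": [managed_rule(KNOWN_BAD_INPUTS, "Count", ("Log4JRCE",))]}
```

To run it against a live ACL, pass the `WebACL` object from `aws wafv2 get-web-acl` to `audit_web_acl`.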

Terraform

  • Ensure that an aws_wafv2_web_acl rule.statement.managed_rule_group_statement block has name set to AWSManagedRulesKnownBadInputsRuleSet and vendor_name set to AWS:

Example Configuration

resource "aws_wafv2_web_acl" "valid1" {
  name  = "valid1"
  scope = "CLOUDFRONT" # CLOUDFRONT-scoped ACLs are managed through a us-east-1 provider

  default_action {
    allow {}
  }
  rule {
    name     = "valid1rule1"
    priority = 1
    # Managed rule groups take override_action; "none" keeps their own block actions
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "valid1rule1"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "valid1"
    sampled_requests_enabled   = true
  }
}