Ensure ALBs Have WAF ACLs Attached

Protecting Application Load Balancers with Web ACLs
Internet-facing ALBs need to have WAF web ACLs attached. WAF, as part of your security posture, sits in front of your ALBs and provides a web ACL to block malicious traffic on the load balancer side. To implement this best practice, you must know which load balancers are associated with the WAF through web ACLs. In this demo, AWS expert Mike Wise walks through how to identify whether your ALBs have web ACLs attached.

  1. From the AWS Management Console, navigate to the EC2 Dashboard, then Load Balancers. This will show you all existing load balancers. 
  2. Next, navigate to the WAF & Shield Dashboard, then Web ACLs. Click into a web ACL to determine if any rules are attached to it. 
  3. Open the Associated AWS Resources tab. Does it list any resources? If not, this web ACL is not attached to any of your existing ALBs. If so, the rules attached to this web ACL are applied to every ALB that is listed.
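
The same audit as the console walkthrough above, scripted as an added example that is not part of the original demo. It assumes the boto3 response shapes of elbv2 describe_load_balancers and wafv2 get_web_acl_for_resource (a response with no WebACL key meaning nothing is associated), and the load balancers and associations below are constructed sample data.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample in the shape of elbv2.describe_load_balancers()["LoadBalancers"].
# The account id 123456789012 and the names are placeholders.
ARN_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/"
SAMPLE_LOAD_BALANCERS = [
    {"LoadBalancerName": "public-web", "LoadBalancerArn": ARN_PREFIX + "app/public-web/aaa111",
     "Scheme": "internet-facing", "Type": "application"},
    {"LoadBalancerName": "public-api", "LoadBalancerArn": ARN_PREFIX + "app/public-api/bbb222",
     "Scheme": "internet-facing", "Type": "application"},
    {"LoadBalancerName": "internal-svc", "LoadBalancerArn": ARN_PREFIX + "app/internal-svc/ccc333",
     "Scheme": "internal", "Type": "application"},
    {"LoadBalancerName": "public-tcp", "LoadBalancerArn": ARN_PREFIX + "net/public-tcp/ddd444",
     "Scheme": "internet-facing", "Type": "network"},
]
# Constructed sample of web ACL associations keyed by ALB ARN: only public-web is protected.
SAMPLE_ASSOCIATIONS = {
    ARN_PREFIX + "app/public-web/aaa111": {"WebACL": {"Name": "prod-web-acl"}},
}

def sample_get_web_acl(resource_arn: str) -> Dict:
    """Stand-in for wafv2.get_web_acl_for_resource: no 'WebACL' key means nothing attached."""
    return SAMPLE_ASSOCIATIONS.get(resource_arn, {})

def audit_alb_web_acls(load_balancers: List[Dict],
                       get_web_acl_for_resource: Callable[[str], Dict]) -> Dict[str, Optional[str]]:
    """Map each internet-facing ALB name to its web ACL name, or None if none is attached."""
    findings: Dict[str, Optional[str]] = {}
    for lb in load_balancers:
        # Internal ALBs are out of scope for this check; NLBs/GWLBs cannot take a web ACL at all.
        if lb.get("Type") != "application" or lb.get("Scheme") != "internet-facing":
            continue
        acl = get_web_acl_for_resource(lb["LoadBalancerArn"]).get("WebACL")
        findings[lb["LoadBalancerName"]] = acl["Name"] if acl else None
    return findings

def unprotected_albs(findings: Dict[str, Optional[str]]) -> List[str]:
    """Names of internet-facing ALBs with no web ACL, sorted for stable reporting."""
    return sorted(name for name, acl in findings.items() if acl is None)

if __name__ == "__main__":
    try:  # Real run needs elasticloadbalancing:DescribeLoadBalancers and wafv2:GetWebACLForResource.
        import boto3
        elbv2, wafv2 = boto3.client("elbv2"), boto3.client("wafv2")
        lbs = [lb for page in elbv2.get_paginator("describe_load_balancers").paginate()
               for lb in page["LoadBalancers"]]
        lookup = lambda arn: wafv2.get_web_acl_for_resource(ResourceArn=arn)
    except ImportError:  # boto3 not installed: run against the constructed sample instead
        lbs, lookup = SAMPLE_LOAD_BALANCERS, sample_get_web_acl
    for name in unprotected_albs(audit_alb_web_acls(lbs, lookup)):
        print(f"FINDING: internet-facing ALB {name!r} has no web ACL attached")
```

Run per Region, since both load balancers and regional web ACLs are Region-scoped; a network or gateway load balancer is skipped rather than flagged because it cannot have a web ACL associated.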

For a visual guide on how to ensure ALBs have web ACLs attached, watch the full demo. To learn more about associating a web ACL with an AWS resource, read more.

Transcription
Hello, and welcome to today’s demo! Today we are going to talk about Internet-facing Application Load Balancers and WAF ACLs. WAF stands for “Web Application Firewall” and, as part of your security posture, it will sit in front of your Application Load Balancer and provide a web ACL to block malicious traffic on the load balancer side. An important thing about this: if you are using Amazon WAF, you must understand which load balancers are attached to the WAF through a specific WAF rule. What we’re going to do today is walk through how you can identify if your load balancer is attached to a specific WAF rule and which one it is. 

The first thing we’re going to do is identify where our load balancers are, then after that we’re going to go into the WAF rules to see which ones have ALBs assigned to them and which do not. Let’s go identify where our load balancers are. We’re going to go into “EC2” then “Load Balancers” and this will give an inventory of all the load balancers within your environment in that Region. After we’ve identified what load balancers we have, we can go look at the WAF rules to identify which WAF rules are applied to which load balancer. Let’s go look at the WAF by doing a search and clicking on “WAF.” Now we’re going to go to “Web ACLs.” An important thing to note is we have two web ACLs here and there’s a difference between the two that I’m going to go into here. 

Let’s go to the first one and take a look at it. We click on the web ACL and go to “Associated AWS Resources.” As you can see here, there are no associated AWS resources. This means that this specific web ACL is not attached to any of the ALBs that we saw on that other screen. Now, let’s go look at the other web ACL. We can see under the name that we have a load balancer attached to that web ACL. That means that any rules that are attached to this specific web ACL are being applied to that load balancer. It’s really important that you’re auditing your web ACL rules to make sure you know what web ACLs are being applied and which part of the WAF is protecting your ALBs. That ends today’s demo, and thank you for joining!
