
bug(<cloudformation>): false positive "ALB Is Not Integrated With WAF" is reported on AWS::WAFv2::WebACLAssociation #7405


Open
funkdoodle opened this issue Mar 18, 2025 · 0 comments
Labels
  • aws: PR related with AWS Cloud
  • bug: Something isn't working
  • cloudformation: CloudFormation query
  • community: Community contribution
  • query: New query feature

Comments

@funkdoodle

Given the following resources, KICS will report the issue "ALB Is Not Integrated With WAF" (query id: 105ba098-1e34-48cd-b0f2-a8a43a51bf9b):

  MyALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
       ...

  MyALBWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !GetAtt MyALB.LoadBalancerArn
      WebACLArn: !Ref WebAclArn

Expected Behavior

"ALB Is Not Integrated With WAF" is not reported when there is an AWS::WAFv2::WebACLAssociation resource attached to the ALB.

Actual Behavior

"ALB Is Not Integrated With WAF" is reported because the query only looks for AWS::WAFRegional::WebACLAssociation.

Steps to Reproduce the Problem

Scan CloudFormation template:

AWSTemplateFormatVersion: 2010-09-09

Parameters:
  Subnet1:
    Type: String
    AllowedPattern: "^subnet-[0-9a-f]*$"
    Description: ALB Subnet 1
    ConstraintDescription: Must be a valid subnet

  Subnet2:
    Type: String
    AllowedPattern: "^subnet-[0-9a-f]*$"
    Description: ALB Subnet 2
    ConstraintDescription: Must be a valid subnet

  VpcId:
    Type: String
    AllowedPattern: "^vpc-[0-9a-f]*$"
    Description: Subnet 1 and Subnet 2 must exist in this VPC
    ConstraintDescription: Must be a valid VPC Id

  WebAclArn:
    Type: String
    AllowedPattern: "^arn:aws:wafv2:.*/webacl/.*$"
    ConstraintDescription: Must be a valid WebACL ARN
    

Resources:

  MyDummySG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VpcId
      GroupDescription: Dummy Security Group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: 0.0.0.0/0

  MyALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Subnets:
        - !Ref Subnet1
        - !Ref Subnet2
      SecurityGroups:
        - !Ref MyDummySG

  MyALBWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !GetAtt MyALB.LoadBalancerArn
      WebACLArn: !Ref WebAclArn

Specifications

(N/A if not applicable)

  • Version:
  • Platform:
  • Subsystem:
@funkdoodle added the labels bug, community on Mar 18, 2025
@github-actions bot added the labels query, cloudformation, aws on Mar 18, 2025
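The check the report asks for, written out as an added example: this is not the KICS query (KICS queries are Rego) and not the reporter's code. It walks a CloudFormation template for every AWS::ElasticLoadBalancingV2::LoadBalancer, then treats both AWS::WAFRegional::WebACLAssociation and AWS::WAFv2::WebACLAssociation as a valid association, resolving a ResourceArn given as Ref or as Fn::GetAtt <alb>.LoadBalancerArn back to the ALB's logical id. The template is embedded as an already-parsed document in long-form intrinsic-function notation (an assumption about the parser's output, so the example runs offline without a YAML library), using the reporter's resource names plus a constructed UnprotectedALB that has no association and must still be flagged. Passing only the WAFRegional type reproduces the false positive described above.

```python
"""Flag ALBs with no WAF WebACL association in a parsed CloudFormation template.

Added example, not KICS code. Shows the logic the issue asks for: accept both
the WAFRegional and the WAFv2 association types and resolve the ResourceArn
reference (Ref or Fn::GetAtt <alb>.LoadBalancerArn) to the ALB's logical id.
"""

ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer"

# What the query reportedly matches today, and the type that causes the false positive.
LEGACY_ASSOCIATION_TYPES = frozenset({"AWS::WAFRegional::WebACLAssociation"})
ALL_ASSOCIATION_TYPES = LEGACY_ASSOCIATION_TYPES | {"AWS::WAFv2::WebACLAssociation"}


def referenced_logical_id(resource_arn):
    """Return the logical id a ResourceArn points at, or None if it cannot be resolved.

    Handles {"Ref": "X"}, {"Fn::GetAtt": ["X", "LoadBalancerArn"]} and the dotted
    form {"Fn::GetAtt": "X.LoadBalancerArn"}. A literal ARN string cannot be mapped
    to a logical id statically and falls through to None.
    """
    if not isinstance(resource_arn, dict):
        return None
    if "Ref" in resource_arn:
        return resource_arn["Ref"]
    att = resource_arn.get("Fn::GetAtt")
    if isinstance(att, list) and len(att) == 2 and att[1] == "LoadBalancerArn":
        return att[0]
    if isinstance(att, str) and att.endswith(".LoadBalancerArn"):
        return att.rsplit(".", 1)[0]
    return None


def albs_without_waf(template, association_types=ALL_ASSOCIATION_TYPES):
    """Return the sorted logical ids of ALBs that no accepted association targets."""
    resources = template.get("Resources", {})
    albs = {lid for lid, res in resources.items() if res.get("Type") == ALB_TYPE}
    protected = set()
    for res in resources.values():
        if res.get("Type") not in association_types:
            continue
        target = referenced_logical_id(res.get("Properties", {}).get("ResourceArn"))
        if target in albs:
            protected.add(target)
    return sorted(albs - protected)


# Constructed input: the reporter's template in long-form notation, plus one ALB
# (UnprotectedALB, assumed name) that genuinely lacks a WAF association.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"WebAclArn": {"Type": "String"}},
    "Resources": {
        "MyDummySG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
        "MyALB": {
            "Type": ALB_TYPE,
            "Properties": {"Scheme": "internet-facing", "SecurityGroups": [{"Ref": "MyDummySG"}]},
        },
        "MyALBWebACLAssociation": {
            "Type": "AWS::WAFv2::WebACLAssociation",
            "Properties": {
                "ResourceArn": {"Fn::GetAtt": ["MyALB", "LoadBalancerArn"]},
                "WebACLArn": {"Ref": "WebAclArn"},
            },
        },
        "UnprotectedALB": {"Type": ALB_TYPE, "Properties": {"Scheme": "internet-facing"}},
    },
}

if __name__ == "__main__":
    print("WAFRegional only:", albs_without_waf(TEMPLATE, LEGACY_ASSOCIATION_TYPES))
    print("WAFRegional + WAFv2:", albs_without_waf(TEMPLATE))
```

With only the WAFRegional type accepted, MyALB is reported alongside UnprotectedALB, which is the false positive; once WAFv2 is accepted, only UnprotectedALB remains. The same two-type check and reference resolution is what the Rego query would need to do.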