WAF WebACL Misconfigured
waf-webacl-misconfigured
What this rule checks
Flags AWS::WAFv2::WebACL resources that have no rules, a DefaultAction of Allow, or CloudWatchMetricsEnabled set to false in their VisibilityConfig. Any one of the three conditions produces the finding.
How to fix it
1. Add WAF rules covering the OWASP Top 10 baseline, for example the AWS managed rule group AWSManagedRulesCommonRuleSet.
2. Set DefaultAction to Block for defence-in-depth. Note that a Block default only passes requests that some rule explicitly allows; managed rule groups such as AWSManagedRulesCommonRuleSet block or count matching requests but never allow them, so pair the Block default with an allow rule that matches your legitimate traffic (an IP-set or geo-match rule with action allow, for instance). For a genuinely public endpoint that has to keep default Allow, suppress the finding as described below rather than weakening the other two checks.
3. Enable CloudWatchMetricsEnabled (and SampledRequestsEnabled) in VisibilityConfig so blocked and counted requests show up in CloudWatch.
import * as wafv2 from 'aws-cdk-lib/aws-wafv2';

// Default action Allow, no rules, metrics disabled.
new wafv2.CfnWebACL(this, 'Acl', {
  scope: 'REGIONAL',
  defaultAction: { allow: {} },
  visibilityConfig: {
    cloudWatchMetricsEnabled: false,
    metricName: 'appAcl',
    sampledRequestsEnabled: false,
  },
});

import * as wafv2 from 'aws-cdk-lib/aws-wafv2';

// Default Block, at least one rule, metrics + sampled requests enabled.
// Note: with a Block default, requests the managed rule group does not match
// are blocked as well; add a rule with action allow for your legitimate
// traffic, or suppress the finding for a genuinely public endpoint.
new wafv2.CfnWebACL(this, 'Acl', {
  scope: 'REGIONAL',
  defaultAction: { block: {} },
  visibilityConfig: {
    cloudWatchMetricsEnabled: true,
    metricName: 'appAcl',
    sampledRequestsEnabled: true,
  },
  rules: [
    {
      name: 'AWSCommonRuleSet',
      priority: 1,
      statement: {
        managedRuleGroupStatement: {
          vendorName: 'AWS',
          name: 'AWSManagedRulesCommonRuleSet',
        },
      },
      // Managed rule groups take overrideAction rather than action.
      overrideAction: { none: {} },
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'commonRuleSet',
        sampledRequestsEnabled: true,
      },
    },
  ],
});

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
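To make the three conditions concrete, here is an added TypeScript example (not CDK Insights' own code) that runs the same checks over a synthesised CloudFormation template, the kind `cdk synth` writes to cdk.out. The template embedded below is constructed for the example: BadAcl and BlockOnlyAcl are the CloudFormation shape of the two CDK snippets above, and GoodAcl adds an allow rule on an IP set whose ARN is a placeholder. The fourth check, a warning for a Block default with no allow rule, is an addition beyond the rule described on this page, and the checker does not resolve intrinsic functions such as Fn::If, so a non-literal value is treated as the unsafe case.

```typescript
// Added example, not CDK Insights' code: the three waf-webacl-misconfigured
// conditions plus one extra warning, run over a synthesised CFN template.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

type Issue =
  | "no-rules"                  // Rules missing or empty
  | "default-allow"             // DefaultAction is { Allow: {} }
  | "metrics-disabled"          // VisibilityConfig.CloudWatchMetricsEnabled !== true
  | "block-without-allow-rule"; // extra: Block default and no rule with Action.Allow

interface Finding { logicalId: string; issue: Issue; severity: "error" | "warning" }

function hasKey(obj: unknown, key: string): boolean {
  return typeof obj === "object" && obj !== null && key in (obj as object);
}

function checkWebAcls(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== "AWS::WAFv2::WebACL") continue;
    const p = res.Properties ?? {};
    const rules: any[] = Array.isArray(p.Rules) ? p.Rules : [];

    if (rules.length === 0) {
      findings.push({ logicalId, issue: "no-rules", severity: "error" });
    }
    if (hasKey(p.DefaultAction, "Allow")) {
      findings.push({ logicalId, issue: "default-allow", severity: "error" });
    }
    // Intrinsic functions are not resolved: only a literal true counts as enabled.
    if (p.VisibilityConfig?.CloudWatchMetricsEnabled !== true) {
      findings.push({ logicalId, issue: "metrics-disabled", severity: "error" });
    }

    // Extra check beyond the page's rule: a Block default passes only requests that
    // some rule explicitly allows. Managed rule groups are wired in via OverrideAction
    // and groups such as AWSManagedRulesCommonRuleSet only block or count, so a Block
    // default with nothing but managed groups drops every request they do not match.
    const hasAllowRule = rules.some((r) => hasKey(r?.Action, "Allow"));
    if (hasKey(p.DefaultAction, "Block") && !hasAllowRule) {
      findings.push({ logicalId, issue: "block-without-allow-rule", severity: "warning" });
    }
  }
  return findings;
}

// CloudFormation form of the managed-rule-group rule from the CDK snippet above.
function commonRuleSet(priority: number) {
  return {
    Name: "AWSCommonRuleSet",
    Priority: priority,
    Statement: { ManagedRuleGroupStatement: { VendorName: "AWS", Name: "AWSManagedRulesCommonRuleSet" } },
    OverrideAction: { None: {} },
    VisibilityConfig: { CloudWatchMetricsEnabled: true, MetricName: "commonRuleSet", SampledRequestsEnabled: true },
  };
}

const VIS_ON = { CloudWatchMetricsEnabled: true, MetricName: "appAcl", SampledRequestsEnabled: true };

// Constructed sample template (not real cdk synth output). The IP set ARN is a placeholder.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    BadAcl: {
      Type: "AWS::WAFv2::WebACL",
      Properties: {
        Scope: "REGIONAL",
        DefaultAction: { Allow: {} },
        VisibilityConfig: { CloudWatchMetricsEnabled: false, MetricName: "appAcl", SampledRequestsEnabled: false },
      },
    },
    BlockOnlyAcl: {
      Type: "AWS::WAFv2::WebACL",
      Properties: { Scope: "REGIONAL", DefaultAction: { Block: {} }, VisibilityConfig: VIS_ON, Rules: [commonRuleSet(1)] },
    },
    GoodAcl: {
      Type: "AWS::WAFv2::WebACL",
      Properties: {
        Scope: "REGIONAL",
        DefaultAction: { Block: {} },
        VisibilityConfig: VIS_ON,
        Rules: [
          commonRuleSet(1),
          {
            Name: "AllowKnownClients",
            Priority: 10,
            Statement: { IPSetReferenceStatement: { Arn: "arn:aws:wafv2:eu-west-1:123456789012:regional/ipset/known-clients/placeholder" } },
            Action: { Allow: {} },
            VisibilityConfig: { CloudWatchMetricsEnabled: true, MetricName: "allowKnownClients", SampledRequestsEnabled: true },
          },
        ],
      },
    },
  },
};

// Stand-alone run: BadAcl gets three errors, BlockOnlyAcl one warning, GoodAcl nothing.
console.log(JSON.stringify(checkWebAcls(SAMPLE_TEMPLATE), null, 2));
```

Point `checkWebAcls` at the parsed contents of a real cdk.out/<Stack>.template.json to use it on your own stack; resources whose properties come from intrinsic functions will show up as findings and need a manual look.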
Affected resource types
AWS::WAFv2::WebACL

Intentional? Suppress this finding
Sometimes a flag is deliberate: a genuinely public endpoint, say. You can dismiss waf-webacl-misconfigured and the reason is kept in the report, not silently hidden.
In .cdk-insights.json:
{
  "ignoreRules": [
    { "id": "waf-webacl-misconfigured", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:
Validations.of(scope).acknowledge({
  id: 'cdk-insights::waf-webacl-misconfigured',
  reason: 'Why this is intentional',
});

Use the rule ID waf-webacl-misconfigured shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. See the suppression docs for details.
Catch this in your stack
$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app: free, no account, your code never leaves your machine.