bug(<cloudformation>): false positive "ALB Is Not Integrated With WAF" is reported on AWS::WAFv2::WebACLAssociation #7405

@funkdoodle

Description

Given the following resources, KICS will report the issue "ALB Is Not Integrated With WAF" (query id: 105ba098-1e34-48cd-b0f2-a8a43a51bf9b):

  MyALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
       ...

  MyALBWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !GetAtt MyALB.LoadBalancerArn
      WebACLArn: !Ref WebAclArn

Expected Behavior

"ALB Is Not Integrated With WAF" is not reported when there is an AWS::WAFv2::WebACLAssociation resource attached to the ALB.

Actual Behavior

"ALB Is Not Integrated With WAF" is reported because the query only looks for AWS::WAFRegional::WebACLAssociation.

Steps to Reproduce the Problem

Scan CloudFormation template:

AWSTemplateFormatVersion: 2010-09-09

Parameters:
  Subnet1:
    Type: String
    AllowedPattern: "^subnet-[0-9a-f]*$"
    Description: ALB Subnet 1
    ConstraintDescription: Must be a valid subnet

  Subnet2:
    Type: String
    AllowedPattern: "^subnet-[0-9a-f]*$"
    Description: ALB Subnet 2
    ConstraintDescription: Must be a valid subnet

  VpcId:
    Type: String
    AllowedPattern: "^vpc-[0-9a-f]*$"
    Description: Subnet 1 and Subnet 2 must exist in this VPC
    ConstraintDescription: Must be a valid VPC Id

  WebAclArn:
    Type: String
    AllowedPattern: "^arn:aws:wafv2:.*/webacl/.*$"
    ConstraintDescription: Must be a valid WebACL ARN
    

Resources:

  MyDummySG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VpcId
      GroupDescription: Dummy Security Group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: 0.0.0.0/0

  MyALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Subnets:
        - !Ref Subnet1
        - !Ref Subnet2
      SecurityGroups:
        - !Ref MyDummySG

  MyALBWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !GetAtt MyALB.LoadBalancerArn
      WebACLArn: !Ref WebAclArn
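
The following is an added example, not the KICS Rego query itself, that reproduces the detection logic in plain Python so the false positive and the fix can be checked side by side. The template is the Resources section from above, written as a Python dict in CloudFormation's JSON form (`!GetAtt MyALB.LoadBalancerArn` becomes `{"Fn::GetAtt": ["MyALB", "LoadBalancerArn"]}`, `!Ref` becomes `{"Ref": ...}`). The function names, the `association_types` parameter and the decision to skip load balancers whose `Type` property is `network` (WAF cannot be associated with an NLB) are assumptions of this example and go slightly beyond what the issue states.

```python
"""Reproduce the "ALB Is Not Integrated With WAF" false positive and its fix.

Added example, not KICS's own query. The template below is the Resources
section from the issue, hand-converted to CloudFormation's JSON form
(constructed input, not parsed from the YAML on the page).
"""

ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer"
WAF_REGIONAL_ASSOC = "AWS::WAFRegional::WebACLAssociation"
WAFV2_ASSOC = "AWS::WAFv2::WebACLAssociation"

# Constructed: the MyALB / MyALBWebACLAssociation resources from the issue.
TEMPLATE = {
    "Resources": {
        "MyALB": {
            "Type": ALB_TYPE,
            "Properties": {
                "Scheme": "internet-facing",
                "Subnets": [{"Ref": "Subnet1"}, {"Ref": "Subnet2"}],
                "SecurityGroups": [{"Ref": "MyDummySG"}],
            },
        },
        "MyALBWebACLAssociation": {
            "Type": WAFV2_ASSOC,
            "Properties": {
                "ResourceArn": {"Fn::GetAtt": ["MyALB", "LoadBalancerArn"]},
                "WebACLArn": {"Ref": "WebAclArn"},
            },
        },
    }
}


def referenced_resource(value):
    """Return the logical ID an intrinsic points at, or None for literals.

    Handles `Ref` (which yields the ARN for an ELBv2 load balancer) and
    `Fn::GetAtt` in both the list form and the dotted-string form that
    some YAML loaders keep for the `!GetAtt` short tag.
    """
    if not isinstance(value, dict):
        return None
    if "Ref" in value:
        return value["Ref"]
    if "Fn::GetAtt" in value:
        target = value["Fn::GetAtt"]
        if isinstance(target, str):
            return target.split(".", 1)[0]
        return target[0]
    return None


def albs_without_waf(template, association_types):
    """Logical IDs of application load balancers with no WebACL association.

    `association_types` is the set of resource types the check treats as a
    valid WAF association; the bug in the issue is a set that lacks WAFv2.
    """
    resources = template.get("Resources", {})
    protected = set()
    for res in resources.values():
        if res.get("Type") in association_types:
            target = referenced_resource(res.get("Properties", {}).get("ResourceArn"))
            if target:
                protected.add(target)
    return sorted(
        name
        for name, res in resources.items()
        if res.get("Type") == ALB_TYPE
        # Assumption: skip network load balancers, which cannot carry a WAF.
        and res.get("Properties", {}).get("Type", "application") == "application"
        and name not in protected
    )


def buggy_check(template):
    """Behaviour described in the issue: only WAFRegional counts."""
    return albs_without_waf(template, {WAF_REGIONAL_ASSOC})


def fixed_check(template):
    """Corrected behaviour: WAFRegional or WAFv2 associations both count."""
    return albs_without_waf(template, {WAF_REGIONAL_ASSOC, WAFV2_ASSOC})


if __name__ == "__main__":
    print("regional-only check flags:", buggy_check(TEMPLATE))
    print("regional+v2 check flags:  ", fixed_check(TEMPLATE))
```

Running it shows the regional-only check flagging `MyALB` even though a WAFv2 association targets it, while the corrected check returns an empty list; remove `MyALBWebACLAssociation` from the template and both checks flag `MyALB`, as they should.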

Specifications

(N/A if not applicable)

  • Version:
  • Platform:
  • Subsystem:

Assignees: No one assigned

Labels: aws, bug, cloudformation, community, query