Application Load Balancers are evaluated for an associated AWS WAF web ACL that governs HTTP(S) requests. The evaluation detects ALBs missing a web ACL and recognizes associations from WAFv2 or regional WAF Classic.
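As an added illustration of the association logic this check performs (not Prowler's own implementation), the evaluation below passes an ALB if it appears in the resource list of any WAFv2 regional web ACL or any regional WAF Classic web ACL, and skips load balancers that are not of type `application`. The `collect_live` function is assumed wiring for a real account using the documented boto3 `elbv2`, `wafv2` and `waf-regional` calls; the sample inventory is constructed.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    alb_arn: str
    status: str  # "PASS" or "FAIL"
    status_extended: str

def evaluate_albs(load_balancers, wafv2_acls, classic_acls):
    """load_balancers: describe_load_balancers()-style dicts; wafv2_acls / classic_acls:
    {web_acl_name: set of associated ALB ARNs} from list_resources_for_web_acl."""
    findings = []
    for lb in load_balancers:
        if lb.get("Type") != "application":
            continue  # web ACLs only attach to ALBs; NLBs and GWLBs are out of scope
        arn, name = lb["LoadBalancerArn"], lb["LoadBalancerName"]
        acl = next((n for n, arns in wafv2_acls.items() if arn in arns), None)
        kind = "WAFv2"
        if acl is None:  # the check also accepts a regional WAF Classic association
            acl = next((n for n, arns in classic_acls.items() if arn in arns), None)
            kind = "WAF Classic"
        if acl is None:
            findings.append(Finding(arn, "FAIL", f"ALB {name} is not protected by a WAF web ACL."))
        else:
            findings.append(Finding(arn, "PASS", f"ALB {name} is protected by {kind} web ACL {acl}."))
    return findings

def collect_live(region):
    """Assumed live wiring (needs boto3 and credentials; not exercised offline)."""
    import boto3
    elbv2, wafv2 = boto3.client("elbv2", region_name=region), boto3.client("wafv2", region_name=region)
    classic_client = boto3.client("waf-regional", region_name=region)
    lbs = [lb for p in elbv2.get_paginator("describe_load_balancers").paginate() for lb in p["LoadBalancers"]]
    v2 = {a["Name"]: set(wafv2.list_resources_for_web_acl(
        WebACLArn=a["ARN"], ResourceType="APPLICATION_LOAD_BALANCER")["ResourceArns"])
        for a in wafv2.list_web_acls(Scope="REGIONAL")["WebACLs"]}
    classic = {a["Name"]: set(classic_client.list_resources_for_web_acl(
        WebACLId=a["WebACLId"], ResourceType="APPLICATION_LOAD_BALANCER")["ResourceArns"])
        for a in classic_client.list_web_acls()["WebACLs"]}
    return evaluate_albs(lbs, v2, classic)

# Constructed sample inventory (not from any real account).
PREFIX = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/"
SAMPLE_LBS = [{"LoadBalancerArn": PREFIX + p, "LoadBalancerName": p.split("/")[1], "Type": t}
              for p, t in [("app/web/1", "application"), ("app/api/2", "application"),
                           ("app/legacy/3", "application"), ("net/tcp/4", "network")]]
SAMPLE_WAFV2 = {"prod-acl": {PREFIX + "app/web/1"}}
SAMPLE_CLASSIC = {"old-acl": {PREFIX + "app/legacy/3"}}
```

Both `list_web_acls` calls page with `NextMarker`; the live collector reads only the first page, so accounts with many web ACLs need the pagination loop added.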
Risk
Absent a WAF web ACL, ALBs accept unfiltered Layer 7 traffic, enabling:
- Injection (SQLi/XSS) harming confidentiality and integrity
- Credential stuffing and bot abuse
- Resource exhaustion degrading availability
prowler aws --checks elbv2_waf_acl_attached
Recommendation
Associate a WAF web ACL with each ALB as defense in depth. Use managed and custom rules, IP reputation lists, and rate limiting to block attacks. Continuously tune policies and monitor logs. Apply least privilege by scoping rules to required paths, methods, and sources.
Remediation
aws wafv2 associate-web-acl --web-acl-arn <WEB_ACL_ARN> --resource-arn <ALB_ARN>
- In the AWS Console, open WAF & Shield
- Go to Web ACLs and select your regional Web ACL
- Click Associated AWS resources > Associate resource
- Select the target Application Load Balancer and click Associate
Resource Type
AwsElbv2LoadBalancer