AWS WAFv2 web ACLs are evaluated for the presence of at least one configured rule or rule group that defines how HTTP(S) requests are inspected and acted upon.
Risk
Without rules, traffic is governed only by the web ACL DefaultAction, often allowing requests without inspection. This increases risks to confidentiality (data exfiltration via injection), integrity (XSS/parameter tampering), and availability (layer-7 DDoS, bot abuse).
prowler aws --checks wafv2_webacl_with_rules
Recommendation
Populate each web ACL with targeted rules or managed rule groups to enforce least-privilege web access: cover common exploits (SQLi/XSS), IP reputation, and rate limits, scoped to your apps. Use a conservative DefaultAction, monitor metrics/logs, and tune continually, supporting defense in depth and zero trust.
Remediation
- In the AWS Console, go to AWS WAF
- Open Web ACLs and select the failing Web ACL
- Go to the Rules tab and click Add rules
- Choose Add managed rule group, select AWS > AWSManagedRulesCommonRuleSet
- Set action to Count (to avoid blocking), then Add rule and Save
- Verify the Web ACL now shows at least one rule
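The following Python is an added example, not Prowler's own check implementation or any AWS code. It mirrors the condition the check evaluates (a web ACL with at least one rule) against a constructed document shaped like a wafv2 GetWebACL response, and builds the AWSManagedRulesCommonRuleSet entry in Count mode that the console steps above add, together with the keyword arguments a boto3 `update_web_acl` call would take. The ACL name, id, ARN and lock token are placeholders; no AWS API is called.

```python
"""Added example: evaluate a WAFv2 web ACL for the 'has at least one rule'
condition and build the Count-mode managed rule group remediation payload.
The sample web ACL below is constructed; names, ids and ARNs are placeholders."""

import copy
import json

# Constructed sample: a regional web ACL with no rules and an Allow default action.
EMPTY_WEB_ACL = {
    "Name": "example-empty-acl",                        # placeholder name
    "Id": "00000000-0000-0000-0000-000000000000",       # placeholder id
    "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/"
           "example-empty-acl/00000000-0000-0000-0000-000000000000",
    "DefaultAction": {"Allow": {}},
    "Rules": [],
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "example-empty-acl",
    },
}


def evaluate_web_acl(acl: dict) -> dict:
    """Mirror the check: PASS when the web ACL carries at least one rule.
    The DefaultAction is reported too, because with no rules it alone decides
    what happens to every request."""
    rules = acl.get("Rules") or []
    default = next(iter(acl.get("DefaultAction", {})), "Unknown")
    if not rules:
        return {
            "status": "FAIL", "rule_count": 0, "default_action": default,
            "message": f"Web ACL {acl['Name']} has no rules; all traffic "
                       f"falls through to DefaultAction={default}.",
        }
    return {
        "status": "PASS", "rule_count": len(rules), "default_action": default,
        "message": f"Web ACL {acl['Name']} has {len(rules)} rule(s).",
    }


def common_rule_set_count_mode(priority: int = 0) -> dict:
    """Rule entry for AWSManagedRulesCommonRuleSet with OverrideAction=Count.
    Count mode records matches in CloudWatch metrics and WAF logs without
    blocking, so the rule group can be tuned before switching it to enforce
    (OverrideAction={"None": {}}). Managed rule groups take OverrideAction,
    not Action."""
    return {
        "Name": "AWS-AWSManagedRulesCommonRuleSet",
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet",
            }
        },
        "OverrideAction": {"Count": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "AWSManagedRulesCommonRuleSet",
        },
    }


def remediate(acl: dict) -> dict:
    """Return a copy of the ACL with the managed rule group appended at the
    next unused priority (priorities must be unique within a web ACL)."""
    fixed = copy.deepcopy(acl)
    used = [rule["Priority"] for rule in fixed.get("Rules", [])]
    fixed["Rules"] = list(fixed.get("Rules", [])) + [
        common_rule_set_count_mode(max(used, default=-1) + 1)
    ]
    return fixed


def update_web_acl_kwargs(acl: dict, scope: str, lock_token: str) -> dict:
    """Keyword arguments for boto3 wafv2.update_web_acl(). The LockToken comes
    from the preceding get_web_acl() call; scope is REGIONAL or CLOUDFRONT.
    Built only, never sent, in this example."""
    return {
        "Name": acl["Name"],
        "Scope": scope,
        "Id": acl["Id"],
        "DefaultAction": acl["DefaultAction"],
        "Rules": acl["Rules"],
        "VisibilityConfig": acl["VisibilityConfig"],
        "LockToken": lock_token,
    }


if __name__ == "__main__":
    print(evaluate_web_acl(EMPTY_WEB_ACL)["message"])
    fixed_acl = remediate(EMPTY_WEB_ACL)
    print(evaluate_web_acl(fixed_acl)["message"])
    # "lock-token-placeholder" stands in for the token get_web_acl() would return.
    print(json.dumps(update_web_acl_kwargs(fixed_acl, "REGIONAL",
                                           "lock-token-placeholder"), indent=2))
```

Count mode is the right first step because a managed rule group dropped straight into Block can reject legitimate traffic that happens to match a generic signature; watching the per-rule metrics for a while, then flipping OverrideAction to None (or adding narrower scope-down statements), is how the "continually tune" part of the recommendation is carried out.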
Resource Type
AwsWafv2WebAcl