steampipe plugin install aws

Table: aws_waf_rule_group - Query AWS WAF Rule Groups using SQL

The AWS WAF Rule Group is a component of the AWS Web Application Firewall (WAF) service that allows you to bundle rules that identify common patterns of malicious web requests. These rule groups can then be associated with resources to protect them from these identified threats. This facilitates the management and organization of security rules, improving the overall protection of your web applications.

Table Usage Guide

The aws_waf_rule_group table in Steampipe provides you with information about Web Application Firewall (WAF) rule groups within AWS WAF. This table allows you, as a security or DevOps engineer, to query rule group-specific details, including the rule group ID, name, metric name, and associated rules. You can use this table to gather insights on rule groups, such as the types of rules within a rule group and the action for each rule. The schema below lists every attribute the table exposes.

Examples

Basic info

Analyze the settings to understand the activated rules of your AWS WAF rule groups. This can help you gain insights into the security measures in place and identify any potential areas for improvement.

select
  name,
  arn,
  rule_group_id,
  metric_name,
  activated_rules
from
  aws_waf_rule_group;

List rule groups with no associated rules

Find the rule groups that have no associated rules in AWS WAF. This is useful in identifying potential security gaps, as these rule groups are not actively filtering web traffic.

Postgres:

select
  name,
  arn,
  rule_group_id,
  metric_name,
  activated_rules
from
  aws_waf_rule_group
where
  activated_rules is null
  or jsonb_array_length(activated_rules) = 0;

SQLite:

select
  name,
  arn,
  rule_group_id,
  metric_name,
  activated_rules
from
  aws_waf_rule_group
where
  activated_rules is null
  or json_array_length(activated_rules) = 0;

List details of rules associated with the rule group

Identify the specific rules linked to a particular rule group in AWS WAF. This can be useful in understanding the security actions and types associated with each rule within the group.

Postgres:

select
  name as rule_group_name,
  rule_group_id,
  a ->> 'RuleId' as rule_id,
  a -> 'Action' ->> 'Type' as rule_action_type,
  a ->> 'Type' as rule_type
from
  aws_waf_rule_group,
  jsonb_array_elements(activated_rules) as a;

SQLite:

select
  name as rule_group_name,
  rule_group_id,
  json_extract(a.value, '$.RuleId') as rule_id,
  json_extract(json_extract(a.value, '$.Action'), '$.Type') as rule_action_type,
  json_extract(a.value, '$.Type') as rule_type
from
  aws_waf_rule_group,
  json_each(activated_rules) as a;
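
Going one step beyond the per-rule listing above, this added example (not part of the Steampipe documentation) summarizes each rule group's activated rules by action, so that empty groups and groups with no BLOCK rule stand out in one result set. It is written for Postgres and assumes the Action.Type values defined by the AWS WAF Classic API (BLOCK, ALLOW, COUNT); the status labels are illustrative names chosen here.

```sql
-- Added example: per-rule-group action summary (Postgres syntax).
-- Assumption: Action.Type is one of BLOCK, ALLOW, COUNT (AWS WAF Classic API).
with rules as (
  select
    g.account_id,
    g.name as rule_group_name,
    g.rule_group_id,
    elem as activated_rule,
    elem -> 'Action' ->> 'Type' as action_type
  from
    aws_waf_rule_group as g
    -- left join keeps rule groups whose activated_rules is null or empty;
    -- the jsonb_typeof guard avoids an error on a non-array value
    left join lateral jsonb_array_elements(
      case
        when jsonb_typeof(g.activated_rules) = 'array' then g.activated_rules
        else '[]'::jsonb
      end
    ) as elem on true
)
select
  account_id,
  rule_group_name,
  rule_group_id,
  count(activated_rule) as total_rules,
  count(*) filter (where action_type = 'BLOCK') as block_rules,
  count(*) filter (where action_type = 'ALLOW') as allow_rules,
  count(*) filter (where action_type = 'COUNT') as count_rules,
  case
    -- illustrative status labels, not values returned by AWS
    when count(activated_rule) = 0 then 'empty'
    when count(*) filter (where action_type = 'BLOCK') = 0 then 'no blocking rules'
    else 'ok'
  end as status
from
  rules
group by
  account_id,
  rule_group_name,
  rule_group_id
order by
  block_rules,
  rule_group_name;
```

Rule groups with the fewest BLOCK rules sort first, which puts the empty and count-only groups at the top of the result.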

Schema for aws_waf_rule_group

| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| activated_rules | jsonb | | A list of activated rules associated with the resource. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| arn | text | | The Amazon Resource Name (ARN) of the entity. |
| metric_name | text | | A friendly name or description for the metrics for this RuleGroup. |
| name | text | | The name of the rule group. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| region | text | | The AWS Region in which the resource is located. |
| rule_group_id | text | = | A unique identifier for the rule group. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| tags | jsonb | | A map of tags for the resource. |
| tags_src | jsonb | | A list of tags associated with the resource. |
| title | text | | Title of the resource. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_waf_rule_group