Table: aws_wafregional_web_acl - Query AWS WAF Regional WebACL using SQL
The AWS WAF Regional WebACL is a resource within the AWS WAF service that allows you to protect your AWS resources against common web exploits. It provides control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting.
Table Usage Guide
The aws_wafregional_web_acl table in Steampipe provides you with information about Web Access Control Lists (WebACLs) in AWS WAF Regional. This table allows you, as a security professional, to query WebACL-specific details, including associated rules, default actions, metric names, and associated metadata. You can utilize this table to gather insights on WebACLs, such as their associated rules, default actions, and more. The schema outlines for you the various attributes of the WebACL, including the WebACL ID, ARN, name, metric name, default action, and associated tags.
Examples
Basic info
Explore the default actions and regional distribution of your AWS WAF web access control lists (ACLs) to gain insights into their configurations and associated tags. This is useful in identifying potential security gaps and ensuring that your ACLs are optimally configured for your specific use case.
PostgreSQL and SQLite:

```sql
select
  name,
  web_acl_id,
  arn,
  region,
  default_action,
  tags
from
  aws_wafregional_web_acl;
```
Get rule details for each web ACL
Explore specific rules applied to each web application firewall (WAF) to understand its function, including any rules that have been excluded and any actions taken when a rule is triggered. This can help in assessing the security configuration of your WAF.
PostgreSQL:

```sql
select
  name,
  web_acl_id,
  r ->> 'RuleId' as rule_id,
  r ->> 'Type' as rule_type,
  r ->> 'ExcludedRules' as excluded_rules,
  r ->> 'OverrideAction' as override_action,
  r -> 'Action' ->> 'Type' as action_type
from
  aws_wafregional_web_acl,
  jsonb_array_elements(rules) as r;
```

SQLite:

```sql
select
  name,
  web_acl_id,
  json_extract(r.value, '$.RuleId') as rule_id,
  json_extract(r.value, '$.Type') as rule_type,
  json_extract(r.value, '$.ExcludedRules') as excluded_rules,
  json_extract(r.value, '$.OverrideAction') as override_action,
  json_extract(json_extract(r.value, '$.Action'), '$.Type') as action_type
from
  aws_wafregional_web_acl,
  json_each(rules) as r;
```
Get web ACLs with no rules defined
Identify instances where web access control lists (ACLs) are defined without any rules in the AWS WAF Regional service. This can help in pinpointing potential security vulnerabilities where traffic is not being properly filtered.
PostgreSQL and SQLite:

```sql
select
  name,
  web_acl_id,
  arn,
  region,
  default_action,
  tags
from
  aws_wafregional_web_acl
where
  rules is null;
```
Get web ACLs with default action as 'ALLOW'
Explore which web access control lists (ACLs) in your AWS WAF regional setup have been configured to allow all traffic by default. This can help you identify potential security vulnerabilities where access is not sufficiently restricted.
PostgreSQL and SQLite:

```sql
select
  name,
  web_acl_id,
  arn,
  region,
  default_action
from
  aws_wafregional_web_acl
where
  default_action = 'ALLOW';
```
List web ACLs with logging disabled
Explore which web access control lists (ACLs) in your AWS infrastructure have logging disabled. This is useful for identifying potential security blind spots where unauthorized access could occur undetected.
PostgreSQL and SQLite:

```sql
select
  name,
  web_acl_id,
  arn,
  region
from
  aws_wafregional_web_acl
where
  logging_configuration is null;
```
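The checks above each answer one question. As an added example that is not part of the Steampipe docs, the following PostgreSQL query (Steampipe's native dialect; it will not run in the SQLite exporter) folds them into one posture report per web ACL, adds the "associated resource" control listed below, and treats COUNT-only rules as non-blocking so a default-ALLOW ACL whose rules only count is flagged too:

```sql
-- Added example, not from the Steampipe docs: a single posture report over
-- aws_wafregional_web_acl in PostgreSQL that combines the page's individual
-- checks with the "web ACL should be associated with a resource" control.
with acl as (
  select
    name,
    web_acl_id,
    region,
    default_action,
    coalesce(jsonb_array_length(rules), 0) as rule_count,
    -- rules (or rule groups) set to COUNT observe traffic but never block it
    (select count(*)
       from jsonb_array_elements(coalesce(rules, '[]'::jsonb)) as r
      where r -> 'Action' ->> 'Type' = 'COUNT'
         or r -> 'OverrideAction' ->> 'Type' = 'COUNT') as count_only_rules,
    coalesce(jsonb_array_length(resources), 0) as associated_resources,
    logging_configuration is not null as logging_enabled
  from aws_wafregional_web_acl
),
report as (
  select
    *,
    -- collect every finding for the ACL; nulls (passed checks) are dropped
    array_remove(array[
      case when rule_count = 0
           then 'no rules attached' end,
      case when default_action = 'ALLOW' and rule_count = count_only_rules
           then 'default ALLOW and no rule can block' end,
      case when not logging_enabled
           then 'logging disabled' end,
      case when associated_resources = 0
           then 'not associated with any resource' end
    ], null) as findings
  from acl
)
select
  name, web_acl_id, region, default_action,
  rule_count, associated_resources, logging_enabled, findings
from report
where cardinality(findings) > 0
order by cardinality(findings) desc, region, name;
```

An ACL that passes every check produces no row, so an empty result means the account's regional WAF Classic ACLs are clean on these four points.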
Control examples
- AWS Foundational Security Best Practices > WAF > 4 AWS WAF Classic Regional web ACLs should have at least one rule or rule group
- WAF regional web ACL should have at least one rule or rule group attached
- WAF web ACL should be associated with an Application Load Balancer, API Gateway stage, or CloudFront distributions
Schema for aws_wafregional_web_acl
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The Amazon Resource Name (ARN) of the entity. |
default_action | text | | The action to perform if none of the Rules contained in the WebACL match. |
logging_configuration | jsonb | | The logging configuration for the web ACL. |
metric_name | text | | A friendly name or description for the metrics for this WebACL. |
name | text | | The name of the Web ACL. You cannot change the name of a Web ACL after you create it. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
resources | jsonb | | An array of ARNs (Amazon Resource Names) of the resources associated with the web ACL. |
rules | jsonb | | The Rule statements used to identify the web requests that you want to allow, block, or count. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | A list of tags associated with the resource. |
title | text | | Title of the resource. |
web_acl_id | text | = | The unique identifier for the Web ACL. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_wafregional_web_acl
```