steampipe plugin install aws

Table: aws_wafregional_web_acl - Query AWS WAF Regional WebACL using SQL

The AWS WAF Regional WebACL is a resource within the AWS WAF service that allows you to protect your AWS resources against common web exploits. It provides control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting.

Table Usage Guide

The aws_wafregional_web_acl table in Steampipe provides you with information about Web Access Control Lists (WebACLs) in AWS WAF Regional. This table allows you, as a security professional, to query WebACL-specific details, including associated rules, default actions, metric names, and associated metadata. You can utilize this table to gather insights on WebACLs, such as their associated rules, default actions, and more. The schema outlines for you the various attributes of the WebACL, including the WebACL ID, ARN, name, metric name, default action, and associated tags.

Examples

Basic info

Explore the default actions and regional distribution of your AWS WAF web access control lists (ACLs) to gain insights into their configurations and associated tags. This is useful in identifying potential security gaps and ensuring that your ACLs are optimally configured for your specific use case.

select
name,
web_acl_id,
arn,
region,
default_action,
tags
from
aws_wafregional_web_acl;

Get rule details for each web ACL

Explore the rules attached to each web ACL, including the rule type, any excluded rules, the override action set for rule groups, and the action taken when a rule matches. This helps in assessing whether the web ACL is actually configured to block unwanted traffic.

Postgres:

select
name,
web_acl_id,
r ->> 'RuleId' as rule_id,
r ->> 'Type' as rule_type,
r ->> 'ExcludedRules' as excluded_rules,
r ->> 'OverrideAction' as override_action,
r -> 'Action' ->> 'Type' as action_type
from
aws_wafregional_web_acl,
jsonb_array_elements(rules) as r;

SQLite:

select
name,
web_acl_id,
json_extract(r.value, '$.RuleId') as rule_id,
json_extract(r.value, '$.Type') as rule_type,
json_extract(r.value, '$.ExcludedRules') as excluded_rules,
json_extract(r.value, '$.OverrideAction') as override_action,
json_extract(json_extract(r.value, '$.Action'), '$.Type') as action_type
from
aws_wafregional_web_acl,
json_each(rules) as r;

Get web ACLs with no rules defined

Identify instances where web access control lists (ACLs) are defined without any rules in the AWS WAF Regional service. This can help in pinpointing potential security vulnerabilities where traffic is not being properly filtered.

select
name,
web_acl_id,
arn,
region,
default_action,
tags
from
aws_wafregional_web_acl
where
rules is null;

Get web ACLs with default action as 'ALLOW'

Explore which web access control lists (ACLs) in your AWS WAF regional setup have been configured to allow all traffic by default. This can help you identify potential security vulnerabilities where access is not sufficiently restricted.

select
name,
web_acl_id,
arn,
region,
default_action
from
aws_wafregional_web_acl
where
default_action = 'ALLOW';

List web ACLs with logging disabled

Explore which web access control lists (ACLs) in your AWS infrastructure have logging disabled. This is useful for identifying potential security blind spots where unauthorized access could occur undetected.

select
name,
web_acl_id,
arn,
region
from
aws_wafregional_web_acl
where
logging_configuration is null;
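The individual checks above can be combined into a single review query. The following is an added example, not one of the Steampipe documentation's own queries: it uses the Postgres syntax, summarises the rules of each web ACL, and reports those that cannot block anything because the default action is ALLOW and there are either no rules or every rule only counts matches. It assumes that the OverrideAction object for rule groups carries a Type key (NONE or COUNT), as in the AWS WAF Classic API.

```sql
-- Added example (not from the Steampipe docs). Postgres syntax.
-- Summarise the rules of every web ACL, treating a null rules column as empty.
with rule_summary as (
  select
    arn,
    count(r) as rule_count,
    -- rules whose own action is COUNT, or rule groups overridden to COUNT
    -- (assumes OverrideAction has a Type key, per the WAF Classic API)
    count(r) filter (
      where r -> 'Action' ->> 'Type' = 'COUNT'
         or r -> 'OverrideAction' ->> 'Type' = 'COUNT'
    ) as count_only_rules
  from
    aws_wafregional_web_acl
    left join jsonb_array_elements(coalesce(rules, '[]'::jsonb)) as r on true
  group by
    arn
)
select
  w.name,
  w.region,
  w.default_action,
  s.rule_count,
  s.count_only_rules,
  (w.logging_configuration is not null) as logging_enabled,
  -- how many resources (ALBs, API Gateway stages, ...) rely on this web ACL
  coalesce(jsonb_array_length(w.resources), 0) as attached_resources
from
  aws_wafregional_web_acl as w
  join rule_summary as s on s.arn = w.arn
where
  w.default_action = 'ALLOW'
  and (s.rule_count = 0 or s.rule_count = s.count_only_rules)
order by
  attached_resources desc;
```

Rows with attached_resources greater than zero are the ones worth fixing first, since traffic to those resources passes through a web ACL that never blocks.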

Schema for aws_wafregional_web_acl

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
arn | text | | The Amazon Resource Name (ARN) of the entity.
default_action | text | | The action to perform if none of the Rules contained in the WebACL match.
logging_configuration | jsonb | | The logging configuration for the web ACL.
metric_name | text | | A friendly name or description for the metrics for this WebACL.
name | text | | The name of the Web ACL. You cannot change the name of a Web ACL after you create it.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
resources | jsonb | | An array of ARNs (Amazon Resource Names) of the resources associated with the web ACL.
rules | jsonb | | The Rule statements used to identify the web requests that you want to allow, block, or count.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
tags | jsonb | | A map of tags for the resource.
tags_src | jsonb | | A list of tags associated with the resource.
title | text | | Title of the resource.
web_acl_id | text | = | The unique identifier for the Web ACL.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_wafregional_web_acl