steampipe plugin install aws

Table: aws_wafv2_web_acl - Query AWS WAFv2 WebACLs using SQL

AWS WAFv2 WebACLs are a key component of AWS WAF, a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. The WebACLs allow you to manage a collection of rules that use the same settings. These rules can identify patterns of malicious behavior and take action to block, allow, or count web requests.

Table Usage Guide

The aws_wafv2_web_acl table in Steampipe provides you with information about WebACL resources within AWS WAFv2. This table allows you, as a DevOps engineer, to query WebACL-specific details, including associated rules, actions, visibility configurations, and associated metadata. You can utilize this table to gather insights on WebACLs, such as rules associated with each WebACL, actions for each rule, and the scope of the WebACL. The schema outlines for you the various attributes of the WebACL, including the ARN, capacity, default action, description, and associated tags.

Examples

Basic info

List every web ACL with its scope, description, capacity in use (WCUs) and whether it is managed by AWS Firewall Manager. This gives a quick inventory of your WAF coverage and a starting point for capacity planning.

select
name,
id,
scope,
description,
capacity,
managed_by_firewall_manager
from
aws_wafv2_web_acl;

Get CloudWatch metrics details for each web ACL

Check, for each web ACL, whether CloudWatch metrics are enabled and which metric name they are published under. Without metrics you cannot monitor or alert on allowed, blocked and counted requests, so this is a basic operational visibility check for the security of your web applications.

PostgreSQL:

select
name,
id,
visibility_config ->> 'CloudWatchMetricsEnabled' as cloud_watch_metrics_enabled,
visibility_config ->> 'MetricName' as metric_name
from
aws_wafv2_web_acl;

SQLite:

select
name,
id,
json_extract(visibility_config, '$.CloudWatchMetricsEnabled') as cloud_watch_metrics_enabled,
json_extract(visibility_config, '$.MetricName') as metric_name
from
aws_wafv2_web_acl;

List web ACLs whose sampled requests are not enabled

Identify the web ACLs in your AWS accounts where request sampling is disabled. Sampled requests let you inspect a sample of the web requests each rule matched, so having them off removes a useful aid for security audits and rule tuning.

PostgreSQL:

select
name,
id,
visibility_config ->> 'SampledRequestsEnabled' as sampled_requests_enabled
from
aws_wafv2_web_acl
where
visibility_config ->> 'SampledRequestsEnabled' = 'false';

SQLite:

select
name,
id,
json_extract(visibility_config, '$.SampledRequestsEnabled') as sampled_requests_enabled
from
aws_wafv2_web_acl
where
json_extract(visibility_config, '$.SampledRequestsEnabled') = 'false';

Get the attack patterns defined in each rule for each web ACL

Break out the statement type each rule in each web ACL uses (byte match, geo match, IP set reference, rate based, SQLi, XSS, and so on). This shows which kinds of attack pattern each web ACL is actually looking for and where coverage may need adjustment.

PostgreSQL:

select
name,
id,
r ->> 'Name' as rule_name,
r -> 'Statement' ->> 'AndStatement' as and_statement,
r -> 'Statement' ->> 'ByteMatchStatement' as byte_match_statement,
r -> 'Statement' ->> 'GeoMatchStatement' as geo_match_statement,
r -> 'Statement' ->> 'IPSetReferenceStatement' as ip_set_reference_statement,
r -> 'Statement' ->> 'NotStatement' as not_statement,
r -> 'Statement' ->> 'OrStatement' as or_statement,
r -> 'Statement' ->> 'RateBasedStatement' as rate_based_statement,
r -> 'Statement' ->> 'RegexPatternSetReferenceStatement' as regex_pattern_set_reference_statement,
r -> 'Statement' ->> 'RuleGroupReferenceStatement' as rule_group_reference_statement,
r -> 'Statement' ->> 'SizeConstraintStatement' as size_constraint_statement,
r -> 'Statement' ->> 'SqliMatchStatement' as sqli_match_statement,
r -> 'Statement' ->> 'XssMatchStatement' as xss_match_statement
from
aws_wafv2_web_acl,
jsonb_array_elements(rules) as r;

No SQLite equivalent of this query is provided.
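As an added example (not from the Steampipe docs), the following query goes one step further than listing statement types: it works out each rule's effective action and flags web ACLs that can never block a request, i.e. the default action is Allow and every rule is Count or Allow, or a rule group overridden to Count. It assumes the rules and default_action JSON keep the AWS API field names (Action, Block, Count, Allow, OverrideAction, None); PostgreSQL syntax.

```sql
-- Added example; assumes the rule JSON uses the AWS API field names
-- (Action.Block / Action.Count / Action.Allow, OverrideAction.Count / None).
-- jsonb_typeof(...) = 'object' is used instead of a key-exists check because
-- an absent sub-action may be serialised as an explicit JSON null.
with rule_actions as (
  select
    w.arn,
    r ->> 'Name' as rule_name,
    case
      when jsonb_typeof(r -> 'OverrideAction' -> 'Count') = 'object' then 'count' -- rule group forced to count only
      when jsonb_typeof(r -> 'OverrideAction' -> 'None') = 'object' then 'group'  -- rule group keeps its own actions, may block
      when jsonb_typeof(r -> 'Action' -> 'Block') = 'object' then 'block'
      when jsonb_typeof(r -> 'Action' -> 'Count') = 'object' then 'count'
      when jsonb_typeof(r -> 'Action' -> 'Allow') = 'object' then 'allow'
      else 'other'                                                                 -- e.g. Captcha or Challenge
    end as effective_action
  from
    aws_wafv2_web_acl as w,
    jsonb_array_elements(w.rules) as r
)
select
  w.name,
  w.scope,
  w.region,
  case
    when jsonb_typeof(w.default_action -> 'Block') = 'object' then 'block'
    else 'allow'
  end as default_action,
  count(ra.rule_name) as rule_count,
  count(*) filter (where ra.effective_action in ('block', 'group')) as rules_that_may_block,
  count(*) filter (where ra.effective_action = 'count') as count_only_rules
from
  aws_wafv2_web_acl as w
  left join rule_actions as ra on ra.arn = w.arn
group by
  w.name, w.scope, w.region, w.default_action
having
  -- default action is not Block ...
  jsonb_typeof(w.default_action -> 'Block') is distinct from 'object'
  -- ... and no rule (or rule group) can block either: the web ACL is effectively monitor-only
  and count(*) filter (where ra.effective_action in ('block', 'group')) = 0;
```

A web ACL in this list is fine while you are tuning rules in Count mode, but it is not enforcing anything, so each row should map to a deliberate decision.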

List regional web ACLs

List the web ACLs with REGIONAL scope, which protect regional resources such as Application Load Balancers, together with the region each one lives in. This shows the geographical distribution of your WAF protection.

select
name,
id,
scope,
region
from
aws_wafv2_web_acl
where
scope = 'REGIONAL';

List web ACLs with logging disabled

Find web ACLs that have no logging configuration. Without logging, the requests a web ACL allows or blocks leave no record, so these ACLs are blind spots in your AWS WAF setup; use the list to ensure every web ACL logs to a destination you monitor.

select
name,
id,
scope,
region
from
aws_wafv2_web_acl
where
logging_configuration is null;

Get details for ALBs associated with each web ACL

Join each web ACL to the Application Load Balancers listed in its associated_resources to see which load balancers sit behind which web ACL. This is useful when mapping your network's security configuration or checking that the right ALBs are protected.

PostgreSQL:

select
lb.name as application_load_balancer_name,
w.name as web_acl_name,
w.id as web_acl_id,
w.scope as web_acl_scope,
lb.type as application_load_balancer_type
from
aws_ec2_application_load_balancer as lb,
aws_wafv2_web_acl as w,
jsonb_array_elements_text(associated_resources) as arns
where
lb.arn = arns;

SQLite:

select
lb.name as application_load_balancer_name,
w.name as web_acl_name,
w.id as web_acl_id,
w.scope as web_acl_scope,
lb.type as application_load_balancer_type
from
aws_ec2_application_load_balancer as lb,
aws_wafv2_web_acl as w,
json_each(associated_resources) as arns
where
lb.arn = arns.value;
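Complementing the join above, this added example (not from the Steampipe docs) turns the question around and lists Application Load Balancers that no web ACL claims in associated_resources, which is the coverage gap a WAF review usually cares about. It assumes the aws_ec2_application_load_balancer table exposes a scheme column ('internet-facing' or 'internal'); PostgreSQL syntax.

```sql
-- Added example: ALBs with no WAFv2 web ACL in front of them.
-- ALBs are regional resources, so only REGIONAL-scope web ACLs can be associated;
-- the anti-join below therefore only needs to look at those.
-- Assumes lb.scheme exists with values 'internet-facing' / 'internal'.
select
  lb.name as application_load_balancer_name,
  lb.region,
  lb.scheme,           -- internet-facing ALBs without a web ACL are the ones to look at first
  lb.arn
from
  aws_ec2_application_load_balancer as lb
where
  not exists (
    select 1
    from
      aws_wafv2_web_acl as w,
      jsonb_array_elements_text(w.associated_resources) as arns
    where
      w.scope = 'REGIONAL'
      and arns = lb.arn
  )
order by
  lb.scheme, lb.region, lb.name;
```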

Schema for aws_wafv2_web_acl

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
arn | text | | The Amazon Resource Name (ARN) of the entity.
associated_resources | jsonb | | The array of Amazon Resource Names (ARNs) of the associated resources.
capacity | bigint | | The Web ACL capacity units (WCUs) currently being used by this resource.
default_action | jsonb | | The action to perform if none of the Rules contained in the Web ACL match.
description | text | | A description of the Web ACL that helps with identification.
id | text | = | The unique identifier for the Web ACL.
lock_token | text | | A token used for optimistic locking.
logging_configuration | jsonb | | The logging configuration for the specified web ACL.
managed_by_firewall_manager | boolean | | Indicates whether this web ACL is managed by AWS Firewall Manager.
name | text | = | The name of the Web ACL. You cannot change the name of a Web ACL after you create it.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
post_process_firewall_manager_rule_groups | jsonb | | The last set of rules for AWS WAF to process in the web ACL.
pre_process_firewall_manager_rule_groups | jsonb | | The first set of rules for AWS WAF to process in the web ACL.
region | text | | The AWS Region in which the resource is located.
rules | jsonb | | The Rule statements used to identify the web requests that you want to allow, block, or count.
scope | text | = | Specifies the scope of the Web ACL. Possible values are: 'REGIONAL' and 'CLOUDFRONT'.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
tags | jsonb | | A map of tags for the resource.
tags_src | jsonb | | A list of tags associated with the resource.
title | text | | Title of the resource.
visibility_config | jsonb | | Defines and enables Amazon CloudWatch metrics and web request sample collection.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_wafv2_web_acl