AWS ALB has a WAF that is set to fail open

firetail:aws-alb-waf-fail-open

Type: CSPM

Rule Severity: Info

The AWS Application Load Balancer (ALB) is configured with a Web Application Firewall (WAF) set to "fail open".

In this configuration, if the WAF becomes unavailable (e.g., due to a service disruption or misconfiguration), incoming traffic bypasses the WAF entirely. This can result in the application receiving unfiltered traffic, which could expose it to malicious requests or vulnerabilities.

Remediation

Review your organization's security policies to determine whether a "fail open" configuration aligns with your risk tolerance. If it does not, reconfigure the ALB so that the WAF does not fail open, so that requests are rejected rather than forwarded unfiltered while the WAF is unavailable.

Example Attack Scenario

An attacker takes advantage of a WAF service disruption, knowing that if the WAF fails, traffic is allowed to pass through without filtering. The attacker sends malicious requests, such as SQL injection payloads, to the ALB. With the WAF set to "fail open," the malicious requests bypass the protection layer, potentially compromising the application.
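The check and the fix in code, as an added example that is not FireTail's own implementation: it reads the ALB attribute waf.fail_open.enabled through boto3 and sets it back to the AWS default. The region, load balancer names and sample attribute lists are constructed, the live functions assume AWS credentials are available, and the decision logic is kept pure so it runs offline.

```python
from typing import Dict, List

# ALB attribute controlling the behaviour. AWS default is "false" (fail closed):
# if WAF cannot be reached the ALB returns an error instead of forwarding unfiltered.
FAIL_OPEN_KEY = "waf.fail_open.enabled"
RULE_ID = "firetail:aws-alb-waf-fail-open"

def waf_fails_open(attributes: List[Dict[str, str]]) -> bool:
    """True if an attribute list (shape of describe_load_balancer_attributes()
    ["Attributes"]) enables fail open; a missing key means the AWS default."""
    for attr in attributes:
        if attr.get("Key") == FAIL_OPEN_KEY:
            return attr.get("Value", "false").strip().lower() == "true"
    return False

def evaluate(lb_name: str, attributes: List[Dict[str, str]]) -> Dict[str, str]:
    """Build a finding record for one load balancer."""
    status = "FAIL" if waf_fails_open(attributes) else "PASS"
    return {"load_balancer": lb_name, "rule": RULE_ID, "status": status,
            "severity": "Info"}

def scan_region(region: str) -> List[Dict[str, str]]:
    """Live check: evaluate every ALB in a region (needs boto3 and credentials)."""
    import boto3  # imported lazily so the pure functions above run without it
    elbv2 = boto3.client("elbv2", region_name=region)
    findings = []
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            if lb.get("Type") != "application":
                continue  # only ALBs carry the WAF fail-open attribute
            attrs = elbv2.describe_load_balancer_attributes(
                LoadBalancerArn=lb["LoadBalancerArn"])["Attributes"]
            findings.append(evaluate(lb["LoadBalancerName"], attrs))
    return findings

def remediate(lb_arn: str, region: str) -> None:
    """Set the ALB back to fail closed (the AWS default)."""
    import boto3
    boto3.client("elbv2", region_name=region).modify_load_balancer_attributes(
        LoadBalancerArn=lb_arn,
        Attributes=[{"Key": FAIL_OPEN_KEY, "Value": "false"}])

# Constructed sample attribute lists, in the shape the API returns them.
SAMPLE_FAIL_OPEN = [{"Key": "deletion_protection.enabled", "Value": "false"},
                    {"Key": FAIL_OPEN_KEY, "Value": "true"}]
SAMPLE_DEFAULT = [{"Key": "deletion_protection.enabled", "Value": "true"}]
```

Run scan_region("us-east-1") to list findings, then pass a failing ALB's ARN to remediate().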
