AWS Security Hub · WAF
WAF.8: WAF Classic global web ACLs should have a rule
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub WAF.8 check?
WAF.8 checks AWS WAF Classic global web ACLs (`AWS::WAF::WebACL`, the CloudFront-scoped kind at the global `waf` endpoint in us-east-1). It reports FAILED when the web ACL's rule list is empty. It is the global equivalent of WAF.4, which checks Regional web ACLs.
Why does WAF.8 matter?
With an empty rule list WAF has nothing to evaluate, so every request falls through to the default action. That is usually `ALLOW`, meaning 100% of traffic reaches your CloudFront origin uninspected: you're paying for a WAF that shows up in architecture diagrams and does nothing, and a web ACL named `prod-edge-waf` with zero rules reads as protection to anyone glancing at the console or an audit report. If the default action is `BLOCK` instead, an empty ACL blocks every request; that gets noticed faster, but it is still not a configuration anyone intended.
How do I fix WAF.8?
- Confirm the global web ACL is genuinely empty: call the `aws waf` API against us-east-1 (`list-web-acls`, then `get-web-acl` for each ID). The global Classic endpoint only answers in that region, and `aws waf-regional` will not show it.
- Decide whether to populate or retire it. An ACL that is not associated with any CloudFront distribution is better deleted than given a token rule to silence the finding.
- Add at least one meaningful rule. Start in COUNT on production so you can review sampled requests and metrics before switching to BLOCK; in WAF Classic the rule must itself carry a condition, or you trade a WAF.8 finding for a WAF.6 one.
- Prevent empty controls from shipping again: codify the baseline in your IaC and, ideally, migrate to a WAFv2 web ACL in `CLOUDFRONT` scope with a managed rule group attached (WAF.10 is the WAFv2 counterpart of this control).
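The check and the "confirm it is empty" step above, as an added example (not AWS's code and not the Security Hub evaluator itself): it applies the WAF.8 rule, empty `Rules` means FAILED, to `get-web-acl`-shaped responses, flags the dangerous empty-plus-`ALLOW` combination, and builds the `Updates` entry that WAF Classic `UpdateWebACL` needs to insert an existing rule in COUNT mode. The sample responses, names and IDs are constructed; `audit_live` talks to the real global `waf` endpoint via boto3 and needs credentials.

```python
"""Audit AWS WAF Classic global web ACLs against Security Hub control WAF.8.

Added example for this page, not AWS's own tooling. Sample data is constructed.
"""
import json
from typing import Iterable

# Constructed responses shaped like `aws waf get-web-acl` output (global scope).
SAMPLE_WEB_ACLS = [
    {
        "WebACL": {
            "WebACLId": "00000000-0000-0000-0000-000000000001",
            "Name": "prod-edge-waf",
            "DefaultAction": {"Type": "ALLOW"},
            "Rules": [],  # nothing to evaluate: WAF.8 FAILED
        }
    },
    {
        "WebACL": {
            "WebACLId": "00000000-0000-0000-0000-000000000002",
            "Name": "staging-edge-waf",
            "DefaultAction": {"Type": "ALLOW"},
            "Rules": [
                {
                    "Priority": 1,
                    "RuleId": "11111111-1111-1111-1111-111111111111",
                    "Action": {"Type": "COUNT"},
                    "Type": "REGULAR",
                }
            ],
        }
    },
]


def evaluate_waf8(web_acl: dict) -> dict:
    """Return a finding for one web ACL, mirroring WAF.8: empty rule list -> FAILED."""
    acl = web_acl.get("WebACL", web_acl)
    rules = acl.get("Rules") or []
    status = "PASSED" if rules else "FAILED"
    default_action = acl.get("DefaultAction", {}).get("Type", "UNKNOWN")
    return {
        "WebACLId": acl["WebACLId"],
        "Name": acl.get("Name", ""),
        "RuleCount": len(rules),
        "DefaultAction": default_action,
        "Status": status,
        # Empty ACL with default ALLOW: every request reaches the origin uninspected.
        "OpenPassThrough": status == "FAILED" and default_action == "ALLOW",
    }


def audit(web_acls: Iterable[dict]) -> list:
    """Evaluate a collection of get-web-acl responses."""
    return [evaluate_waf8(w) for w in web_acls]


def build_count_rule_update(rule_id: str, priority: int = 1) -> dict:
    """One entry for the `Updates` list of WAF Classic UpdateWebACL that inserts
    an already-existing rule in COUNT mode (COUNT first, as the steps advise).
    The call also needs a fresh token from GetChangeToken."""
    return {
        "Action": "INSERT",
        "ActivatedRule": {
            "Priority": priority,
            "RuleId": rule_id,
            "Action": {"Type": "COUNT"},
            "Type": "REGULAR",
        },
    }


def audit_live(region_name: str = "us-east-1") -> list:
    """Query the real global WAF Classic endpoint (boto3 + credentials required)."""
    import boto3  # lazy import so the offline part of the module runs without it

    waf = boto3.client("waf", region_name=region_name)
    acls, marker = [], None
    while True:
        kwargs = {"Limit": 100}
        if marker:
            kwargs["NextMarker"] = marker
        page = waf.list_web_acls(**kwargs)
        for summary in page.get("WebACLs", []):
            acls.append(waf.get_web_acl(WebACLId=summary["WebACLId"]))
        marker = page.get("NextMarker")
        if not marker:
            break
    return audit(acls)


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_ACLS):
        print(json.dumps(finding))
```

Run it as-is to see the two constructed findings; call `audit_live()` from an environment with `boto3` and read access to WAF Classic to audit a real account. Note that `boto3.client("waf")` is the global (CloudFront) Classic service; `waf-regional` is a different client and is what WAF.4 covers.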
Remediation script · bash
# Attach the AWS Managed Rules common baseline to an empty WAFv2 web ACL, in Count mode.
# A CloudFront (global) web ACL uses --scope CLOUDFRONT and must be addressed in us-east-1;
# a regional ACL (ALB, API Gateway) uses --scope REGIONAL in its own region.
# update-web-acl REPLACES the entire Rules array, so supply the full desired set and the
# current LockToken from get-web-acl.
aws wafv2 update-web-acl --region us-east-1 \
--scope CLOUDFRONT --name prod-edge-waf --id a1b2c3d4-0000-1111-2222-3333 \
--lock-token e4f5g6h7 --default-action Allow={} \
--visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=prod-edge-waf \
--rules '[{"Name":"AWS-CommonRuleSet","Priority":0,"Statement":{"ManagedRuleGroupStatement":{"VendorName":"AWS","Name":"AWSManagedRulesCommonRuleSet"}},"OverrideAction":{"Count":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"AWS-CommonRuleSet"}}]'
# Associate a baseline regional web ACL with an unprotected API Gateway stage (the resource ARN is the stage, not the API).
aws wafv2 associate-web-acl \
--web-acl-arn arn:aws:wafv2:us-east-1:111122223333:regional/webacl/prod-api-baseline/1a2b3c4d \
--resource-arn arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5/stages/prod
# Protect a Network Firewall from accidental deletion (boolean flag; --no-delete-protection clears it).
aws network-firewall update-firewall-delete-protection \
--firewall-name prod-egress-inspection --delete-protection
Full walkthrough (console steps, edge cases and verification) in the lesson Protect APIs and edge with WAF.
More WAF controls
- WAF.1 WAF Classic global web ACL logging
- WAF.2 WAF Classic regional rules should have a condition
- WAF.3 WAF Classic regional rule groups should have a rule
- WAF.4 WAF Classic regional web ACLs should have a rule
- WAF.6 WAF Classic global rules should have a condition
- WAF.7 WAF Classic global rule groups should have a rule
- WAF.10 WAFv2 web ACLs should have a rule or rule group
- WAF.11 WAFv2 web ACL logging should be enabled