AWS ALB is missing WAF

Updated: June 19, 2025

Description

Severity: Info

The Application Load Balancer (ALB) is not associated with an AWS Web Application Firewall (WAF) Web Access Control List (ACL).

Without a WAF, the Application Load Balancer (ALB) lacks an essential layer of defense against common web exploits, such as SQL injection and cross-site scripting (XSS). This omission exposes the application to potential threats that could compromise sensitive data, disrupt operations, or enable unauthorized access.

Example Attack

An attacker sends malicious SQL queries or XSS payloads targeting a vulnerable application behind an ALB. Without a WAF, these exploits bypass any filtering and reach the application, allowing the attacker to access sensitive data, manipulate content, or escalate their attack. If a WAF with rules for SQLi and XSS prevention were in place, such requests would be detected and blocked before reaching the application.

Remediation

Associate the Application Load Balancer with an AWS WAF Web ACL to protect the application from malicious traffic.
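A detection check for this finding, written as an added example (not the page's or the scanner's own code): it walks the account's load balancers with boto3-style clients and reports every ALB whose `wafv2` `get_web_acl_for_resource` response carries no Web ACL. The `FakeElbv2`/`FakeWafv2` classes and the ARNs are constructed so the check runs offline; in practice pass `boto3.client("elbv2")` and `boto3.client("wafv2")` instead.

```python
from typing import List

def find_albs_without_waf(elbv2, wafv2) -> List[str]:
    """Return ARNs of Application Load Balancers with no WAFv2 Web ACL.

    Only 'application' type load balancers are checked: network and
    gateway load balancers cannot be associated with a Web ACL, so they
    are not findings. Follows the NextMarker pagination of elbv2.
    Assumption: WAFv2 only; a WAF Classic association is not visible here.
    """
    missing = []
    marker = None
    while True:
        page = elbv2.describe_load_balancers(**({"Marker": marker} if marker else {}))
        for lb in page.get("LoadBalancers", []):
            if lb.get("Type") != "application":
                continue
            arn = lb["LoadBalancerArn"]
            # When no Web ACL is associated, the response carries no 'WebACL' key.
            if not wafv2.get_web_acl_for_resource(ResourceArn=arn).get("WebACL"):
                missing.append(arn)
        marker = page.get("NextMarker")
        if not marker:
            return missing

# Constructed sample inventory (not real AWS resources): two ALBs and one NLB.
_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/"
SAMPLE_LBS = [
    {"LoadBalancerArn": _PREFIX + "app/web-prod/abc123", "Type": "application"},
    {"LoadBalancerArn": _PREFIX + "app/api-prod/def456", "Type": "application"},
    {"LoadBalancerArn": _PREFIX + "net/ingest/ghi789", "Type": "network"},
]
# Only web-prod has a Web ACL attached in this constructed sample.
SAMPLE_ASSOCIATIONS = {SAMPLE_LBS[0]["LoadBalancerArn"]: {"Name": "prod-web-acl"}}

class FakeElbv2:
    """Offline stand-in for boto3.client('elbv2'); returns a single page."""
    def describe_load_balancers(self, **kwargs):
        return {"LoadBalancers": SAMPLE_LBS}

class FakeWafv2:
    """Offline stand-in for boto3.client('wafv2')."""
    def get_web_acl_for_resource(self, ResourceArn):
        acl = SAMPLE_ASSOCIATIONS.get(ResourceArn)
        return {"WebACL": acl} if acl else {}

if __name__ == "__main__":
    for arn in find_albs_without_waf(FakeElbv2(), FakeWafv2()):
        print("ALB missing WAF:", arn)
```

On the constructed inventory the check reports only `api-prod`: `web-prod` has a Web ACL and the network load balancer is skipped because it cannot carry one.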

Security Frameworks

Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].