This repository has been archived by the owner on Aug 16, 2022. It is now read-only.

Web ACL (WAF) attachment on ELBv2/ELBv1 #209

Closed
hobietje opened this issue Oct 13, 2021 · 5 comments · Fixed by #226

Comments

@hobietje

We would like to audit whether our ELBv2/ELBv1 have a WAFv2 attached or not. The aws_elbv2_load_balancers and aws_elbv2_load_balancer_attributes tables currently do not include this information. There similarly isn't a table listing all Web ACL attachments.

It appears a separate API call is needed to determine whether a Web ACL is attached:
https://docs.aws.amazon.com/cli/latest/reference/waf-regional/get-web-acl-for-resource.html

Can this please be added?

@yevgenypats yevgenypats added the enhancement New feature or request label Oct 17, 2021
@roneli roneli assigned zagronitay and amanenk and unassigned zagronitay Oct 19, 2021
@amanenk
Contributor

amanenk commented Oct 19, 2021

Hi there.

I have just run a short test.
There is a resources_for_web_acl column in the aws_wafv2_web_acls table that should contain all resource ARNs linked to the Web ACL.

@hobietje
Author

Thanks @fdistorted, I missed that. I can see ALBs but not ELBs, CF Distributions or API Gateways... could be due to those mappings not existing in my AWS environment though. Do you know if those should be included?

@amanenk
Contributor

amanenk commented Oct 26, 2021

As I see from the documentation, list-resources-for-web-acl supports a --resource-type parameter which can be APPLICATION_LOAD_BALANCER or API_GATEWAY.
get-web-acl-for-resource wants --resource-arn in the following formats: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id and arn:aws:apigateway:region::/restapis/api-id/stages/stage-name

Let me try some other resource type to check if it works.

@amanenk
Contributor

amanenk commented Oct 26, 2021

I have tried to associate different resources, but only APPLICATION_LOAD_BALANCER or API_GATEWAY can be mapped to a web_acl. Also, I have noticed an interesting behavior: list-resources-for-web-acl does not list API_GATEWAYs, but get-web-acl-for-resource confirms that the API gateway is linked to the web_acl. It seems that we need to implement a web_acl column in some API gateways and load balancers.

@amanenk
Contributor

amanenk commented Oct 26, 2021

After a short investigation I have found out that aws_apigateway_rest_api_stages already has a web_acl_arn column. I have made a PR to add such a column to aws_elbv2_load_balancers.
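The audit the thread describes, as an added example that is not part of the issue or of the cloudquery provider: it builds the per-resource view from GetWebACLForResource (one call per ALB and API Gateway stage, since those are the only types that can be associated) and then cross-checks it against ListResourcesForWebACL to surface exactly the gap amanenk reported above, where the list call omitted an associated API Gateway stage. All ARNs and associations are constructed sample data, and the FakeWafv2Client is an offline stand-in whose two methods copy the boto3 wafv2 client's keyword signatures and response shapes; it assumes that a GetWebACLForResource response for an unprotected resource simply lacks the WebACL key. With real credentials you would pass boto3.client("wafv2") in its place and feed in elbv2 describe_load_balancers() output.

```python
"""
Audit which WAF-eligible resources (Application Load Balancers and API Gateway
REST API stages) have a WAFv2 Web ACL attached, using the per-resource
GetWebACLForResource lookup from the issue, and cross-check it against
ListResourcesForWebACL.
"""
from typing import Dict, List, Optional

# --- Constructed sample data (not real account data) --------------------------
ACCOUNT, REGION = "111122223333", "us-east-1"
ALB_WEB = f"arn:aws:elasticloadbalancing:{REGION}:{ACCOUNT}:loadbalancer/app/web-alb/50dc6c495c0c9188"
ALB_INT = f"arn:aws:elasticloadbalancing:{REGION}:{ACCOUNT}:loadbalancer/app/internal-alb/0123456789abcdef"
NLB_TCP = f"arn:aws:elasticloadbalancing:{REGION}:{ACCOUNT}:loadbalancer/net/tcp-nlb/fedcba9876543210"
APIGW_STAGE = f"arn:aws:apigateway:{REGION}::/restapis/a1b2c3d4e5/stages/prod"
PROD_ACL = f"arn:aws:wafv2:{REGION}:{ACCOUNT}:regional/webacl/prod-acl/11111111-2222-3333-4444-555555555555"

# Shape of elbv2 DescribeLoadBalancers output, trimmed to the two fields used here.
SAMPLE_LOAD_BALANCERS = [
    {"LoadBalancerArn": ALB_WEB, "Type": "application"},
    {"LoadBalancerArn": ALB_INT, "Type": "application"},
    {"LoadBalancerArn": NLB_TCP, "Type": "network"},
]
SAMPLE_API_STAGES = [APIGW_STAGE]
# Which resources the fake account has associated with which Web ACL.
SAMPLE_ASSOCIATIONS = {ALB_WEB: PROD_ACL, APIGW_STAGE: PROD_ACL}


class FakeWafv2Client:
    """Offline stand-in for boto3's wafv2 client (hypothetical; not a real AWS client).
    Exposes the two calls the audit needs with boto3's keyword signatures and shapes."""

    def __init__(self, associations: Dict[str, str]):
        self._assoc = associations

    def get_web_acl_for_resource(self, ResourceArn: str) -> dict:
        acl = self._assoc.get(ResourceArn)
        if acl is None:
            return {}  # assumption: no "WebACL" key in the response when nothing is attached
        return {"WebACL": {"ARN": acl, "Name": acl.split("/")[-2]}}

    def list_resources_for_web_acl(self, WebACLArn: str,
                                   ResourceType: str = "APPLICATION_LOAD_BALANCER") -> dict:
        # Models the behaviour reported in the thread: the list call returned the
        # associated load balancers but not the associated API Gateway stage.
        arns = [r for r, a in self._assoc.items() if a == WebACLArn and ":loadbalancer/" in r]
        return {"ResourceArns": arns}


def waf_eligible_load_balancer_arns(load_balancers: List[dict]) -> List[str]:
    """Only ALBs (".../loadbalancer/app/...") can carry a Web ACL; NLBs and classic ELBs cannot."""
    return [lb["LoadBalancerArn"] for lb in load_balancers
            if lb.get("Type") == "application" and ":loadbalancer/app/" in lb["LoadBalancerArn"]]


def web_acl_for_resource(wafv2, resource_arn: str) -> Optional[str]:
    """Return the attached Web ACL ARN, or None when the resource is unprotected."""
    acl = wafv2.get_web_acl_for_resource(ResourceArn=resource_arn).get("WebACL")
    return acl["ARN"] if acl else None


def audit_web_acl_attachments(wafv2, resource_arns: List[str]) -> Dict[str, Optional[str]]:
    """One GetWebACLForResource call per resource: the authoritative per-resource view."""
    return {arn: web_acl_for_resource(wafv2, arn) for arn in resource_arns}


def unprotected(report: Dict[str, Optional[str]]) -> List[str]:
    """Resources with no Web ACL attached; the finding the issue asks to be able to produce."""
    return sorted(arn for arn, acl in report.items() if acl is None)


def missing_from_listing(wafv2, report: Dict[str, Optional[str]], web_acl_arn: str) -> List[str]:
    """Resources that GetWebACLForResource ties to web_acl_arn but ListResourcesForWebACL
    does not return. A non-empty result means an inventory built from the list call
    alone (the resources_for_web_acl column approach) would under-report coverage."""
    listed = set(wafv2.list_resources_for_web_acl(WebACLArn=web_acl_arn)["ResourceArns"])
    return sorted(arn for arn, acl in report.items() if acl == web_acl_arn and arn not in listed)


def run_sample_audit() -> dict:
    """Run the whole audit over the constructed sample account and return the findings."""
    wafv2 = FakeWafv2Client(SAMPLE_ASSOCIATIONS)
    targets = waf_eligible_load_balancer_arns(SAMPLE_LOAD_BALANCERS) + SAMPLE_API_STAGES
    report = audit_web_acl_attachments(wafv2, targets)
    return {
        "report": report,
        "unprotected": unprotected(report),
        "missing_from_listing": missing_from_listing(wafv2, report, PROD_ACL),
    }


if __name__ == "__main__":
    for key, value in run_sample_audit().items():
        print(f"{key}: {value}")
```

On the sample data the audit reports internal-alb as unprotected, skips the NLB entirely because it cannot be associated, and flags the API Gateway stage as attached to prod-acl yet absent from the list call, which is why a per-resource column (web_acl_arn on the stage and load balancer tables, as the PR above adds) is the more reliable thing to audit against.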
