
AWS WAF Classic Regional Rule Group Not Empty

Overview

This check verifies that AWS WAF Classic Regional rule groups contain at least one rule. An empty rule group provides no filtering capability and serves no security purpose within your web ACL configuration.

Note: AWS WAF Classic is a legacy service. AWS recommends migrating to AWS WAF (WAFV2) for new deployments. However, if you still use WAF Classic, this check ensures your rule groups are properly configured.

Risk

Empty rule groups create a false sense of security. When a rule group contains no rules:

  • No traffic filtering occurs - Requests pass through without inspection
  • Security gaps emerge - Applications remain exposed to SQL injection, cross-site scripting, and other attacks
  • Compliance violations - Auditors may flag empty security controls as configuration weaknesses
  • Wasted resources - Empty rule groups add complexity without providing protection

Severity: Medium

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to modify WAF Classic resources
  • An existing rule to add to the rule group (or you will create one)

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "waf-regional:GetRuleGroup",
        "waf-regional:UpdateRuleGroup",
        "waf-regional:GetChangeToken",
        "waf-regional:ListRules",
        "waf-regional:GetRule",
        "waf-regional:CreateRule",
        "waf-regional:UpdateRule"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Open the AWS WAF Console

  2. In the navigation pane, switch to AWS WAF Classic (look for "Switch to AWS WAF Classic" link)

  3. Select the correct Region (e.g., US East (N. Virginia) for us-east-1)

  4. Click Rule groups in the left navigation

  5. Select the empty rule group identified by Prowler

  6. Click Edit

  7. Under Rules, click Add rule

  8. Select an existing rule from the dropdown, or create a new rule first:

    • To create a rule, go to Rules in the left navigation
    • Click Create rule
    • Define your match conditions (IP addresses, strings, regex patterns, etc.)
    • Save the rule, then return to your rule group

  9. Set the Priority (lower numbers = higher priority, evaluated first)

  10. Choose the Action:

    • Block - Reject matching requests
    • Allow - Permit matching requests
    • Count - Only count matches (useful for testing)

  11. Click Update to save your changes

AWS CLI (optional)

Step 1: List your rule groups to find the empty one

aws waf-regional list-rule-groups \
--region us-east-1

Step 2: List available rules you can add

aws waf-regional list-rules \
--region us-east-1

Note the RuleId of a rule you want to add.

Step 3: Get a change token

WAF Classic requires a change token for all modifications:

aws waf-regional get-change-token \
--region us-east-1

Save the ChangeToken value from the output.

Step 4: Add the rule to the rule group

aws waf-regional update-rule-group \
  --region us-east-1 \
  --rule-group-id <your-rule-group-id> \
  --change-token <your-change-token> \
  --updates '[
    {
      "Action": "INSERT",
      "ActivatedRule": {
        "Priority": 1,
        "RuleId": "<your-rule-id>",
        "Action": {
          "Type": "BLOCK"
        },
        "Type": "REGULAR"
      }
    }
  ]'

Replace:

  • <your-rule-group-id> with your rule group ID
  • <your-change-token> with the token from Step 3
  • <your-rule-id> with the rule ID from Step 2

Action types:

  • BLOCK - Block matching requests
  • ALLOW - Allow matching requests
  • COUNT - Count only (for testing)

CloudFormation (optional)

Important: AWS CloudFormation support for WAF Classic Regional resources is deprecated. The AWS::WAFRegional::RuleGroup resource type may not be available in all regions. Consider migrating to WAFV2, which has full CloudFormation support.

If you must use CloudFormation with WAF Classic, here is the template structure:

AWSTemplateFormatVersion: '2010-09-09'
Description: WAF Classic Regional Rule Group with Rules

Parameters:
  RuleGroupName:
    Type: String
    Default: MyRuleGroup
    Description: Name for the WAF rule group

Resources:
  # First, create a rule with a condition
  SampleIPSet:
    Type: AWS::WAFRegional::IPSet
    Properties:
      Name: BlockedIPSet
      IPSetDescriptors:
        - Type: IPV4
          Value: 192.0.2.0/24 # Example IP range - replace with actual IPs to block

  SampleRule:
    Type: AWS::WAFRegional::Rule
    Properties:
      Name: BlockBadIPsRule
      MetricName: BlockBadIPsRule
      Predicates:
        - DataId: !Ref SampleIPSet
          Negated: false
          Type: IPMatch

  # Now create the rule group with the rule
  RuleGroup:
    Type: AWS::WAFRegional::RuleGroup
    Properties:
      Name: !Ref RuleGroupName
      MetricName: !Sub ${RuleGroupName}Metric
      ActivatedRules:
        - Priority: 1
          RuleId: !Ref SampleRule
          Action:
            Type: BLOCK

Outputs:
  RuleGroupId:
    Description: The ID of the WAF Rule Group
    Value: !Ref RuleGroup

Deploy with:

aws cloudformation deploy \
  --template-file waf-rule-group.yaml \
  --stack-name waf-classic-rule-group \
  --region us-east-1

Terraform (optional)

Note: The aws_wafregional_* resources are for WAF Classic. For new deployments, use aws_wafv2_* resources instead.

# WAF Classic Regional Rule Group with Rules

# Create an IP set for blocking
resource "aws_wafregional_ipset" "blocked_ips" {
  name = "blocked-ip-set"

  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.2.0/24" # Example - replace with actual IPs to block
  }
}

# Create a rule using the IP set
resource "aws_wafregional_rule" "block_bad_ips" {
  name        = "BlockBadIPsRule"
  metric_name = "BlockBadIPsRule"

  predicate {
    data_id = aws_wafregional_ipset.blocked_ips.id
    negated = false
    type    = "IPMatch"
  }
}

# Create the rule group with the rule
resource "aws_wafregional_rule_group" "example" {
  name        = "example-rule-group"
  metric_name = "exampleRuleGroup"

  activated_rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = aws_wafregional_rule.block_bad_ips.id
    type     = "REGULAR"
  }
}

# Output the rule group ID
output "rule_group_id" {
  description = "The ID of the WAF rule group"
  value       = aws_wafregional_rule_group.example.id
}

Apply with:

terraform init
terraform plan
terraform apply

Verification

After adding rules to your rule group, verify the fix:

  1. In the AWS WAF Classic console, navigate to Rule groups
  2. Select your rule group
  3. Confirm that at least one rule appears in the Rules section
  4. Check that the rule has a valid Action (Block, Allow, or Count)

CLI verification

aws waf-regional get-rule-group \
  --region us-east-1 \
  --rule-group-id <your-rule-group-id>

The ActivatedRules array should contain at least one entry:

{
  "RuleGroup": {
    "RuleGroupId": "abc123...",
    "Name": "MyRuleGroup",
    "MetricName": "MyRuleGroupMetric"
  },
  "ActivatedRules": [
    {
      "Priority": 1,
      "RuleId": "xyz789...",
      "Action": {
        "Type": "BLOCK"
      },
      "Type": "REGULAR"
    }
  ]
}
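The CLI remediation above (Steps 1 to 4) and this verification step come down to two pieces of logic: deciding whether a rule group's ActivatedRules list is empty or holds a rule without a valid Action, and building the INSERT entry that update-rule-group takes in --updates. The Python below is an added example, not Prowler's code and not part of this page. It runs offline against constructed sample responses; the optional collect_from_aws helper fetches real inputs with the boto3 waf-regional calls list_rule_groups and list_activated_rules_in_rule_group, which are assumed to be available in your environment.

```python
"""Audit WAF Classic Regional rule groups for the empty-group finding and
build the UpdateRuleGroup payload that remediates it (added example)."""
from __future__ import annotations

import json
from typing import Any

# Values WAF Classic accepts in ActivatedRule.Action.Type and ActivatedRule.Type
VALID_ACTIONS = frozenset({"BLOCK", "ALLOW", "COUNT"})
RULE_GROUP_RULE_TYPE = "REGULAR"  # rate-based rules cannot be placed in a rule group
MAX_RULES_PER_GROUP = 10          # service limit noted on this page


def build_insert_update(rule_id: str, priority: int, action: str = "COUNT") -> dict[str, Any]:
    """Return one element of the --updates list for update-rule-group.

    Defaults to COUNT so a newly added rule is observed before it blocks.
    """
    action = action.upper()
    if action not in VALID_ACTIONS:
        raise ValueError(f"unsupported action {action!r}; expected one of {sorted(VALID_ACTIONS)}")
    if not isinstance(priority, int) or priority < 1:
        raise ValueError("priority must be a positive integer (lower = evaluated first)")
    return {
        "Action": "INSERT",
        "ActivatedRule": {
            "Priority": priority,
            "RuleId": rule_id,
            "Action": {"Type": action},
            "Type": RULE_GROUP_RULE_TYPE,
        },
    }


def updates_json(updates: list[dict[str, Any]]) -> str:
    """Serialise the updates exactly as they are passed to --updates."""
    return json.dumps(updates)


def audit_rule_group(rule_group: dict[str, Any], activated_rules: list[dict[str, Any]]) -> dict[str, Any]:
    """FAIL when the group is empty or a rule lacks a valid action.

    activated_rules is the ActivatedRules list ListActivatedRulesInRuleGroup returns.
    """
    problems: list[str] = []
    if not activated_rules:
        problems.append("rule group contains no rules")
    if len(activated_rules) > MAX_RULES_PER_GROUP:
        problems.append(f"{len(activated_rules)} rules exceeds the limit of {MAX_RULES_PER_GROUP}")
    for rule in activated_rules:
        rule_id = rule.get("RuleId", "<unknown>")
        action_type = rule.get("Action", {}).get("Type")
        if action_type not in VALID_ACTIONS:
            problems.append(f"rule {rule_id} has no valid action (got {action_type!r})")
        if rule.get("Type", RULE_GROUP_RULE_TYPE) != RULE_GROUP_RULE_TYPE:
            problems.append(f"rule {rule_id} is not a REGULAR rule")
    # A group whose rules all COUNT passes the check but blocks nothing yet.
    count_only = bool(activated_rules) and all(
        r.get("Action", {}).get("Type") == "COUNT" for r in activated_rules
    )
    return {
        "RuleGroupId": rule_group["RuleGroupId"],
        "Name": rule_group.get("Name", ""),
        "Status": "FAIL" if problems else "PASS",
        "RuleCount": len(activated_rules),
        "CountOnly": count_only,
        "Problems": problems,
    }


def find_empty_rule_groups(rule_groups: list[dict[str, Any]], rules_by_group: dict[str, list]) -> list[str]:
    """IDs of rule groups with no activated rules: the set this check reports as FAIL."""
    return [rg["RuleGroupId"] for rg in rule_groups if not rules_by_group.get(rg["RuleGroupId"])]


def collect_from_aws(region: str) -> tuple[list, dict]:
    """Fetch live inputs with boto3 (assumed installed; not used by the offline sample)."""
    import boto3  # imported here so the rest of the module runs without it

    client = boto3.client("waf-regional", region_name=region)
    groups, marker = [], None
    while True:  # list_rule_groups pages with NextMarker
        page = client.list_rule_groups(**({"NextMarker": marker} if marker else {}))
        groups.extend(page.get("RuleGroups", []))
        marker = page.get("NextMarker")
        if not marker:
            break
    rules = {
        g["RuleGroupId"]: client.list_activated_rules_in_rule_group(
            RuleGroupId=g["RuleGroupId"]).get("ActivatedRules", [])
        for g in groups
    }
    return groups, rules


# Constructed sample data standing in for the two API responses.
SAMPLE_RULE_GROUPS = [
    {"RuleGroupId": "rg-empty-0001", "Name": "UnusedGroup"},
    {"RuleGroupId": "rg-ok-0002", "Name": "MyRuleGroup"},
]
SAMPLE_ACTIVATED_RULES = {
    "rg-empty-0001": [],
    "rg-ok-0002": [{"Priority": 1, "RuleId": "rule-xyz789", "Action": {"Type": "BLOCK"}, "Type": "REGULAR"}],
}

if __name__ == "__main__":
    for rg in SAMPLE_RULE_GROUPS:
        print(audit_rule_group(rg, SAMPLE_ACTIVATED_RULES[rg["RuleGroupId"]]))
    # The string to paste after --updates when remediating the empty group:
    print(updates_json([build_insert_update("rule-xyz789", 1, "count")]))
```

Run it against a live account by replacing the sample data with `collect_from_aws("us-east-1")`; a fresh change token is still required for the update-rule-group call itself, as in Step 3.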

Additional Resources

Notes

  • Migration recommended: AWS WAF Classic is a legacy service. AWS recommends migrating to AWS WAF (WAFV2), which offers improved features, simpler rule management, and better integration with AWS Firewall Manager.

  • Rule types: You can only add REGULAR rules to a rule group. Rate-based rules must be added directly to web ACLs.

  • Maximum rules: A rule group can contain up to 10 rules. Plan your rule organization accordingly.

  • Change tokens: Every modification to WAF Classic resources requires a fresh change token. Tokens expire after use or timeout.

  • Consider removing empty groups: If a rule group is no longer needed, consider deleting it rather than leaving it empty. Empty rule groups add complexity without security value.

  • Test before blocking: Use the COUNT action to test rules before switching to BLOCK. This helps avoid accidentally blocking legitimate traffic.