Write Your First Control

Objective

Verify that Azure Application Gateways have the Web Application Firewall (WAF) enabled to protect against common vulnerabilities and enforce access restrictions.

Step-by-Step Guide

Step 1: Determine what attributes are required

First, confirm that the Application Gateway resource type has been discovered and that its attributes are available. The schema shows that the table is azure_application_gateway and that its column web_application_firewall_configuration holds the WAF configuration details we need.

From experience with Azure, the key identifiers to report are: Subscription Name, ID, Region, and WAF status.

Step 2: Build the Query

a. Retrieve all Azure Application Gateways to evaluate their WAF status.

SELECT 
  ag.id AS resource, 
  ag.platform_account_id, 
  ag.platform_resource_id, 
  ag.resource_group,
  ag.web_application_firewall_configuration,
  sub.display_name AS subscription 
FROM azure_application_gateway ag 
JOIN azure_subscription sub ON sub.subscription_id = ag.subscription_id;

b. Identify conditions of compliance and non-compliance

Find gateways with WAF enabled.

SELECT 
  ag.id AS resource 
FROM azure_application_gateway ag 
WHERE ag.web_application_firewall_configuration IS NOT NULL;

Find gateways without WAF enabled.

SELECT 
  ag.id AS resource 
FROM azure_application_gateway ag 
WHERE ag.web_application_firewall_configuration IS NULL;

c. Compile Compliance Status

Generate a report indicating compliance status and reasons.

SELECT
      ag.id AS resource,
      ag.platform_account_id AS platform_account_id,
      ag.platform_resource_id AS platform_resource_id,
      CASE
        WHEN web_application_firewall_configuration IS NOT NULL THEN 'ok'
        ELSE 'alarm'
      END AS status,
      CASE
        WHEN web_application_firewall_configuration IS NOT NULL THEN ag.name || ' WAF enabled.'
        ELSE ag.name || ' WAF disabled.'
      END AS reason,
      ag.resource_group AS resource_group,
      sub.display_name AS subscription
    FROM
      azure_application_gateway AS ag
    JOIN
      azure_subscription AS sub
    ON
      sub.subscription_id = ag.subscription_id;
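To see what the report query above actually produces, and to check the logic before it goes into a control, the following added example (not part of this guide and not CloudQL code) replays the same ok/alarm decision over constructed sample rows shaped like the columns the query selects. It also contrasts the guide's presence check (configuration IS NOT NULL) with a stricter rule that inspects the configuration's own enabled flag, because a gateway can retain a WAF configuration block while the firewall is switched off. The key names inside the configuration (enabled, firewallMode, ruleSetType, ruleSetVersion) follow the Azure ARM webApplicationFirewallConfiguration object and are an assumption here; the guide does not specify the JSON layout of that column.

```python
import json

# Constructed sample data: two subscriptions standing in for azure_subscription rows.
SUB_PROD = "00000000-0000-0000-0000-000000000001"
SUB_TEST = "00000000-0000-0000-0000-000000000002"
SAMPLE_SUBSCRIPTIONS = {SUB_PROD: "Production", SUB_TEST: "Sandbox"}


def _gateway(name, sub_id, resource_group, waf):
    """Build one constructed row shaped like azure_application_gateway."""
    rid = (f"/subscriptions/{sub_id}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.Network/applicationGateways/{name}")
    return {
        "id": rid,
        "name": name,
        "platform_account_id": sub_id,
        "platform_resource_id": rid,
        "resource_group": resource_group,
        "subscription_id": sub_id,
        # Kept as a JSON string here; in the real table this is a JSON column.
        # Key layout (enabled/firewallMode/...) is assumed, not taken from the guide.
        "web_application_firewall_configuration": None if waf is None else json.dumps(waf),
    }


SAMPLE_GATEWAYS = [
    _gateway("appgw-public", SUB_PROD, "rg-web",
             {"enabled": True, "firewallMode": "Prevention", "ruleSetType": "OWASP", "ruleSetVersion": "3.2"}),
    _gateway("appgw-legacy", SUB_PROD, "rg-legacy", None),           # no WAF block at all
    _gateway("appgw-paused", SUB_TEST, "rg-test",
             {"enabled": False, "firewallMode": "Prevention", "ruleSetType": "OWASP", "ruleSetVersion": "3.2"}),
    _gateway("appgw-audit", SUB_TEST, "rg-test",
             {"enabled": True, "firewallMode": "Detection", "ruleSetType": "OWASP", "ruleSetVersion": "3.2"}),
]


def evaluate_presence(row):
    """The guide's rule: any non-NULL configuration counts as WAF enabled."""
    if row["web_application_firewall_configuration"] is not None:
        return "ok", f"{row['name']} WAF enabled."
    return "alarm", f"{row['name']} WAF disabled."


def evaluate_enabled(row):
    """Stricter rule: the configuration must exist AND carry enabled == true.
    Presence alone yields a false 'ok' for a gateway whose WAF was switched off
    but whose configuration block was left in place."""
    raw = row["web_application_firewall_configuration"]
    if raw is None:
        return "alarm", f"{row['name']} WAF disabled."
    cfg = json.loads(raw)
    if cfg.get("enabled") is not True:
        return "alarm", f"{row['name']} WAF configured but not enabled."
    mode = cfg.get("firewallMode", "unknown")
    return "ok", f"{row['name']} WAF enabled ({mode} mode)."


def compliance_report(gateways, subscriptions, evaluator):
    """Mirror the report query: one row per gateway, inner-joined to the
    subscription display name, with status and reason from the evaluator."""
    report = []
    for gw in gateways:
        if gw["subscription_id"] not in subscriptions:
            continue  # inner JOIN semantics: unmatched gateways are dropped
        status, reason = evaluator(gw)
        report.append({
            "resource": gw["id"],
            "platform_account_id": gw["platform_account_id"],
            "platform_resource_id": gw["platform_resource_id"],
            "status": status,
            "reason": reason,
            "resource_group": gw["resource_group"],
            "subscription": subscriptions[gw["subscription_id"]],
        })
    return report


def status_counts(report):
    """Tally statuses so the two rules can be compared at a glance."""
    counts = {}
    for row in report:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for label, evaluator in (("presence rule", evaluate_presence), ("enabled rule", evaluate_enabled)):
        report = compliance_report(SAMPLE_GATEWAYS, SAMPLE_SUBSCRIPTIONS, evaluator)
        print(f"--- {label}: {status_counts(report)} ---")
        for r in report:
            print(f"{r['status']:5} {r['subscription']:10} {r['reason']}")
```

Running it shows appgw-paused reported as ok under the presence rule and as alarm under the enabled rule; if the column in your deployment exposes the enabled flag, that is the condition worth testing in the control's CASE expression.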

Step 3: Build the Control

ID: azure_application_gateway_waf_enabled
Title: Web Application Firewall (WAF) should be enabled for Application Gateway
Description: Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.
IntegrationType:
  - azure_subscription
Query:
  Engine: CloudQL-v0.0.1
  ListOfTables:
    - azure_application_gateway
    - azure_subscription
  Parameters: []
  PrimaryTable: azure_application_gateway
  QueryToExecute: |
    SELECT
      ag.id AS resource,
      ag.platform_account_id AS platform_account_id,
      ag.platform_resource_id AS platform_resource_id,
      CASE
        WHEN web_application_firewall_configuration IS NOT NULL THEN 'ok'
        ELSE 'alarm'
      END AS status,
      CASE
        WHEN web_application_firewall_configuration IS NOT NULL THEN ag.name || ' WAF enabled.'
        ELSE ag.name || ' WAF disabled.'
      END AS reason,
      ag.resource_group AS resource_group,
      sub.display_name AS subscription
    FROM
      azure_application_gateway AS ag
    JOIN
      azure_subscription AS sub
    ON
      sub.subscription_id = ag.subscription_id;
Severity: high
Tags:
  nist_sp_800_53_rev_5:
    - "true"
  service:
    - Azure/Network

By following these five steps, you can effectively create and implement a control to ensure that WAF is enabled on all Azure Application Gateways, enhancing your security posture and maintaining compliance.
