AWS ALB is missing WAF

Updated: June 19, 2025

findings cloud based findings api finding

Description

The Application Load Balancer (ALB) is not associated with an AWS WAF Web ACL.

Remediation

Associate the Application Load Balancer with a Web ACL.

Security Frameworks

NIST 800-53.r5

NIST-AC-4(21): Information Flow Enforcement | Physical or Logical Separation of Information Flows

Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].

Need help?

Contact FireTail support

Previous (Findings - Cloud based findings): AWS ALB has WAF set to fail open
Next (Findings - Cloud based findings): AWS ALB listeners should be configured with a strong security policy