AWS ALB has WAF set to fail open

Updated: June 19, 2025

findings cloud based findings api finding

Description

AWS Application Load Balancer (ALB) has a WAF that is set to fail open if the WAF is unavailable.

Ensure that this behaviour is in accordance with your security policies or set the AWS WAF to not fail open.

Previous (Findings - Cloud based findings): AWS ALB has insecure desync mitigation mode
Next (Findings - Cloud based findings): AWS ALB is missing WAF