Ensure Azure front door uses WAF in Detection or Prevention modes

Error: Azure front door does not use WAF in Detection or Prevention modes

Bridgecrew Policy ID: BC_AZR_NETWORKING_40
Checkov Check ID: CKV_AZURE_123
Severity: LOW

Azure front door does not use WAF in Detection or Prevention modes

Description

WAF has two modes: Detection and Prevention. In Detection mode, WAF analyzes incoming traffic to the Azure front door and logs any requests that are determined to be malicious based on a set of rules. This can help you to identify potential security threats and take appropriate action to protect your application.

In Prevention mode, WAF analyzes incoming traffic to the application gateway and blocks any requests that are determined to be malicious based on a set of rules. This can help to prevent malicious requests from reaching your application and potentially causing damage.

Fix - Buildtime

Terraform

Resource: azurerm_frontdoor_firewall_policy
Argument: policy_settings.enabled + policy_settings.mode

resource "azurerm_frontdoor_firewall_policy" "example" {

											...
                      policy_settings {
 +                      enabled                     = true
 +                      mode                        = "Prevention"
                        request_body_check          = true
                        file_upload_limit_in_mb     = 100
                        max_request_body_size_in_kb = 128
                      }
                      ...
                    }

Updated 9 months ago