AWS ALB has WAF set to fail open

Updated: July 4, 2025

Description

Severity: Info

The AWS Application Load Balancer (ALB) is configured with a Web Application Firewall (WAF) set to "fail open".

In this configuration, if the WAF becomes unavailable (e.g., due to a service disruption or misconfiguration), incoming traffic bypasses the WAF entirely. This can result in the application receiving unfiltered traffic, which could expose it to malicious requests or vulnerabilities.

Example Attack

An attacker takes advantage of a WAF service disruption, knowing that if the WAF fails, traffic is allowed to pass through without filtering. The attacker sends malicious requests, such as SQL injection payloads, to the ALB. With WAF set to "fail open," the malicious requests bypass the protection layer, potentially compromising the application.

Remediation

Review your organization's security policies to determine whether a "fail open" configuration aligns with your risk tolerance. If it does not, disable the fail-open setting on the load balancer so that requests are no longer forwarded to targets when the WAF is unavailable.
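The setting behind this finding is the ALB load balancer attribute `waf.fail_open.enabled` (a string `"true"`/`"false"`; AWS defaults it to false when unset). The following is an added example, not part of the original finding page: it audits the attribute lists returned by `describe-load-balancer-attributes` (AWS CLI or boto3 `describe_load_balancer_attributes`) for each ALB, flags the ones that fail open, and prints the corresponding `modify-load-balancer-attributes` remediation command. The ARNs and attribute lists are constructed sample data with placeholder values, so it runs offline; in a real audit you would feed it the output collected per ALB from `describe_load_balancers`.

```python
"""Audit ALB attributes for WAF fail-open and emit the fix (added example)."""

# Constructed sample data in the shape of the "Attributes" list returned by
# `aws elbv2 describe-load-balancer-attributes` / boto3
# describe_load_balancer_attributes(). ARNs are placeholders, not real resources.
SAMPLE_ATTRIBUTES_BY_ARN = {
    "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/alb-a/PLACEHOLDER": [
        {"Key": "deletion_protection.enabled", "Value": "false"},
        {"Key": "waf.fail_open.enabled", "Value": "true"},   # fails open: finding applies
    ],
    "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/alb-b/PLACEHOLDER": [
        {"Key": "waf.fail_open.enabled", "Value": "false"},  # explicitly fail closed
    ],
    "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/alb-c/PLACEHOLDER": [
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},  # attribute absent: AWS default is false
    ],
}

FAIL_OPEN_KEY = "waf.fail_open.enabled"


def waf_fail_open_enabled(attributes):
    """Return True if the attribute list enables WAF fail open.

    The attribute may be missing entirely, in which case the AWS default
    (false) applies; values are strings, compared case-insensitively.
    """
    for attr in attributes:
        if attr.get("Key") == FAIL_OPEN_KEY:
            return attr.get("Value", "").strip().lower() == "true"
    return False


def find_fail_open_albs(attributes_by_arn):
    """Return the sorted list of ALB ARNs whose WAF is configured to fail open."""
    return sorted(
        arn for arn, attrs in attributes_by_arn.items() if waf_fail_open_enabled(attrs)
    )


def remediation_command(alb_arn):
    """Build the AWS CLI command that sets waf.fail_open.enabled to false for one ALB."""
    return (
        "aws elbv2 modify-load-balancer-attributes "
        f"--load-balancer-arn {alb_arn} "
        f"--attributes Key={FAIL_OPEN_KEY},Value=false"
    )


if __name__ == "__main__":
    flagged = find_fail_open_albs(SAMPLE_ATTRIBUTES_BY_ARN)
    if not flagged:
        print("No ALB fails open.")
    for arn in flagged:
        print(f"FAIL OPEN: {arn}")
        print("  remediate with: " + remediation_command(arn))
```

Treating a missing attribute as "false" matches the AWS default and keeps the audit from flagging load balancers that never had the attribute set; only an explicit `"true"` is reported. Whether the remediation is appropriate is still the policy question the finding raises: disabling fail open means requests are not served while the WAF is unavailable, so the change should be weighed against the availability requirements of the application.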
