What this looks like in the scanner
Severity | Resource            | Finding
Critical | prod-public-alb     | Internet-facing Application Load Balancer has no WAF web ACL associated
High     | api-gateway-waf-acl | WAF web ACL has no rules for SQL injection or cross-site scripting protection
Medium   | web-app-waf-acl     | WAF web ACL does not have logging enabled for security analysis
What does AWS WAF public exposure mean?
Public-facing resources such as ALBs, API Gateways, and CloudFront distributions without WAF protection are exposed to common web attacks: SQL injection, cross-site scripting, and bot traffic.
Why it matters
WAF is your first line of defense against application-layer attacks. Without it, your applications must rely entirely on application-level input validation, which is error-prone and inconsistent.
How to check manually
1. Verify WAF is associated with all public-facing ALBs
2. Check that API Gateway stages have WAF web ACLs attached
3. Review CloudFront distributions for WAF association
4. Audit WAF rules for coverage of the OWASP Top 10
Quick check with AWS CLI
List all regional WAF web ACLs with their name, ID and ARN (use --scope CLOUDFRONT, run in us-east-1, for CloudFront-scoped ACLs):
    aws wafv2 list-web-acls --scope REGIONAL --query "WebACLs[].{Name:Name,Id:Id,ARN:ARN}"
Find ALBs without WAF web ACL protection. With --output text the ARNs come back tab-separated on one line, so they are split onto separate lines before xargs; an empty response for an ALB means no web ACL is associated:
    aws elbv2 describe-load-balancers --query "LoadBalancers[?Scheme=='internet-facing'].LoadBalancerArn" --output text | tr '\t' '\n' | xargs -I {} sh -c 'echo "ALB: {}"; aws wafv2 get-web-acl-for-resource --resource-arn {} 2>&1'
Check WAF logging configuration for a web ACL:
    aws wafv2 get-logging-configuration --resource-arn YOUR_WEB_ACL_ARN --query "LoggingConfiguration.LogDestinationConfigs"
Common misconfigurations
Public ALB without any WAF web ACL
WAF rules not covering SQL injection or XSS
Rate limiting not configured for API endpoints
WAF logging not enabled for security analysis
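To turn the CLI checks and the misconfiguration list above into the three scanner findings, here is an added example (not SecureCompass's code) that classifies one internet-facing ALB from the raw wafv2 API responses. It walks nested rule statements (And/Or/Not/rate-based scope-down) so a SQLi or XSS match buried in a compound rule still counts; the responses are constructed sample data standing in for boto3 calls such as wafv2.get_web_acl_for_resource and wafv2.get_logging_configuration.

```python
from typing import Optional

# AWS managed rule groups that cover SQL injection and cross-site scripting.
SQLI_XSS_MANAGED_GROUPS = {"AWSManagedRulesSQLiRuleSet", "AWSManagedRulesCommonRuleSet"}


def statement_covers_sqli_xss(stmt: dict) -> bool:
    """Recursively inspect one WAF rule statement for SQLi/XSS match statements
    or an AWS managed rule group that covers them (follows And/Or/Not nesting
    and the scope-down statement of a rate-based rule)."""
    if "SqliMatchStatement" in stmt or "XssMatchStatement" in stmt:
        return True
    managed = stmt.get("ManagedRuleGroupStatement", {})
    if managed.get("VendorName") == "AWS" and managed.get("Name") in SQLI_XSS_MANAGED_GROUPS:
        return True
    nested = []
    for key in ("AndStatement", "OrStatement"):
        nested.extend(stmt.get(key, {}).get("Statements", []))
    if "NotStatement" in stmt:
        nested.append(stmt["NotStatement"]["Statement"])
    if "ScopeDownStatement" in stmt.get("RateBasedStatement", {}):
        nested.append(stmt["RateBasedStatement"]["ScopeDownStatement"])
    return any(statement_covers_sqli_xss(s) for s in nested)


def assess_alb(alb_arn: str, acl_response: dict, logging_response: Optional[dict]) -> list:
    """Return (severity, resource, finding) rows for one internet-facing ALB.
    acl_response: get_web_acl_for_resource output ({} when nothing is attached).
    logging_response: get_logging_configuration output, or None when the call
    raised WAFNonexistentItemException (no logging configured)."""
    web_acl = acl_response.get("WebACL")
    if not web_acl:
        return [("Critical", alb_arn, "Internet-facing ALB has no WAF web ACL associated")]
    findings = []
    if not any(statement_covers_sqli_xss(r.get("Statement", {})) for r in web_acl.get("Rules", [])):
        findings.append(("High", web_acl["Name"], "WAF web ACL has no rules for SQL injection or XSS protection"))
    if not (logging_response or {}).get("LoggingConfiguration", {}).get("LogDestinationConfigs"):
        findings.append(("Medium", web_acl["Name"], "WAF web ACL does not have logging enabled"))
    return findings


# Constructed sample responses (placeholder account 111122223333, not a real account).
RATE_RULE = {"Name": "rate", "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}}}
ACL_WITH_MANAGED_SQLI = {"WebACL": {"Name": "api-gateway-waf-acl", "Rules": [RATE_RULE,
    {"Name": "sqli", "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}}}]}}
ACL_RATE_ONLY = {"WebACL": {"Name": "web-app-waf-acl", "Rules": [RATE_RULE]}}
LOGGING_ON = {"LoggingConfiguration": {"LogDestinationConfigs": ["arn:aws:logs:us-east-1:111122223333:log-group:aws-waf-logs-example"]}}

if __name__ == "__main__":
    alb = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/prod-public-alb/0123456789abcdef"
    for row in assess_alb(alb, {}, None) + assess_alb(alb, ACL_WITH_MANAGED_SQLI, LOGGING_ON) + assess_alb(alb, ACL_RATE_ONLY, None):
        print(*row, sep=" | ")
```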
Check all 22 resource types at once
Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.