DEEP
Exported on 01/28/2022
DEEP – AWS WAF Rules Management
Table of Contents
1 Introduction (page 4)
2 Shared Responsibility Model (page 5)
3 Usage (page 6)
3.1 Associate Resources to the WAF (page 6)
3.2 Monitor Counted or Blocked Traffic Requests (page 6)
3.3 Add Rules using the DEEP WAF Rule Provider (page 8)
4 Security Guidelines to Create Rules to Whitelist Legitimate Traffic (page 10)
4.1 Whitelist Parameters rather than URLs (page 10)
4.2 Narrow rule scope as much as possible (page 13)
5 Further Examples (page 15)
1 Introduction
Amazon Web Services allows customers to deploy a Web Application Firewall (WAF) that helps protect web
applications and APIs against common web exploits and bots that may affect availability, compromise security, or
consume excessive resources. The WAF gives the customer control over which traffic reaches their web
applications or APIs by enabling a set of rules that block traffic that would otherwise represent a security threat or
compromise the availability of the system. In DEEP, WAF management is accomplished using Firewall
Manager security policies, which automatically deploy a Web ACL to every new product created. This ensures a
scalable approach to WAF management for the whole organisation.
2 Shared Responsibility Model
Priority | Rule | Description | Action | Responsibility
1 | Default Action | Default action for requests that do not trigger any rule | Allow | DEEP
3 | Rules Defined by the Customer | Rules to be added by the customer using the WAF Rule Provider | Defined by the Customer | Customer
Excluded Rules
AWSManagedRulesCommonRuleSet
• NoUserAgent_HEADER
• SizeRestrictions_QUERYSTRING
• SizeRestrictions_Cookie_HEADER
• SizeRestrictions_BODY
• SizeRestrictions_URIPATH
3 Usage
• WAF Sampled Requests - Go to AWS Console > WAF&Shield > Web ACLs > Choose the region of the Web ACL
> Choose the ACL whose suffix is the environment of the product > Analyze the Sampled Requests and the
action triggered on those requests, within a maximum window of 3 hours.
3.3 Add Rules using the DEEP WAF Rule Provider
• Configure the wafrule provider with the region of the Web ACL:
    provider "wafrule" {
      region = "eu-west-1"
    }
• Include the source and the version required in the required_providers section:
    terraform {
      required_providers {
        wafrule = {
          source  = "PMI-DEEP-Infra/wafrule"
          version = "~> 1.0.1"
        }
      }
      required_version = ">= 0.13"
    }
To get the waf_acl_name and waf_acl_id, go to AWS Console > WAF&Shield > Web ACLs > Choose the region of the
Web ACL > Choose the ACL whose suffix is the environment of the product > Copy the Web ACL name (on the
left) and the Web ACL ID.
In order to create the rules, use the syntax defined by the rule block of the AWS provider's wafv2_web_acl
resource [1].
[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl
4 Security Guidelines to Create Rules to Whitelist Legitimate Traffic
4.1 Whitelist Parameters rather than URLs
Expected action: Whitelist the test2 parameter, e.g. by creating a regular expression that allows everything
that starts with the <xml> tag and ends with the </xml> tag.
Not expected actions:
• Whitelist /invoices URL
• Whitelist test and test2 parameters
• Whitelist IP addresses from 10.0.0.0/8
• Whitelist Geographical region
Then, after creating the aws_wafv2_regex_pattern_set [3], one has to create the WAF rule using the
resource wafrule_acl_rule. Because we want the Web ACL to allow specifically the requests whose test2 parameter
contains an XML document, we create a rule block whose statement is a
regex_pattern_set_reference_statement with a field_to_match that selects the request's test2
parameter for analysis. If the test2 parameter matches the "<xml> <any text> </xml>" regular expression, which is the
regex pattern defined previously, the action described in the action section, allow, is triggered.
[2] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_regex_pattern_set
[3] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_regex_pattern_set
4.2 Narrow rule scope as much as possible
For system-to-system communication, use the source IP address to narrow the scope.
Example: We observe that the WAF raises a Cross Site Scripting (XSS) alert. The logs say that it is triggered by this URL:
https://www.example.com/invoices?test=abc&test2=<xml>test</xml>
Analysis of the parameters' values gives us a reasonable suspicion that the value passed in the test2 parameter triggers the rule.
Analysis of the source IP address shows us that the caller is another PMI system calling a web service.
Expected action: Whitelist the test2 parameter for all requests coming from the IP address of that system.
Not expected actions:
• Whitelist /invoices URL
• Whitelist test2 parameter without IP restriction
• Whitelist IP addresses from 10.0.0.0/8
• Whitelist Geographical region
Then, we create a statement containing an and_statement so that both conditions, test2 containing XML
and the origin IP belonging to a specific system, are evaluated and must both be true for the ACL to allow the request. For the
second statement, which analyzes the origin IP, we use the ip_set_reference_statement, which references the
previously created aws_wafv2_ip_set to check whether the origin IP belongs to that system.
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "WhitelistParameterContainingXMLRuleAndIP"
        sampled_requests_enabled   = false
      }
    }
  }
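The complete rule described in sections 4.1 and 4.2, written here as an added example rather than taken from this document or the DEEP provider: the regex pattern set from 4.1 is combined with an IP set in an and_statement, so the allow action fires only when both the test2 parameter and the source address match. The resource and block names, the regex string, the priority and the 192.0.2.10 address are assumptions; waf_acl_name and waf_acl_id are the provider attributes this document names.

```hcl
# Pattern the test2 value must match: anything wrapped in <xml>...</xml> (assumed regex).
resource "aws_wafv2_regex_pattern_set" "xml_payload" {
  name  = "xml-payload" # assumed name
  scope = "REGIONAL"
  regular_expression { regex_string = "^<xml>.*</xml>$" }
}

# Source address of the calling system; 192.0.2.10 is a constructed placeholder.
resource "aws_wafv2_ip_set" "partner_system" {
  name               = "partner-system" # assumed name
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["192.0.2.10/32"]
}
# Keep a single wafrule_acl_rule object per Web ACL; add further rule blocks to it.
resource "wafrule_acl_rule" "customer_rules" {
  waf_acl_name = "<web-acl-name>" # placeholder: copy from the WAF console
  waf_acl_id   = "<web-acl-id>"   # placeholder: copy from the WAF console
  rule {
    name     = "WhitelistParameterContainingXMLRuleAndIP"
    priority = 10 # assumed; must be unique within the ACL
    action {
      allow {}
    }
    statement {
      and_statement { # both statements must match for the request to be allowed
        statement {
          regex_pattern_set_reference_statement {
            arn = aws_wafv2_regex_pattern_set.xml_payload.arn
            field_to_match { # inspect only the test2 query argument, not the URL
              single_query_argument { name = "test2" }
            }
            text_transformation {
              priority = 0
              type     = "URL_DECODE" # "<xml>" usually arrives percent-encoded
            }
          }
        }
        statement {
          ip_set_reference_statement { arn = aws_wafv2_ip_set.partner_system.arn }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "WhitelistParameterContainingXMLRuleAndIP"
      sampled_requests_enabled   = true
    }
  }
}
```

Dropping the ip_set_reference_statement and the and_statement wrapper yields the parameter-only rule of section 4.1; the field_to_match on single_query_argument is what keeps the exception from whitelisting the whole /invoices URL.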
Then, in order for the ACL to check the URL path, we create the regex_pattern_set_reference_statement inside
the statement block, pointing to the previously created regular expression aws_wafv2_regex_pattern_set, and we
set field_to_match to uri_path so that the ACL matches the URI path of the request against the regex for test.log [4].
[4] https://www.example.com/test.log
5 Further Examples
Example: Restrict requests to a set of geographical locations.
Since the default action of the Web ACL is "allow", restricting the geographical origin of requests requires a rule
whose action is block and whose statement block contains a not_statement wrapping the set of
allowed countries. This way, the WAF blocks all requests originating from countries that are not in the allowed
countries set.
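The geo-restriction rule just described, as an added example that is not part of this document: a block action wrapped around a not_statement over geo_match_statement, so everything outside the allowed set is denied while the ACL default stays allow. The rule name, priority, the two country codes and the placeholder ACL values are assumptions; in a real ACL this rule block belongs inside the single wafrule_acl_rule object that holds the other customer rules.

```hcl
resource "wafrule_acl_rule" "customer_rules" {
  waf_acl_name = "<web-acl-name>" # placeholder: copy from the WAF console
  waf_acl_id   = "<web-acl-id>"   # placeholder: copy from the WAF console
  rule {
    name     = "BlockRequestsOutsideAllowedCountries" # assumed name
    priority = 20                                      # assumed; unique within the ACL
    action {
      block {} # default action is allow, so the rule itself must block
    }
    statement {
      # Matches every request whose source country is NOT in the allowed set.
      not_statement {
        statement {
          geo_match_statement {
            country_codes = ["CH", "PT"] # constructed example of the allowed countries
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "BlockRequestsOutsideAllowedCountries"
      sampled_requests_enabled   = true
    }
  }
}
```

Deploying the rule first with `count {}` in place of `block {}` and reviewing the sampled requests (section 3.2) before switching to block shows which legitimate callers would be affected.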
Troubleshooting
Here is a list of common errors when applying the configuration:
• Use only one wafrule_acl_rule object per Web ACL with multiple rule blocks if needed
• Do not use the same priorities within the set of rules of the same Web ACL
In case of any question or doubt, please contact us using the DEEP Portal [5] or the Teams channel [6].
[5] https://portal.pmideep.com/#/
[6] https://teams.microsoft.com/l/team/19%3a28548bf94b18418cae8213281900de29%40thread.tacv2/conversations?groupId=066b6e76-9e53-458f-afa3-d2291e00fb7f&tenantId=8b86a65e-3c3a-4406-8ac3-19a6b5cc52bc