DEEP – AWS WAF Rules Management

Exported on 01/28/2022

Table of Contents
1 Introduction
2 Shared Responsibility Model
3 Usage
3.1 Associate Resources to the WAF
3.2 Monitor Counted or Blocked Traffic Requests
3.3 Add Rules using the DEEP WAF Rule Provider
4 Security Guidelines to Create Rules to Whitelist Legitimate Traffic
4.1 Whitelist Parameters rather than URLs
4.2 Narrow rule scope as much as possible
5 Further Examples


1 Introduction
Amazon Web Services allows customers to deploy a Web Application Firewall (WAF) that helps protect web applications
and APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive
resources. The WAF gives the customer control over which traffic reaches their web applications or APIs by enabling a
set of rules that block traffic that would otherwise represent a security threat or compromise the availability of the
system. In DEEP, WAF management is accomplished with Firewall Manager security policies, which automatically deploy a
Web ACL to every new product created. This ensures a scalable approach to WAF management for the whole organisation.


2 Shared Responsibility Model


WAF management is a shared responsibility between the DEEP Team and the customer. The DEEP Team is responsible for
ensuring that every account has the WAF Web ACL with the rules defined by ISDP in place and that, by default, for
products containing an ALB created by DEEP, the public ALB is associated with the correct Web ACL. The default rule
settings enforced by ISDP are the following (the customer's own rules are evaluated after the first rule group and
before the last rule groups):

1. Default Action
   Contained rules: -
   Description: Default action for requests that do not trigger any rule
   Action: Allow
   Responsible: DEEP

2. First Rule Group
   Contained rules: AWSManagedRulesAmazonIpReputationList
   Description: First rules to be evaluated, defined by ISDP and enforced by Firewall Manager. Rules cannot be
   modified by the customer.
   Action: Defined by the rule
   Responsible: DEEP

3. Rules Defined by the Customer
   Contained rules: -
   Description: Rules to be added by the customer using the WAF Rule Provider.
   Action: Defined by the customer
   Responsible: Customer

4. Last Rule Group
   Contained rules: AWSManagedRulesAnonymousIpList
   Description: Last rules to be evaluated, defined by ISDP and enforced by Firewall Manager. Rules cannot be
   modified by the customer.
   Action: Defined by the rule
   Responsible: DEEP

5. Last Rule Group
   Contained rules: AWSManagedRulesKnownBadInputsRuleSet
   Description: Last rules to be evaluated, defined by ISDP and enforced by Firewall Manager. Rules cannot be
   modified by the customer.
   Action: Defined by the rule
   Responsible: DEEP

6. Last Rule Group
   Contained rules: AWSManagedRulesCommonRuleSet, excluding the rules listed under "Excluded Rules"
   Description: Last rules to be evaluated, defined by ISDP and enforced by Firewall Manager. Rules cannot be
   modified by the customer.
   Action: Defined by the rule
   Responsible: DEEP

Excluded Rules
AWSManagedRulesCommonRuleSet
• NoUserAgent_HEADER
• SizeRestrictions_QUERYSTRING
• SizeRestrictions_Cookie_HEADER
• SizeRestrictions_BODY
• SizeRestrictions_URIPATH


3 Usage

3.1 Associate Resources to the WAF


Currently, AWS WAF can protect Amazon CloudFront distributions, Application Load Balancers (ALB), Amazon API Gateway
REST APIs, and AWS AppSync GraphQL APIs.
For products with a public-facing ALB, DEEP already associates the ALB to the WAF by default. If customers want to
associate other resources to the WAF, they just add the following tag to the resource; if the resource is not already
associated with another Web ACL, Firewall Manager will automatically associate it to the WAF ACL of that environment.

Tag: WAFACLScope
Description: Specifies to which WAF environment the resource should be associated
Type: String
Value: fm_waf_acl_<$environment>
Applies to: ALB, API Gateway, CloudFront, AWS AppSync

3.2 Monitor Counted or Blocked Traffic Requests


Since each WAF ACL enforces a set of rules defined by ISDP, customers can check whether some of their traffic is
currently blocked (Action = BLOCK) or counted (Action = COUNT). Counted means that the rule would block the request by
its own definition, but ISDP has overridden it to count only: the request is let through and recorded, so COUNT hits
on legitimate traffic are worth reviewing as well.
To check these metrics, customers can use:
• CloudWatch Metrics - Go to AWS Console > CloudWatch > Metrics > WAFV2 (namespace AWS/WAFV2) > Region, Rule, WebACL,
select the required rule and the metric name (AllowedRequests, CountedRequests or BlockedRequests) to see how many
requests were received and when.
• WAF Sampled Requests - Go to AWS Console > WAF&Shield > Web ACLs > choose the region of the Web ACL > choose the ACL
that has the environment of the product as its suffix > analyse the sampled requests and the action triggered on
them, within a window of at most 3 hours.


3.3 Add Rules using the DEEP WAF Rule Provider


If customers detect that legitimate traffic is being blocked, they must refer to section 4, Security Guidelines to
Create Rules to Whitelist Legitimate Traffic, before creating a rule to whitelist it.
The rules are created in the product's resources workspace using the WAF Rule Provider created by DEEP-Infra. To use
it, follow these steps:
• Configure the WAF Rule provider for the region of the Web ACL:

    provider "wafrule" {
      region = "eu-west-1"
    }

• Declare the provider source and the required version in the required_providers block:

    terraform {
      required_providers {
        wafrule = {
          source  = "PMI-DEEP-Infra/wafrule"
          version = "~> 1.0.1"
        }
      }
      required_version = ">= 0.13"
    }

• Create the required rules using the wafrule_acl_rule resource (one resource per Web ACL, with as many rule blocks
  inside it as needed):

    resource "wafrule_acl_rule" "waf_rules" {
      waf_acl_name = "<Replace with Web ACL Name>"
      waf_acl_id   = "<Replace with Web ACL ID>"

      rule {
        # Place rules here
      }
    }

To get the waf_acl_name and waf_acl_id, go to AWS Console > WAF&Shield > Web ACLs > choose the region of the Web ACL
> choose the ACL that has the environment of the product as its suffix > copy the Web ACL name (on the left) and the
Web ACL ID.
To write the rules, use the syntax defined by the rule block of the AWS provider's aws_wafv2_web_acl resource
(https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl).
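The two procedures above, finding the Web ACL of the product's environment (section 3.3) and reading its metrics and
sampled requests (section 3.2), can also be done from a script. The following is an added example and is not part of
the DEEP documentation or of the wafrule provider. It uses the public boto3 operations list_web_acls,
get_metric_statistics and get_sampled_requests; the Web ACL names, IDs, ARNs, rule names and the embedded responses
are constructed placeholders, and the assumption that the Web ACL name ends with the environment follows the console
instructions above.

```python
"""Added example (not DEEP code): locate the product's Web ACL and inspect what it
allows, counts and blocks through the public boto3 API. The payloads embedded below
are constructed in the shape the API returns, so the module runs offline."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WAF_NAMESPACE = "AWS/WAFV2"
WAF_METRICS = ("AllowedRequests", "CountedRequests", "BlockedRequests")
MAX_SAMPLE_WINDOW = timedelta(hours=3)  # get_sampled_requests accepts at most 3 hours


def find_web_acl(list_response, environment):
    """Pick the Web ACL whose name ends with the product environment (assumption
    taken from the console steps). list_response is the dict returned by
    wafv2.list_web_acls(Scope="REGIONAL"). Returns (Name, Id, ARN)."""
    hits = [a for a in list_response.get("WebACLs", []) if a["Name"].endswith(environment)]
    if len(hits) != 1:
        raise LookupError(f"expected one Web ACL ending in {environment!r}, found {len(hits)}")
    acl = hits[0]
    return acl["Name"], acl["Id"], acl["ARN"]


def metric_params(web_acl_name, rule_metric_name, region, metric_name, end=None, period=300):
    """Arguments for cloudwatch.get_metric_statistics on a REGIONAL Web ACL.
    rule_metric_name is "ALL" for the whole ACL or a rule's metric_name as set
    in its visibility_config."""
    if metric_name not in WAF_METRICS:
        raise ValueError(f"unknown WAFV2 metric {metric_name!r}")
    end = end or datetime.now(timezone.utc)
    return {
        "Namespace": WAF_NAMESPACE,
        "MetricName": metric_name,
        "Dimensions": [
            {"Name": "WebACL", "Value": web_acl_name},
            {"Name": "Rule", "Value": rule_metric_name},
            {"Name": "Region", "Value": region},
        ],
        "StartTime": end - MAX_SAMPLE_WINDOW,
        "EndTime": end,
        "Period": period,
        "Statistics": ["Sum"],
    }


def sampled_request_params(web_acl_arn, rule_metric_name, end=None, max_items=100):
    """Arguments for wafv2.get_sampled_requests, with the window clamped to 3 hours."""
    end = end or datetime.now(timezone.utc)
    return {
        "WebAclArn": web_acl_arn,
        "RuleMetricName": rule_metric_name,
        "Scope": "REGIONAL",
        "TimeWindow": {"StartTime": end - MAX_SAMPLE_WINDOW, "EndTime": end},
        "MaxItems": max_items,
    }


def summarise_samples(response):
    """Weighted count of sampled requests per (Action, rule within the rule group).
    Each sample's Weight says how many real requests it stands for, so weights
    are summed rather than samples counted."""
    totals = Counter()
    for s in response.get("SampledRequests", []):
        totals[(s["Action"], s.get("RuleNameWithinRuleGroup", ""))] += s.get("Weight", 1)
    return dict(totals)


def blocked_requests(response):
    """(URI, client IP, rule) of every BLOCK sample: the input for the whitelist analysis."""
    return sorted(
        (s["Request"]["URI"], s["Request"]["ClientIP"], s.get("RuleNameWithinRuleGroup", ""))
        for s in response.get("SampledRequests", [])
        if s["Action"] == "BLOCK"
    )


# Constructed payloads in the shape of list_web_acls / get_sampled_requests responses.
LIST_RESPONSE = {"WebACLs": [
    {"Name": "fm_waf_acl_prod", "Id": "11111111-1111-1111-1111-111111111111",
     "ARN": "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/fm_waf_acl_prod/1111"},
    {"Name": "fm_waf_acl_dev", "Id": "22222222-2222-2222-2222-222222222222",
     "ARN": "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/fm_waf_acl_dev/2222"},
]}
SAMPLE_RESPONSE = {"SampledRequests": [
    {"Request": {"ClientIP": "203.0.113.7", "URI": "/invoices", "Method": "GET"},
     "Weight": 3, "Action": "BLOCK", "RuleNameWithinRuleGroup": "CrossSiteScripting_QUERYARGUMENTS"},
    {"Request": {"ClientIP": "203.0.113.7", "URI": "/invoices", "Method": "POST"},
     "Weight": 1, "Action": "COUNT", "RuleNameWithinRuleGroup": "SizeRestrictions_BODY"},
    {"Request": {"ClientIP": "198.51.100.2", "URI": "/health", "Method": "GET"},
     "Weight": 5, "Action": "ALLOW", "RuleNameWithinRuleGroup": ""},
], "PopulationSize": 9}

if __name__ == "__main__":
    name, acl_id, arn = find_web_acl(LIST_RESPONSE, "dev")
    print(name, acl_id)
    print(summarise_samples(SAMPLE_RESPONSE))
    print(blocked_requests(SAMPLE_RESPONSE))
    try:  # live query; skipped when boto3 or credentials are not available
        import boto3
        wafv2 = boto3.client("wafv2", region_name="eu-west-1")
        live_name, live_id, live_arn = find_web_acl(wafv2.list_web_acls(Scope="REGIONAL"), "dev")
        resp = wafv2.get_sampled_requests(**sampled_request_params(live_arn, "<rule metric name>"))
        print(live_name, live_id, summarise_samples(resp))
    except Exception as exc:
        print("live query skipped:", exc)
```

The Rule dimension and RuleMetricName take the metric_name from a rule's visibility_config, so the customer rules
created in this document show up under the names chosen there; "ALL" gives the totals for the whole Web ACL.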


4 Security Guidelines to Create Rules to Whitelist Legitimate Traffic
Here is a list of guidelines created by ISDP that customers can follow. Keep in mind that a customer rule with the
allow action is evaluated before the last rule groups listed in section 2, and that allow is a terminating action: a
request matched by such a rule is not inspected by AWSManagedRulesCommonRuleSet or
AWSManagedRulesKnownBadInputsRuleSet at all. Every whitelist rule is therefore a hole in the WAF, which is why the
guidelines below insist on matching the smallest possible part of the request.

4.1 Whitelist Parameters rather than URLs


Example: Visiting the following URL results in the Cross Site Scripting (XSS) rule being triggered by the WAF:
https://www.example.com/invoices?test=abc&test2=<xml>test</xml>
Analysis of the parameters' values gives us a reasonable suspicion that the value passed in the test2 parameter
triggers the rule.

Expected action: Whitelist the test2 parameter, e.g. by creating a regular expression that allows only values that
start with an <xml> tag and end with a </xml> tag.
Not expected actions:
• Whitelist the /invoices URL
• Whitelist the test and test2 parameters
• Whitelist IP addresses from 10.0.0.0/8
• Whitelist a geographical region

Terraform Code Example:

Since we want the WAF ACL to detect a pattern in the request in order to act upon it, we first create an
aws_wafv2_regex_pattern_set resource
(https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_regex_pattern_set) so that the
ACL can match the test2 parameter of the request against the regular expression ^<xml>.*<\/xml>$, i.e. a value that
is entirely wrapped in an <xml> element.

    resource "aws_wafv2_regex_pattern_set" "whitelist_parameter_containing_xml_regex" {
      name        = "whitelist_parameter_containing_xml_regex"
      description = "Regex that matches a parameter value wrapped in <xml>...</xml>"
      scope       = "REGIONAL"

      regular_expression {
        # Anchored so that only a value that starts with <xml> and ends with </xml>
        # matches, not any value that merely contains those tags somewhere
        regex_string = "^<xml>.*<\\/xml>$"
      }
    }

Then, after creating the aws_wafv2_regex_pattern_set, one has to create the WAF rule using the resource
wafrule_acl_rule. Because we want the WAF ACL to allow requests whose test2 parameter contains an XML document, we
create a rule block with a regex_pattern_set_reference_statement whose field_to_match selects the request's test2
query argument. If the test2 parameter matches the "<xml> <any text> </xml>" regular expression defined in the
pattern set above, the action described in the action section, allow, is taken.
Two points to keep in mind. Allow is a terminating action, so whatever the client places inside <xml>...</xml> in
test2 is not inspected by any later rule, including the managed rule groups; keep the expression as tight as the
legitimate payload permits and, for system-to-system traffic, combine it with the source IP restriction shown in the
next example. And with text_transformation NONE the pattern is applied to the value as sent on the wire, so if the
client percent-encodes the angle brackets, use a URL_DECODE transformation instead.


    resource "wafrule_acl_rule" "waf_rules" {
      waf_acl_name = "<Replace with Web ACL Name>"
      waf_acl_id   = "<Replace with Web ACL ID>"

      rule {
        name     = "WhitelistParameterContainingXMLRule"
        priority = 0
        action {
          allow {}
        }
        statement {
          regex_pattern_set_reference_statement {
            arn = aws_wafv2_regex_pattern_set.whitelist_parameter_containing_xml_regex.arn
            field_to_match {
              single_query_argument {
                name = "test2"
              }
            }
            text_transformation {
              priority = 0
              # use "URL_DECODE" if the client sends the angle brackets percent-encoded
              type     = "NONE"
            }
          }
        }

        visibility_config {
          cloudwatch_metrics_enabled = true
          metric_name                = "WhitelistParameterContainingXMLRule"
          # set to true to see this rule's matches under Sampled Requests (section 3.2)
          sampled_requests_enabled   = false
        }
      }
    }

For system to system communication use the source IP address to narrow the scope
Example: We observe that the WAF raises a Cross Site Scripting (XSS) alert. The logs say that it is triggered by this
URL:
https://www.example.com/invoices?test=abc&test2=<xml>test</xml>
Analysis of the parameters' values gives us a reasonable suspicion that the value passed in the test2 parameter
triggers the rule. Analysis of the source IP address shows us that this is some other PMI system calling a web
service.

Expected action: Whitelist the test2 parameter only for requests coming from the IP address of that system.
Not expected actions:
• Whitelist the /invoices URL
• Whitelist the test2 parameter without an IP restriction
• Whitelist IP addresses from 10.0.0.0/8
• Whitelist a geographical region


Terraform Code Example:

To build on top of the previous example, we want to allow requests whose test2 parameter contains an XML document
only when they come from a certain IP address.
For that, we create an aws_wafv2_ip_set resource describing which addresses the WAF rule should whitelist (use /32
entries for single hosts; 1.2.3.4 below is a placeholder):

    resource "aws_wafv2_ip_set" "WhitelistingIPaddress" {
      name               = "PMISystemIPWhitelist"
      description        = "PMI IP Address to be whitelisted"
      scope              = "REGIONAL"
      ip_address_version = "IPV4"
      addresses          = ["1.2.3.4/32"]
    }

Then, we create a statement containing an and_statement so that both conditions, test2 containing XML and the origin
IP belonging to the specific system, are evaluated and must both be true for the ACL to allow the request. For the
second condition we use an ip_set_reference_statement pointing at the aws_wafv2_ip_set created above. Note that this
statement inspects the source IP of the connection, which for a public ALB reached directly is the client's address;
if requests arrive through CloudFront or another proxy, add an ip_set_forwarded_ip_config block (with
fallback_behavior = "NO_MATCH", so a missing or malformed header never results in an allow, and position set to where
your proxy writes the real client address, since anything earlier in X-Forwarded-For is client-supplied).

    resource "wafrule_acl_rule" "waf_rules" {
      waf_acl_name = "<Replace with Web ACL Name>"
      waf_acl_id   = "<Replace with Web ACL ID>"

      rule {
        name     = "WhitelistParameterContainingXMLRuleAndIP"
        priority = 0
        action {
          allow {}
        }
        statement {
          and_statement {
            statement {
              regex_pattern_set_reference_statement {
                arn = aws_wafv2_regex_pattern_set.whitelist_parameter_containing_xml_regex.arn
                field_to_match {
                  single_query_argument {
                    name = "test2"
                  }
                }
                text_transformation {
                  priority = 0
                  type     = "NONE"
                }
              }
            }
            statement {
              ip_set_reference_statement {
                arn = aws_wafv2_ip_set.WhitelistingIPaddress.arn
              }
            }
          }
        }

        visibility_config {
          cloudwatch_metrics_enabled = true
          metric_name                = "WhitelistParameterContainingXMLRuleAndIP"
          sampled_requests_enabled   = false
        }
      }
    }

4.2 Narrow rule scope as much as possible


Example: Visiting the following URL results in the RestrictedExtensions rule being triggered by the WAF:
https://www.example.com/test.log
Analysis of the URL gives us a reasonable suspicion that the rule is triggered by visiting a web page with the .log
extension.

Expected action: Whitelist the /test.log file

Not expected actions:
• Whitelist all files with the .log extension

Terraform Code Example:

First, we create the aws_wafv2_regex_pattern_set resource so that the WAF rule can match the request's URI path
against a regular expression for exactly /test.log:

    resource "aws_wafv2_regex_pattern_set" "whitelist_log_file_uri_path_regex" {
      name        = "whitelist_log_file_uri_path_regex"
      description = "Regex that matches the URI path /test.log"
      scope       = "REGIONAL"

      regular_expression {
        # Anchored, with the dot escaped: a bare "(test.log)" would also match
        # /latest.logs, /testXlog or /export/test.log.bak
        regex_string = "^/test\\.log$"
      }
    }

Then, in order for the ACL to check the URL path, we create a regex_pattern_set_reference_statement inside the
statement block pointing to the aws_wafv2_regex_pattern_set created above, and we set field_to_match to uri_path so
that the ACL matches the request's URI path (the path only, without the query string) against the regex.


    resource "wafrule_acl_rule" "waf_rules" {
      waf_acl_name = "<Replace with Web ACL Name>"
      waf_acl_id   = "<Replace with Web ACL ID>"

      rule {
        name     = "WhitelistLogFileUriPath"
        priority = 0
        action {
          allow {}
        }
        statement {
          regex_pattern_set_reference_statement {
            arn = aws_wafv2_regex_pattern_set.whitelist_log_file_uri_path_regex.arn
            field_to_match {
              uri_path {}
            }
            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }

        visibility_config {
          cloudwatch_metrics_enabled = true
          metric_name                = "WhitelistLogFileUriPath"
          sampled_requests_enabled   = false
        }
      }
    }
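Because an allow rule skips every later rule for the requests it matches, it is worth checking what a whitelist regex
really admits before applying it. The following added example, which is not code from the DEEP documentation or from
the wafrule provider, covers both examples in this section: it runs loose patterns of the form (<xml>).*(<\/xml>) for
the test2 argument and (test.log) for the URI path, and anchored alternatives, against constructed sample values. It
uses Python's re module as a stand-in for the AWS WAF regex engine, staying within the syntax both support; the
character class used for the XML body in the tightened pattern is an assumption to be adjusted to the real payload.

```python
"""Added example (not DEEP code): check what an allow-list regex really admits
before it is deployed. AWS WAF searches the inspected component with its own
RE2-style engine; Python's re is used here only to reason about the patterns,
which stay within the subset both engines share. All sample values are constructed."""
import re
from urllib.parse import unquote

# Loose patterns: unanchored, and an unescaped '.' that matches any character.
LOOSE_PARAM = r"(<xml>).*(<\/xml>)"
LOOSE_URI = r"(test.log)"

# Tightened equivalents: anchored, literal dot escaped, and the XML body limited to
# the characters the legitimate client is known to send (assumed alphanumerics
# here; adjust to the real payload).
TIGHT_PARAM = r"^<xml>[A-Za-z0-9 _-]{1,64}</xml>$"
TIGHT_URI = r"^/test\.log$"


def waf_regex_match(pattern, value, url_decode=False):
    """Emulate regex_pattern_set_reference_statement on one request component.

    WAF reports a match when the pattern matches anywhere in the component
    (search, not full-match). text_transformation NONE inspects the raw value;
    URL_DECODE corresponds to url_decode=True.
    """
    if url_decode:
        value = unquote(value)
    return re.search(pattern, value) is not None


def allowed_values(pattern, values, url_decode=False):
    """The subset of `values` that an allow rule built on `pattern` passes through
    without any later rule (including the managed rule groups) inspecting them."""
    return [v for v in values if waf_regex_match(pattern, v, url_decode)]


# Constructed query-argument values for test2 and constructed URI paths.
PARAM_VALUES = [
    "<xml>test</xml>",                        # the legitimate request from the example
    "%3Cxml%3Etest%3C%2Fxml%3E",             # the same value as a browser sends it
    "<xml><script>alert(1)</script></xml>",   # XSS payload wrapped in the allowed tags
    "<xml></xml>' OR 1=1 --",                 # tags present, injection appended
]
URI_VALUES = ["/test.log", "/latest.logs", "/testXlog", "/export/test.log.bak", "/test.txt"]

if __name__ == "__main__":
    for label, pat in (("loose", LOOSE_PARAM), ("tight", TIGHT_PARAM)):
        print(label, "param, NONE:      ", allowed_values(pat, PARAM_VALUES))
        print(label, "param, URL_DECODE:", allowed_values(pat, PARAM_VALUES, url_decode=True))
    for label, pat in (("loose", LOOSE_URI), ("tight", TIGHT_URI)):
        print(label, "uri:", allowed_values(pat, URI_VALUES))
```

The loose parameter pattern admits the script and injection payloads as long as they are wrapped in the tags, while
the legitimate percent-encoded form is rejected unless URL_DECODE is applied; the loose path pattern matches
/latest.logs and /export/test.log.bak as well as /test.log. The anchored patterns admit only the intended values.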


5 Further Examples
Example: Restrict requests to a set of geographical locations.
Since the default action of the WAF ACL is allow, restricting the geographical origin of requests means blocking
everything else: create a rule whose action is block and whose statement is a not_statement wrapping a
geo_match_statement that lists the allowed countries (ISO 3166-1 alpha-2 codes). This way, the WAF blocks all requests
originating from countries not in the allowed set. The country is derived from the source IP of the connection; as
with IP sets, requests arriving through a proxy need a forwarded_ip_config block on the geo_match_statement so that
the client address from X-Forwarded-For is used instead.

    resource "wafrule_acl_rule" "waf_rules" {
      waf_acl_name = "<Replace with Web ACL Name>"
      waf_acl_id   = "<Replace with Web ACL ID>"

      rule {
        name     = "GeoMatchRestrictionRule"
        priority = 0
        action {
          block {}
        }
        statement {
          not_statement {
            statement {
              geo_match_statement {
                # list(string) of ISO 3166-1 alpha-2 codes, e.g. ["CH", "PT"],
                # declared as a variable in the resources workspace
                country_codes = var.waf_allowed_countries
              }
            }
          }
        }

        visibility_config {
          cloudwatch_metrics_enabled = true
          metric_name                = "GeoMatchRestrictionRule"
          sampled_requests_enabled   = false
        }
      }
    }

Troubleshooting
Here is a list of common errors when applying the configuration:
• Use only one wafrule_acl_rule resource per Web ACL, with multiple rule blocks inside it if needed
• Do not reuse priorities within the set of rules of the same Web ACL; the examples in this document all use
  priority 0, so give each rule block a distinct priority when combining them


In case of any question or doubt, please contact us using the DEEP Portal (https://portal.pmideep.com/#/) or the
Teams channel
(https://teams.microsoft.com/l/team/19%3a28548bf94b18418cae8213281900de29%40thread.tacv2/conversations?groupId=066b6e76-9e53-458f-afa3-d2291e00fb7f&tenantId=8b86a65e-3c3a-4406-8ac3-19a6b5cc52bc).
