Last updated: 2023-02-06
Introduction
Core features
- Allow all requests except the ones that you specify
- Block all requests except the ones that you specify
- Count requests that match your criteria
- Run CAPTCHA checks against requests that match your criteria
Deployment patterns
- Application Load Balancer + WAF
- CloudFront + WAF
Web ACLs
Web ACLs -protect-> AWS resources
Associate a web ACL with one or more AWS resources.
The relationship between a web ACL and AWS resources is one-to-many
(the resources must be of the same resource type).
Rules
Each rule contains a statement that defines the inspection criteria, and an action to take
Rule groups
- AWS Managed Rules
- AWS Marketplace sellers
- your own rule groups
Web ACL capacity units (WCU)
Used to calculate and control the operating resources required to run your rules.
Default limit per web ACL: 1,500
Pricing
- Web ACL: USD $5/month (prorated hourly)
- Rule: USD $1/month (prorated hourly)
- Requests: USD $0.6 per million requests
Contents
- AWS Managed Rules
AWS Managed Rules
Managed Rules categories
- Baseline rule groups (CRS, admin, ...)
- Use-case specific rule groups (SQL, PHP, Linux, Win, ...)
- IP reputation rule groups
- AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group
  (registration and account creation endpoints)
- AWS WAF Fraud Control account takeover prevention (ATP) rule group
  (login endpoint)
- AWS WAF Bot Control rule group
  (web scraping frameworks, search engines, and automated browsers)
Rules
AWSManagedRulesAmazonIpReputationList (WCU: 25)
Rules based on Amazon internal threat intelligence; used to block IP addresses typically associated with bots or other threats.
AWSManagedRulesAnonymousIpList (WCU: 50)
The Anonymous IP list rule group contains rules to block requests from services that permit the obfuscation of viewer identity.
These include requests from VPNs, proxies, Tor nodes, and web hosting providers.
AWSManagedRulesAdminProtectionRuleSet (WCU: 100)
Matches URL paths such as:
- /admin
AWSManagedRulesPHPRuleSet (WCU: 100)
Blocks request patterns associated with the exploitation of vulnerabilities specific to the use of the PHP programming language,
including injection of unsafe PHP functions.
Other rule lists: Link
Log fields
- terminatingRuleId: e.g. AWS-AWSManagedRulesAnonymousIpList
- "httpSourceName":"CF"
- httpSourceId: the CloudFront distribution ID
- httpRequest -> clientIp
- headers -> Host
Redact log fields
If you don't want certain fields and their values included in the logs, redact those fields.
Filter logs
By action (Block, CAPTCHA, ...)
Default logging behavior: Keep / Drop
To troubleshoot a 403 Forbidden error
Key point: find out which WAF rule blocked the request.
Methods:
- Sampled requests (not real-time; only useful for problems within the last 3 hours)
- WAF logs (in S3 there is no search, so you need to know roughly when the problem happened to trace it)
Sampled requests
Only has samples from the past 3 hours, up to about 10 minutes ago.
AWS WAF logs
* Saved to S3 every 5 minutes (folders 00, 05, 10, ...)
* The 00 folder holds the logs for 00:00~04:59 (mm:ss)
* One 5-minute folder may contain several .gz log files
* The timestamp unit is milliseconds, not seconds
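The troubleshooting procedure above (pull the .gz log objects for the 5-minute window around the incident, convert the millisecond timestamps, and read off the terminatingRuleId, clientIp and Host of each blocked request) as an added Python example; this is not code from these notes or from AWS. The field names follow the AWS WAF log format, but every record, the distribution ID and the web ACL ARN are constructed, and the gzip object is built in memory to stand in for a file downloaded from the aws-waf-logs-* bucket.

```python
import gzip
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

WEB_ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/EXAMPLE-ID"


def _record(ts_ms: int, action: str, rule_id: str, inner_rule: Optional[str], uri: str, ip: str) -> Dict:
    """Build one constructed log record in the AWS WAF JSON log layout."""
    groups = []
    if inner_rule:  # managed rule group: the specific rule sits inside ruleGroupList
        groups.append({"ruleGroupId": "AWS#" + rule_id.removeprefix("AWS-"),
                       "terminatingRule": {"ruleId": inner_rule, "action": action}})
    return {
        "timestamp": ts_ms,                       # milliseconds since the epoch
        "webaclId": WEB_ACL_ARN,
        "terminatingRuleId": rule_id,
        "terminatingRuleType": "MANAGED_RULE_GROUP" if inner_rule else "REGULAR",
        "action": action,
        "httpSourceName": "CF",                    # CloudFront
        "httpSourceId": "EXAMPLEDISTRIBUTIONID",   # constructed distribution ID
        "ruleGroupList": groups,
        "httpRequest": {
            "clientIp": ip, "country": "US", "uri": uri, "httpMethod": "POST",
            "headers": [{"name": "Host", "value": "www.example.com"},
                        {"name": "User-Agent", "value": "curl/7.88.0"}],
        },
    }


# Three constructed records: two blocks by different managed rule groups
# around one allowed request, all on 2023-02-06 (UTC).
SAMPLE_RECORDS = [
    _record(1675641600123, "BLOCK", "AWS-AWSManagedRulesAnonymousIpList",
            "AnonymousIPList", "/admin/login", "203.0.113.10"),    # 00:00:00.123Z
    _record(1675641900456, "ALLOW", "Default_Action", None,
            "/index.html", "198.51.100.7"),                         # 00:05:00.456Z
    _record(1675642020789, "BLOCK", "AWS-AWSManagedRulesCommonRuleSet",
            "SizeRestrictions_BODY", "/api/upload", "192.0.2.44"),  # 00:07:00.789Z
]


def sample_gz_object() -> bytes:
    """Gzip'd JSON Lines, the shape of one log object in the S3 bucket."""
    body = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\n"
    return gzip.compress(body.encode())


def parse_waf_log(gz_bytes: bytes) -> List[Dict]:
    """Decompress one log object and parse each non-empty line as a record."""
    text = gzip.decompress(gz_bytes).decode()
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def waf_timestamp(record: Dict) -> datetime:
    """WAF timestamps are milliseconds; split them so no float rounding creeps in."""
    ms = int(record["timestamp"])
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def header(record: Dict, name: str) -> Optional[str]:
    """Case-insensitive lookup in the httpRequest.headers list."""
    for h in record["httpRequest"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def matched_rule(record: Dict) -> Optional[str]:
    """The individual rule inside a managed rule group that terminated evaluation."""
    for group in record.get("ruleGroupList") or []:
        term = group.get("terminatingRule")
        if term:
            return term["ruleId"]
    return None


def summarize(record: Dict) -> Dict:
    """The fields you actually need when chasing a 403."""
    return {
        "time": waf_timestamp(record).isoformat(timespec="milliseconds"),
        "action": record["action"],
        "terminating_rule": record["terminatingRuleId"],
        "matched_rule": matched_rule(record),
        "client_ip": record["httpRequest"]["clientIp"],
        "host": header(record, "Host"),
        "uri": record["httpRequest"]["uri"],
        "source": f'{record["httpSourceName"]}:{record["httpSourceId"]}',
    }


def blocked_requests(records: List[Dict], since: Optional[datetime] = None,
                     until: Optional[datetime] = None) -> List[Dict]:
    """BLOCK records, optionally narrowed to [since, until)."""
    out = []
    for r in records:
        if r["action"] != "BLOCK":
            continue
        ts = waf_timestamp(r)
        if (since and ts < since) or (until and ts >= until):
            continue
        out.append(r)
    return out


def log_folder_minute(when: datetime) -> str:
    """5-minute folder (00, 05, 10, ...) whose object should hold records for `when`."""
    return f"{when.minute - when.minute % 5:02d}"


if __name__ == "__main__":
    records = parse_waf_log(sample_gz_object())
    incident = datetime(2023, 2, 6, 0, 7, tzinfo=timezone.utc)
    print("start with the minute folder:", log_folder_minute(incident))
    for r in blocked_requests(records):
        print(summarize(r))
```

For a real investigation, download every .gz object in the incident's 5-minute folder (and the neighbouring ones, since a request logged at 04:59 lands in the 00 folder) and feed each through parse_waf_log; summarize gives you the rule to look at in the web ACL and the client IP and Host to correlate with the user's report.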
Labels on web requests
A label is metadata added to a web request by a matching rule.
You can use labels to communicate rule match results to rules that are evaluated later in the same web ACL.
Change Rule Priority
After editing a rule, the last step of the wizard asks for the rule priority.
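Labels and rule priority together, as an added example that is not from these notes or from AWS: a managed rule group run with a Count override still adds its label, and a custom rule placed after it blocks on that label except for one path prefix; put the custom rule before the managed group and it never sees the label. The evaluator is a simplified model of web ACL evaluation order, not the real engine, and the label name and the /public-api/ exception are assumptions for the example.

```python
from typing import Dict, List, Set, Tuple, Optional

# Label the Anonymous IP list rule group adds on a match. Assumed name for the
# example; confirm it against the rule group's documentation before relying on it.
ANON_LABEL = "awswaf:managed:aws:anonymous-ip-list:AnonymousIPList"
GROUP_LABELS: Dict[str, Set[str]] = {"AWSManagedRulesAnonymousIpList": {ANON_LABEL}}


def managed_group_rule(name: str, priority: int) -> Dict:
    """Managed rule group in Count mode: labels are added, nothing is blocked."""
    return {"Name": f"AWS-{name}", "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": {"Count": {}}}


def label_block_rule(priority: int) -> Dict:
    """Custom rule: block labelled requests unless the path is under /public-api/ (constructed exception)."""
    return {"Name": "block-anonymous-except-public-api", "Priority": priority,
            "Statement": {"AndStatement": {"Statements": [
                {"LabelMatchStatement": {"Scope": "LABEL", "Key": ANON_LABEL}},
                {"NotStatement": {"Statement": {"ByteMatchStatement": {
                    "FieldToMatch": {"UriPath": {}},
                    "PositionalConstraint": "STARTS_WITH",
                    "SearchString": "/public-api/"}}}}]}},
            "Action": {"Block": {}}}


def managed_group_matches(name: str, request: Dict) -> bool:
    """Stand-in for the managed group's own detection: the constructed request says whether it is anonymous."""
    return name in GROUP_LABELS and bool(request.get("anonymous_source"))


def statement_matches(stmt: Dict, request: Dict, labels: Set[str]) -> bool:
    kind, body = next(iter(stmt.items()))
    if kind == "ManagedRuleGroupStatement":
        return managed_group_matches(body["Name"], request)
    if kind == "LabelMatchStatement":
        return body["Key"] in labels          # only labels added by earlier rules exist here
    if kind == "AndStatement":
        return all(statement_matches(s, request, labels) for s in body["Statements"])
    if kind == "NotStatement":
        return not statement_matches(body["Statement"], request, labels)
    if kind == "ByteMatchStatement":
        if "UriPath" not in body["FieldToMatch"] or body["PositionalConstraint"] != "STARTS_WITH":
            raise ValueError("example evaluator only models STARTS_WITH on UriPath")
        return request["uri"].startswith(body["SearchString"])
    raise ValueError(f"unsupported statement {kind}")


def evaluate(rules: List[Dict], request: Dict) -> Tuple[str, Optional[str]]:
    """Walk rules in ascending Priority; return (action, terminating rule name)."""
    labels: Set[str] = set()
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if not statement_matches(rule["Statement"], request, labels):
            continue
        if "ManagedRuleGroupStatement" in rule["Statement"]:
            labels |= GROUP_LABELS[rule["Statement"]["ManagedRuleGroupStatement"]["Name"]]
            if "Count" in rule.get("OverrideAction", {}):
                continue                      # counted: later rules still run
            return "BLOCK", rule["Name"]
        if "Block" in rule.get("Action", {}):
            return "BLOCK", rule["Name"]
    return "ALLOW", None                      # web ACL default action


GOOD_ORDER = [managed_group_rule("AWSManagedRulesAnonymousIpList", 0), label_block_rule(1)]
BAD_ORDER = [managed_group_rule("AWSManagedRulesAnonymousIpList", 1), label_block_rule(0)]

if __name__ == "__main__":
    req = {"uri": "/admin/login", "anonymous_source": True}   # constructed request
    print("label rule after group :", evaluate(GOOD_ORDER, req))
    print("label rule before group:", evaluate(BAD_ORDER, req))
```

The second print shows the failure mode behind the priority prompt in the console: with the custom rule at priority 0 the label does not exist yet when it runs, so the request is allowed even though the managed group matched and counted it.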
Logging
Supports logging to S3, CloudWatch, and Kinesis.
When the web ACL is attached to CloudFront:
- S3 bucket name: aws-waf-logs-X
- AWS Region: us-east-1
Cancel the subscription
1. AWS Marketplace console
2. Manage subscriptions
3. Your subscriptions
4. Agreement > Cancel subscription
Rules
AWSManagedRulesCommonRuleSet
CrossSiteScripting_BODY
The limit is 8 KB for regional web ACLs and 16 KB for CloudFront web ACLs.
This rule uses the Continue option for oversize content handling.
SizeRestrictions_BODY
Inspects for request bodies that are over 8 KB (8,192 bytes).
Querying AWS WAF logs