AWS Waf 및 Shield를 사용하여 DDoS 보호
- AWS Shield 및 웹 애플리케이션 방화벽(WAF)은 모두 AWS 네트워크에 경계 방어를 제공하는 제품입니다.
- Shield는 DDOS 보호 기능을 제공하고 WAF는 Layer 7 애플리케이션 방화벽입니다.
- 참조: https://www.cloudflare.com/en-au/learning/ddos/what-is-a-ddos-attack/
- CDK를 사용하여 예상 규칙으로 AWS WAF를 생성하고 이를 ALB에 연결할 수 있습니다.
이 문서의 내용
🚀 WAF CDK 프로젝트 초기화
⚡ $ mkdir waf_alb
⚡ $ cd waf_alb
⚡ $ cdk init -l python
🚀 코드 스택 작성
RuleProperty
에서 OverrideActionProperty
를 count
로 설정하여 규칙이 웹 요청과 일치하는 경우 일치 항목만 계산합니다. VisibilityConfig
.범위:
REGIONAL
대 CLOUDFRONT
aws wafv2 list-available-managed-rule-groups --scope REGIONAL
from aws_cdk import (
aws_cloudformation as cfn,
aws_wafv2 as waf,
core,
)
class WafStack(core.Stack):
def __init__(self, scope: core.Construct, id: str, env, target_arn, **kwargs) -> None:
super().__init__(scope, id, env=env, **kwargs)
waf_rules = list()
""" 1. Reputation List """
aws_ip_rep_list = waf.CfnWebACL.RuleProperty(
name='WafIpreputation',
priority=1,
override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
statement=waf.CfnWebACL.StatementOneProperty(
managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
name='AWSManagedRulesAmazonIpReputationList',
vendor_name='AWS',
excluded_rules=[]
)
),
visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
cloud_watch_metrics_enabled=True,
metric_name='aws_reputation',
sampled_requests_enabled=True,
)
)
waf_rules.append(aws_ip_rep_list)
""" 2. AnonymousIpList """
aws_anony_list = waf.CfnWebACL.RuleProperty(
name='WafAnony',
priority=2,
override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
statement=waf.CfnWebACL.StatementOneProperty(
managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
name='AWSManagedRulesAnonymousIpList',
vendor_name='AWS',
excluded_rules=[]
)
),
visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
cloud_watch_metrics_enabled=True,
metric_name='aws_anony',
sampled_requests_enabled=True,
)
)
waf_rules.append(aws_anony_list)
""" 3. CommonRule """
aws_common_rule = waf.CfnWebACL.RuleProperty(
name='WafCommonRule',
priority=3,
override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
statement=waf.CfnWebACL.StatementOneProperty(
managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
name='AWSManagedRulesCommonRuleSet',
vendor_name='AWS',
excluded_rules=[]
)
),
visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
cloud_watch_metrics_enabled=True,
metric_name='aws_common',
sampled_requests_enabled=True,
)
)
waf_rules.append(aws_common_rule)
""" 4. PHP Rule """
aws_php_rule = waf.CfnWebACL.RuleProperty(
name='WafPHPRule',
priority=4,
override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
statement=waf.CfnWebACL.StatementOneProperty(
managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
name='AWSManagedRulesPHPRuleSet',
vendor_name='AWS',
excluded_rules=[]
)
),
visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
cloud_watch_metrics_enabled=True,
metric_name='aws_php',
sampled_requests_enabled=True,
)
)
waf_rules.append(aws_php_rule)
""" 5. Linux Rule """
aws_linux_rule = waf.CfnWebACL.RuleProperty(
name='WafLinuxRule',
priority=5,
override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
statement=waf.CfnWebACL.StatementOneProperty(
managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
name='AWSManagedRulesLinuxRuleSet',
vendor_name='AWS',
excluded_rules=[]
)
),
visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
cloud_watch_metrics_enabled=True,
metric_name='aws_linux',
sampled_requests_enabled=True,
)
)
waf_rules.append(aws_linux_rule)
""" DefaultAction: Action of AWS WAF to perform when a web request doesn't match any of the rules in the WebACL. """
web_acl = waf.CfnWebACL(
self, 'WebACL',
default_action=waf.CfnWebACL.DefaultActionProperty(
allow={}
),
scope="REGIONAL", # vs 'CLOUDFRONT'
visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
cloud_watch_metrics_enabled=True,
metric_name='webACL',
sampled_requests_enabled=True
),
name=f'prod-acl',
rules=waf_rules
)
""" Associate it with the resource provided. """
waf.CfnWebACLAssociation(self, 'WAFACLAssociateALB',
web_acl_arn=web_acl.attr_arn,
resource_arn=target_arn
)
🚀 스택 배포
⚡ $ cdk ls
theWalACLAlblon
⚡ $ cdk deploy
theWalACLAlblon: deploying...
theWalACLAlblon: creating CloudFormation changeset...
[██████████████████████████████████████████████████████████] (4/4)
✅ theWalACLAlblon
Stack ARN:
arn:aws:cloudformation:eu-west-2:111111111111:stack/theWalACLAlblon/fbe06250-740f-11eb-9c9f-0685bc814060
· Github · 편물 · · · 페이지 ·
Reference
이 문제에 관하여(AWS Waf 및 Shield를 사용하여 DDoS 보호), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다 https://dev.to/vumdao/using-aws-waf-and-shield-to-protect-ddos-5d03텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념 (Collection and Share based on the CC Protocol.)