DDoS protection with AWS WAF and Shield

Tags: devops, aws, waf, cloudopz


- AWS Shield and the Web Application Firewall (WAF) are both products that provide perimeter defence for an AWS network.

- Shield provides DDoS protection; WAF is a Layer 7 (application) firewall.

- Reference: https://www.cloudflare.com/en-au/learning/ddos/what-is-a-ddos-attack/

- With CDK we can create an AWS WAF web ACL with the expected rules and associate it with an ALB.




In this article


  • Init WAF CDK Project
  • Write code stack
  • Deploy stacks



🚀 Init WAF CDK project




    ⚡ $ mkdir waf_alb
    ⚡ $ cd waf_alb
    ⚡ $ cdk init -l python
    


🚀 Write the code stack


  • In RuleProperty, set OverrideAction to count so that when a rule in the managed rule group matches a web request, AWS WAF only counts the match instead of applying the group's own block action (this lets you observe what a rule set would block before enforcing it).
  • Set VisibilityConfig to define and enable Amazon CloudWatch metrics and sampling of matched web requests.

  • Scope: REGIONAL or CLOUDFRONT
    • REGIONAL: a regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API or an AWS AppSync GraphQL API.
    • CLOUDFRONT: an Amazon CloudFront distribution.

  • How to list the available managed rule groups:

    aws wafv2 list-available-managed-rule-groups --scope REGIONAL
    


  • Code: https://github.com/vumdao/waf-alb/waf_alb_stack.py

    from aws_cdk import (
        aws_wafv2 as waf,
        core,
    )
    
    
    class WafStack(core.Stack):
    
        def __init__(self, scope: core.Construct, id: str, env, target_arn, **kwargs) -> None:
            super().__init__(scope, id, env=env, **kwargs)
    
            waf_rules = list()
    
            """ 1. Reputation List """
            aws_ip_rep_list = waf.CfnWebACL.RuleProperty(
                name='WafIpreputation',
                priority=1,
                override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
                statement=waf.CfnWebACL.StatementOneProperty(
                    managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
                        name='AWSManagedRulesAmazonIpReputationList',
                        vendor_name='AWS',
                        excluded_rules=[]
                    )
                ),
                visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
                    cloud_watch_metrics_enabled=True,
                    metric_name='aws_reputation',
                    sampled_requests_enabled=True,
                )
            )
            waf_rules.append(aws_ip_rep_list)
    
            """ 2. AnonymousIpList """
            aws_anony_list = waf.CfnWebACL.RuleProperty(
                name='WafAnony',
                priority=2,
                override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
                statement=waf.CfnWebACL.StatementOneProperty(
                    managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
                        name='AWSManagedRulesAnonymousIpList',
                        vendor_name='AWS',
                        excluded_rules=[]
                    )
                ),
                visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
                    cloud_watch_metrics_enabled=True,
                    metric_name='aws_anony',
                    sampled_requests_enabled=True,
                )
            )
            waf_rules.append(aws_anony_list)
    
            """ 3. CommonRule """
            aws_common_rule = waf.CfnWebACL.RuleProperty(
                name='WafCommonRule',
                priority=3,
                override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
                statement=waf.CfnWebACL.StatementOneProperty(
                    managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
                        name='AWSManagedRulesCommonRuleSet',
                        vendor_name='AWS',
                        excluded_rules=[]
                    )
                ),
                visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
                    cloud_watch_metrics_enabled=True,
                    metric_name='aws_common',
                    sampled_requests_enabled=True,
                )
            )
            waf_rules.append(aws_common_rule)
    
            """ 4. PHP Rule """
            aws_php_rule = waf.CfnWebACL.RuleProperty(
                name='WafPHPRule',
                priority=4,
                override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
                statement=waf.CfnWebACL.StatementOneProperty(
                    managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
                        name='AWSManagedRulesPHPRuleSet',
                        vendor_name='AWS',
                        excluded_rules=[]
                    )
                ),
                visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
                    cloud_watch_metrics_enabled=True,
                    metric_name='aws_php',
                    sampled_requests_enabled=True,
                )
            )
            waf_rules.append(aws_php_rule)
    
            """ 5. Linux Rule """
            aws_linux_rule = waf.CfnWebACL.RuleProperty(
                name='WafLinuxRule',
                priority=5,
                override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
                statement=waf.CfnWebACL.StatementOneProperty(
                    managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
                        name='AWSManagedRulesLinuxRuleSet',
                        vendor_name='AWS',
                        excluded_rules=[]
                    )
                ),
                visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
                    cloud_watch_metrics_enabled=True,
                    metric_name='aws_linux',
                    sampled_requests_enabled=True,
                )
            )
            waf_rules.append(aws_linux_rule)
    
            """ DefaultAction: Action of AWS WAF to perform when a web request doesn't match any of the rules in the WebACL. """
            web_acl = waf.CfnWebACL(
                self, 'WebACL',
                default_action=waf.CfnWebACL.DefaultActionProperty(
                    allow={}
                ),
                scope="REGIONAL",  # vs 'CLOUDFRONT'
                visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
                    cloud_watch_metrics_enabled=True,
                    metric_name='webACL',
                    sampled_requests_enabled=True
                ),
                name='prod-acl',
                rules=waf_rules
            )
    
            """ Associate it with the resource provided. """
            waf.CfnWebACLAssociation(self, 'WAFACLAssociateALB',
                                     web_acl_arn=web_acl.attr_arn,
                                     resource_arn=target_arn
                                     )
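
The stack above repeats the same managed-rule-group block five times, all in count mode. As an added example (not code from the page or from the vumdao/waf-alb project), the block below expresses the same five rules in the CloudFormation JSON shape that CfnWebACL renders, checks the web ACL for the mistakes that CloudFormation would otherwise reject at deploy time (bad scope, duplicate priorities, disallowed metric names), shows how a single rule is promoted from Count to None once its matches have been reviewed, and runs a triage pass over WAF log records to see what each COUNT rule would have blocked. The log records, their rule ids and client IPs are constructed and only approximate the AWS WAF log layout (COUNT matches under ruleGroupList[].nonTerminatingMatchingRules); the metric-name pattern and reserved names are assumptions about the WAFv2 constraints.

```python
# Added example, not code from the page or from the vumdao/waf-alb project.
# Rules in CloudFormation JSON shape, an ACL consistency check, a count-to-block
# promotion helper, and a triage pass over constructed WAF log records.
import json
import re
from collections import Counter

SCOPES = {"REGIONAL", "CLOUDFRONT"}
METRIC_NAME_RE = re.compile(r"^[\w#:.\-/]{1,128}$")   # assumed WAFv2 MetricName constraint
RESERVED_METRIC_NAMES = {"All", "Default_Action"}     # assumed names WAF reserves


def managed_rule(name, priority, group, metric, count=True, excluded=()):
    """One Rules[] entry. OverrideAction Count={} only records matches;
    None={} lets the rule group's own (usually BLOCK) actions take effect."""
    return {
        "Name": name,
        "Priority": priority,
        "OverrideAction": {"Count": {}} if count else {"None": {}},
        "Statement": {"ManagedRuleGroupStatement": {
            "Name": group, "VendorName": "AWS",
            "ExcludedRules": [{"Name": r} for r in excluded]}},
        "VisibilityConfig": {"CloudWatchMetricsEnabled": True,
                             "MetricName": metric,
                             "SampledRequestsEnabled": True},
    }


# The page's five rules: same names, priorities and metric names as the stack.
RULES = [
    managed_rule("WafIpreputation", 1, "AWSManagedRulesAmazonIpReputationList", "aws_reputation"),
    managed_rule("WafAnony", 2, "AWSManagedRulesAnonymousIpList", "aws_anony"),
    managed_rule("WafCommonRule", 3, "AWSManagedRulesCommonRuleSet", "aws_common"),
    managed_rule("WafPHPRule", 4, "AWSManagedRulesPHPRuleSet", "aws_php"),
    managed_rule("WafLinuxRule", 5, "AWSManagedRulesLinuxRuleSet", "aws_linux"),
]


def validate_web_acl(scope, rules):
    """Return a list of problems; an empty list means the ACL is consistent."""
    problems = []
    if scope not in SCOPES:
        problems.append(f"scope must be REGIONAL or CLOUDFRONT, got {scope!r}")
    for prio, n in Counter(r["Priority"] for r in rules).items():
        if n > 1:
            problems.append(f"priority {prio} is used by {n} rules; it must be unique")
    for r in rules:
        metric = r["VisibilityConfig"]["MetricName"]
        if not METRIC_NAME_RE.match(metric) or metric in RESERVED_METRIC_NAMES:
            problems.append(f"rule {r['Name']}: metric name {metric!r} is not allowed")
    return problems


def promote_to_block(rules, rule_name):
    """Copy of rules with one rule switched from Count to None (enforcing)."""
    return [dict(r, OverrideAction={"None": {}}) if r["Name"] == rule_name else r
            for r in rules]


def _rec(ip, uri, matches):
    """Constructed log record approximating the AWS WAF log format; COUNT matches
    sit under ruleGroupList[].nonTerminatingMatchingRules. matches = [(group, rule)]."""
    return {"action": "ALLOW", "terminatingRuleId": "Default_Action",
            "ruleGroupList": [{"ruleGroupId": g, "nonTerminatingMatchingRules":
                               [{"ruleId": r, "action": "COUNT"}]} for g, r in matches],
            "httpRequest": {"clientIp": ip, "uri": uri}}


SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [   # constructed, one JSON record per line
    _rec("203.0.113.10", "/upload", [("AWS#AWSManagedRulesCommonRuleSet", "SizeRestrictions_BODY")]),
    _rec("203.0.113.11", "/", []),
    _rec("198.51.100.7", "/login", [("AWS#AWSManagedRulesAmazonIpReputationList", "AWSManagedIPReputationList")]),
    _rec("198.51.100.7", "/index.php", [("AWS#AWSManagedRulesCommonRuleSet", "SizeRestrictions_BODY"),
                                       ("AWS#AWSManagedRulesPHPRuleSet", "PHPHighRiskMethodsVariables_QUERYSTRING")]),
])


def count_mode_matches(log_text):
    """Tally COUNT matches per (rule group, rule id) and, per client IP, how many
    of its requests would have been blocked had those rules been enforcing."""
    by_rule, by_ip, requests = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        requests += 1
        hit = False
        for group in rec.get("ruleGroupList", []):
            for m in group.get("nonTerminatingMatchingRules", []):
                if m.get("action") == "COUNT":
                    by_rule[(group["ruleGroupId"], m["ruleId"])] += 1
                    hit = True
        if hit:
            by_ip[rec["httpRequest"]["clientIp"]] += 1
    return {"requests": requests, "by_rule": dict(by_rule), "by_ip": dict(by_ip)}


if __name__ == "__main__":
    print("ACL problems:", validate_web_acl("REGIONAL", RULES) or "none")
    for (group, rule), n in count_mode_matches(SAMPLE_LOGS)["by_rule"].items():
        print(f"{n:>3}  {group}  {rule}")
```

Run as a script it prints the ACL check and the per-rule tally; point count_mode_matches at the real log text once logging is enabled on the web ACL. A rule whose counted matches are mostly legitimate traffic (in the sample, SizeRestrictions_BODY on an upload path) is a candidate for ExcludedRules, not for promotion to block; a rule whose matches come only from reputation-listed clients is the one to promote first.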
    


🚀 Deploy the stacks




    ⚡ $ cdk ls
    theWalACLAlblon
    
    ⚡ $ cdk deploy 
    theWalACLAlblon: deploying...
    theWalACLAlblon: creating CloudFormation changeset...
    [██████████████████████████████████████████████████████████] (4/4)
    
    
     ✅  theWalACLAlblon
    
    Stack ARN:
    arn:aws:cloudformation:eu-west-2:111111111111:stack/theWalACLAlblon/fbe06250-740f-11eb-9c9f-0685bc814060
    


  • Requests
  • Rules
  • Associated ALB
  • CloudWatch metrics
