WAF - Web Application Firewall

A WAF is commonly used to protect web applications and APIs from common attacks such as SQL injection, cross-site scripting and cross-site request forgery.
It adds a valuable layer of defense and gives teams more time to patch vulnerabilities in the application.
It can also speed up, and lower the cost of, responding to exploitation of known vulnerabilities, and it can serve as an early warning system for suspicious user activity.

Deployment options include attaching AWS WAF to:

CloudFront distributions
API Gateway
Application Load Balancer (ALB)
AppSync GraphQL API

To configure WAF you provision a WebACL and then associate it with the API. At minimum the following resources are required:

AWS::WAFv2::WebACL
AWS::WAFv2::WebACLAssociation

WebACL:
  Type: "AWS::WAFv2::WebACL"
  Properties:
    Name: WebACLSQLi
    Scope: REGIONAL
    Description: Web ACL to block SQL injection
    DefaultAction:
      Allow: {}
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: MyMetricName
    Rules:
      - Name: SQLInject-RuleSet
        Priority: 0
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesSQLiRuleSet
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: SQLInjection-ruleset-metric

WebACLAssociation:
  Type: "AWS::WAFv2::WebACLAssociation"
  Properties:
    WebACLArn: !GetAtt WebACL.Arn
    ResourceArn: !Ref ApiARN

CloudFormation stack for deploying the WebACL resources for an ALB

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template defines Web ACL resources
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Resources
      Parameters:
      - albARN
    - Label:
        default: Names
      Parameters:
      - tagName
      - tagNamePrefix
    ParameterLabels:
      albARN:
        default: ALB ARN
      tagName:
        default: Name Tag
      tagNamePrefix:
        default: Name Prefix
Parameters:
  albARN:
    Description: ARN for the Application Load Balancer
    Type: String
    MinLength: '30'
    MaxLength: '180'
    ConstraintDescription: must be a valid ARN of Application Load Balancer.
  tagName:
    Type: String
    Description: Name tag value
    MinLength: '5'
    MaxLength: '25'
    Default: Default
  tagNamePrefix:
    Description: The prefix for use in Name tag values
    Type: String
    MinLength: '5'
    MaxLength: '25'
    Default: default
Resources:
  webAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Description: Web ACL for Application Load Balancer of Elastic Beanstalk
      Name:
        Fn::Sub: "${tagNamePrefix}-web-owasp"
      DefaultAction:
        Allow: {}
      Rules:
      - Name: AWS-CRS
        Priority: 0
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesCommonRuleSet
            ExcludedRules: []
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName:
            Fn::Sub: "${tagNamePrefix}-aws-crs-metric"
      - Name: Bad-Inputs
        Priority: 1
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesKnownBadInputsRuleSet
            ExcludedRules: []
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName:
            Fn::Sub: "${tagNamePrefix}-bad-inputs-metric"
      - Name: Anonymous-IpList
        Priority: 2
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesAnonymousIpList
            ExcludedRules: []
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName:
            Fn::Sub: "${tagNamePrefix}-anonymous-iplist-metric"
      - Name: Windows-RuleSet
        Priority: 3
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesWindowsRuleSet
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName:
            Fn::Sub: "${tagNamePrefix}-windows-ruleset-metric"
      - Name: SQLInject-RuleSet
        Priority: 4
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesSQLiRuleSet
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName:
            Fn::Sub: "${tagNamePrefix}-SQLinjection-ruleset-metric"
      Scope: REGIONAL
      Tags:
      - Key: Name
        Value:
          Fn::Sub: "${tagName} OWASP Web ACL"
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName:
          Fn::Sub: "${tagNamePrefix}-web-owasp-metric"
  cloudwatchLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName:
        Fn::Sub: aws-waf-logs-${tagNamePrefix}-web-owasp
      RetentionInDays: 180
  webAcllogging:
    Type: AWS::WAFv2::LoggingConfiguration
    # The destination ARN is built with Fn::Sub rather than Fn::GetAtt, so CloudFormation
    # sees no dependency on the log group; declare it explicitly or the logging
    # configuration can be created before the log group exists.
    DependsOn: cloudwatchLogsGroup
    Properties:
      ResourceArn:
        Fn::GetAtt:
        - webAcl
        - Arn
      LogDestinationConfigs:
      - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-${tagNamePrefix}-web-owasp
      # With DefaultBehavior KEEP every request is logged and the BLOCK filter below
      # changes nothing; set DefaultBehavior to DROP to retain only blocked requests.
      LoggingFilter:
        DefaultBehavior: KEEP
        Filters:
        - Behavior: KEEP
          Conditions:
          - ActionCondition:
              Action: BLOCK
          Requirement: MEETS_ANY
      # Header values removed from the logged request before it is written.
      RedactedFields:
      - SingleHeader:
          Name: password
  albWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn:
        Ref: albARN
      WebACLArn:
        Fn::GetAtt:
        - webAcl
        - Arn
Outputs:
  OWASPWebAclARN:
    Description: ARN of WebACL
    Value:
      Fn::GetAtt:
      - webAcl
      - Arn
  CloudwatchLogsGroupARN:
    Description: ARN of CloudWatch Logs Group
    Value:
      Fn::GetAtt:
      - cloudwatchLogsGroup
      - Arn
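Once the logging configuration above is deployed, WAF writes one JSON record per inspected request to the aws-waf-logs-* log group. The Python below is an added example, not code from the original post: it reproduces the LoggingFilter semantics of the template over constructed sample records and summarises which managed rule blocked what, which makes visible that DefaultBehavior KEEP plus a KEEP-on-BLOCK filter retains every request, while DefaultBehavior DROP retains only the blocks. Field names follow the AWS WAF log format; the rule ids and labels in the samples are constructed.

```python
import json
from collections import Counter
# Constructed sample records (not real traffic) in the JSON shape AWS WAF writes to an
# aws-waf-logs-* log group, trimmed to the fields used below; ids/labels are illustrative.
SAMPLE_LOG_LINES = [
    json.dumps({"action": "ALLOW", "terminatingRuleId": "Default_Action", "ruleGroupList": []}),
    json.dumps({"action": "BLOCK", "terminatingRuleId": "SQLInject-RuleSet",
                "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
                                   "terminatingRule": {"ruleId": "SQLi_QUERYARGUMENTS", "action": "BLOCK"}}],
                "labels": [{"name": "awswaf:managed:aws:sql-database:SQLi_QueryArguments"}]}),
    json.dumps({"action": "BLOCK", "terminatingRuleId": "Anonymous-IpList",
                "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesAnonymousIpList",
                                   "terminatingRule": {"ruleId": "AnonymousIPList", "action": "BLOCK"}}],
                "labels": [{"name": "awswaf:managed:aws:anonymous-ip-list:AnonymousIPList"}]}),
]
# The template's LoggingFilter as a plain dict: keep records whose action is BLOCK.
TEMPLATE_FILTERS = [{"Behavior": "KEEP", "Requirement": "MEETS_ANY",
                     "Conditions": [{"ActionCondition": {"Action": "BLOCK"}}]}]

def load_records(lines=SAMPLE_LOG_LINES):
    return [json.loads(line) for line in lines]

def apply_logging_filter(records, default_behavior, filters):
    # WAF semantics: the first filter whose Conditions are met (ANY/ALL per
    # Requirement) decides KEEP or DROP; otherwise DefaultBehavior applies.
    def matches(rec, cond):  # the two condition types WAF logging filters support
        if "ActionCondition" in cond:
            return rec["action"] == cond["ActionCondition"]["Action"]
        return any(lab["name"] == cond["LabelNameCondition"]["LabelName"] for lab in rec.get("labels", []))
    kept = []
    for rec in records:
        behavior = default_behavior
        for f in filters:
            hits = [matches(rec, c) for c in f["Conditions"]]
            if (any(hits) if f["Requirement"] == "MEETS_ANY" else all(hits)):
                behavior = f["Behavior"]
                break
        if behavior == "KEEP":
            kept.append(rec)
    return kept

def blocked_by_rule(records):
    # Count BLOCK records per (Web ACL rule name, managed rule inside it that fired).
    counts = Counter()
    for rec in records:
        if rec["action"] == "BLOCK":
            fired = [g["terminatingRule"]["ruleId"] for g in rec["ruleGroupList"]
                     if g.get("terminatingRule", {}).get("action") == "BLOCK"]
            counts[(rec["terminatingRuleId"], fired[0] if fired else "-")] += 1
    return counts
```

Running `apply_logging_filter(load_records(), "DROP", TEMPLATE_FILTERS)` returns only the two BLOCK records, whereas the template's KEEP default returns all three.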
