WAF - Web Application Firewall
A WAF adds a valuable layer of defence and gives teams more time to patch vulnerabilities in the application.
It can also slow down and raise the cost of exploiting known vulnerabilities, and it serves as an early-warning system for suspicious user activity.
Deployment options include attaching AWS WAF to:
CloudFront distribution
API Gateway
ALB
AppSync GraphQL API
To configure WAF, provision a WebACL and then associate it with the API. At a minimum, the following resources are required:
AWS::WAFv2::WebACL
AWS::WAFv2::WebACLAssociation
```yaml
WebACL:
  Type: "AWS::WAFv2::WebACL"
  Properties:
    Name: WebACLSQLi
    Scope: REGIONAL
    Description: Web ACL to block SQL injection
    DefaultAction:
      Allow: {}
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: MyMetricName
    Rules:
      - Name: SQLInject-RuleSet
        Priority: 0
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesSQLiRuleSet
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: SQLInjection-ruleset-metric
WebACLAssociation:
  Type: "AWS::WAFv2::WebACLAssociation"
  Properties:
    WebACLArn: !GetAtt WebACL.Arn
    ResourceArn: !Ref ApiARN
```
A CloudFormation stack that deploys the WebACL resources for an ALB:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template defines Web ACL resources
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Resources
        Parameters:
          - albARN
      - Label:
          default: Names
        Parameters:
          - tagName
          - tagNamePrefix
    ParameterLabels:
      albARN:
        default: ALB ARN
      tagName:
        default: Name Tag
      tagNamePrefix:
        default: Name Prefix
Parameters:
  albARN:
    Description: ARN for the Application Load Balancer
    Type: String
    MinLength: '30'
    MaxLength: '180'
    ConstraintDescription: must be a valid ARN of Application Load Balancer.
  tagName:
    Type: String
    Description: Name tag value
    MinLength: '5'
    MaxLength: '25'
    Default: Default
  tagNamePrefix:
    Description: The prefix for use in Name tag values
    Type: String
    MinLength: '5'
    MaxLength: '25'
    Default: default
Resources:
  webAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Description: Web ACL for Application Load Balancer of Elastic Beanstalk
      Name:
        Fn::Sub: "${tagNamePrefix}-web-owasp"
      DefaultAction:
        Allow: {}
      Rules:
        - Name: AWS-CRS
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
              ExcludedRules: []
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName:
              Fn::Sub: "${tagNamePrefix}-aws-crs-metric"
        - Name: Bad-Inputs
          Priority: 1
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesKnownBadInputsRuleSet
              ExcludedRules: []
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName:
              Fn::Sub: "${tagNamePrefix}-bad-inputs-metric"
        - Name: Anonymous-IpList
          Priority: 2
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesAnonymousIpList
              ExcludedRules: []
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName:
              Fn::Sub: "${tagNamePrefix}-anonymous-iplist-metric"
        - Name: Windows-RuleSet
          Priority: 3
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesWindowsRuleSet
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName:
              Fn::Sub: "${tagNamePrefix}-windows-ruleset-metric"
        - Name: SQLInject-RuleSet
          Priority: 4
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName:
              Fn::Sub: "${tagNamePrefix}-SQLinjection-ruleset-metric"
      Scope: REGIONAL
      Tags:
        - Key: Name
          Value:
            Fn::Sub: "${tagName} OWASP Web ACL"
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName:
          Fn::Sub: "${tagNamePrefix}-web-owasp-metric"
  cloudwatchLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName:
        Fn::Sub: aws-waf-logs-${tagNamePrefix}-web-owasp
      RetentionInDays: 180
  webAcllogging:
    Type: AWS::WAFv2::LoggingConfiguration
    # The destination ARN below is built with Fn::Sub, which creates no implicit
    # dependency, so the log group must be created first or stack creation can fail.
    DependsOn: cloudwatchLogsGroup
    Properties:
      ResourceArn:
        Fn::GetAtt:
          - webAcl
          - Arn
      LogDestinationConfigs:
        - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-${tagNamePrefix}-web-owasp
      LoggingFilter:
        DefaultBehavior: KEEP
        Filters:
          - Behavior: KEEP
            Conditions:
              - ActionCondition:
                  Action: BLOCK
            Requirement: MEETS_ANY
      RedactedFields:
        - SingleHeader:
            Name: password
  albWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn:
        Ref: albARN
      WebACLArn:
        Fn::GetAtt:
          - webAcl
          - Arn
Outputs:
  OWASPWebAclARN:
    Description: ARN of WebACL
    Value:
      Fn::GetAtt:
        - webAcl
        - Arn
  CloudwatchLogsGroupARN:
    Description: ARN of CloudWatch Logs Group
    Value:
      Fn::GetAtt:
        - cloudwatchLogsGroup
        - Arn
```
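As an added example (not part of the original post), the following Python script consumes the JSON records that the LoggingConfiguration above delivers to the aws-waf-logs-* CloudWatch log group: it counts blocks per Web ACL rule, per managed rule inside the rule groups and per client IP, and checks that the password header really arrives as REDACTED. The record values are constructed; the field names follow the AWS WAF log format.

```python
import json
from collections import Counter
# Builds one constructed AWS WAF log record (hypothetical values) in the JSON
# shape the LoggingConfiguration above delivers to the aws-waf-logs-* group.
def _record(action, rule, group, group_rule, ip, headers):
    groups = [] if group is None else [{"ruleGroupId": "AWS#" + group,
              "terminatingRule": {"ruleId": group_rule, "action": action}}]
    return json.dumps({"action": action, "terminatingRuleId": rule,
                       "ruleGroupList": groups,
                       "httpRequest": {"clientIp": ip, "headers": headers}})

H = {"name": "host", "value": "app.example.com"}  # constructed header
SAMPLE_LOG = "\n".join([
    _record("BLOCK", "SQLInject-RuleSet", "AWSManagedRulesSQLiRuleSet",
            "SQLi_QUERYARGUMENTS", "203.0.113.10",
            [H, {"name": "password", "value": "REDACTED"}]),
    _record("BLOCK", "AWS-CRS", "AWSManagedRulesCommonRuleSet",
            "NoUserAgent_HEADER", "203.0.113.10", [H]),
    _record("BLOCK", "Bad-Inputs", "AWSManagedRulesKnownBadInputsRuleSet",
            "Log4JRCE", "198.51.100.7", [H]),
    _record("ALLOW", "Default_Action", None, None, "192.0.2.5",
            [H, {"name": "password", "value": "not-redacted"}]),
    "not json",  # a corrupt line the parser must tolerate
])

def parse_waf_log(text):
    """Parse newline-delimited WAF JSON records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except ValueError:
            continue
    return records

def summarize_blocks(records):
    """Count BLOCK decisions per Web ACL rule, managed rule and client IP."""
    by_rule, by_managed, by_ip = Counter(), Counter(), Counter()
    for r in records:
        if r.get("action") != "BLOCK":
            continue
        by_rule[r["terminatingRuleId"]] += 1
        by_ip[r["httpRequest"]["clientIp"]] += 1
        for g in r.get("ruleGroupList", []):
            by_managed[g["ruleGroupId"] + ":" + g["terminatingRule"]["ruleId"]] += 1
    return {"by_rule": by_rule, "by_managed_rule": by_managed, "by_ip": by_ip}

def unredacted_header_ips(records, name="password"):
    """Client IPs whose logged `name` header was not REDACTED (RedactedFields gap)."""
    return [r["httpRequest"]["clientIp"] for r in records
            for h in r["httpRequest"]["headers"]
            if h["name"].lower() == name and h["value"] != "REDACTED"]
```

Note that with DefaultBehavior: KEEP the logging filter in the template retains every record, not only blocked requests, so the script selects on the action field itself; set DefaultBehavior: DROP if only blocks should be logged.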
Reference: https://dev.to/selvapal/waf-web-application-firewall-2jp7