How do I protect my Elastic Beanstalk environment against attacks from known unwanted hosts?
My AWS Elastic Beanstalk instances are getting requests from an unwanted hostname. How can I protect my Elastic Beanstalk instances from getting requests from this hostname?
Short description
In an Elastic Beanstalk environment with an Application Load Balancer, you can use AWS WAF as a custom resource to protect your instances against attacks from unwanted hostnames.
To block your Elastic Beanstalk environment from unwanted hostnames, complete the steps from either of the following sections:
- Block one hostname
- Block multiple hostnames
Resolution
Block one hostname
1. Create a waf.config configuration file in your .ebextensions directory.
2. Update your waf.config file based on the following example. Be sure to replace BlockedHost1 with the hostname that you want to block from your Elastic Beanstalk environment.
option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
  aws:elasticbeanstalk:customoption:
    BlockedHost1: 'exampletoblock.com'

Resources:
  BlockedHostnames:
    Type: "AWS::WAFv2::RegexPatternSet"
    Properties:
      Description: 'List of Hostnames to be blocked by WebACL'
      Name: BlockedHostsSet
      RegularExpressionList:
        - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost1" }}
      Scope: REGIONAL
  WafAcl:
    Type: "AWS::WAFv2::WebACL"
    Properties:
      Description: "Web ACL to Block requests from unknown hosts on AWSEBV2LoadBalancer"
      Name: "BlockHostACL"
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: BlockHostACLMetric
      Rules:
        - Name: BlockedHostsRule
          Priority: 1
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: UnknownHostRule1
          Statement:
            RegexPatternSetReferenceStatement:
              Arn: '`{ "Fn::GetAtt" : ["BlockedHostnames", "Arn" ]}`'
              FieldToMatch:
                SingleHeader:
                  Name: Host
              TextTransformations:
                - Priority: 0
                  Type: NONE
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: '`{ "Ref" : "AWSEBV2LoadBalancer" }`'
      WebACLArn: '`{ "Fn::GetAtt" : ["WafAcl", "Arn" ]}`'
3. Create or update your Elastic Beanstalk environment with your waf.config file from step 2.
Important: If you apply your waf.config file to an existing Elastic Beanstalk environment that doesn't have an Application Load Balancer, you get an error. This happens because the load balancer type can be defined only during environment creation. For more information, see Configuring an Application Load Balancer. You can change your load balancer type with a blue/green deployment.
4. To confirm that BlockedHost1 is blocked from sending requests to your Elastic Beanstalk environment, open a terminal and then run the following command to simulate a request originating from exampletoblock.com.
$ curl -I -H 'host: exampletoblock.com' http://YOUR-ENV-NAME.YOUR-ENV-ID.AWS-REGION.elasticbeanstalk.com
Note: Replace exampletoblock.com with the hostname configured in waf.config that you want to block. Replace the URL in the command with your Elastic Beanstalk environment URL.
If the hostname is blocked, then you receive output similar to the following:
HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Mon, 20 Apr 2020 17:31:14 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
5. To simulate a normal request, run the following command:
$ curl -I http://ENV-NAME.ENV-ID.eu-west-1.elasticbeanstalk.com
If the request is successful, then you see a 200 status code and output similar to the following:
HTTP/1.1 200 OK
Date: Mon, 20 Apr 2020 17:38:04 GMT
Content-Type: text/html
Content-Length: 3352
Connection: keep-alive
Server: nginx/1.16.1
Block multiple hostnames
You can block multiple hostnames by adding the hostnames to a Web Access Control List (Web ACL) that uses the RegexPatternSet.
In your waf.config file, add each additional hostname as a custom option and reference it in the RegularExpressionList; the WafAcl and WebACLAssociation resources stay the same as in the single-hostname example. See the following example:
option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
  aws:elasticbeanstalk:customoption:
    BlockedHost1: 'exampletoblock.com'
    BlockedHost2: 'anothertoblock.com'

Resources:
  BlockedHostnames:
    Type: "AWS::WAFv2::RegexPatternSet"
    Properties:
      Description: 'List of Hostnames to be blocked by WebACL'
      Name: BlockedHostsSet
      RegularExpressionList:
        - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost1" }}
        - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost2" }}
      Scope: REGIONAL
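The entries in RegularExpressionList are regular expressions, not literal hostnames, and the rule above applies them to the Host header with TextTransformation NONE. The following added Python script (not part of this article or of any AWS tool) shows which Host values the example patterns match, builds anchored versions that match only the exact hostname, and can repeat the curl checks from steps 4 and 5 against an environment URL that you pass on the command line. The hostnames are the constructed values from the example configs above.

```python
import re
import sys
import urllib.error
import urllib.request

# Constructed sample: the values of BlockedHost1 and BlockedHost2 from waf.config.
BLOCKED_PATTERNS = ["exampletoblock.com", "anothertoblock.com"]


def host_is_blocked(host, patterns=BLOCKED_PATTERNS):
    """Simulate BlockedHostsRule: each regex in the pattern set is searched
    (unanchored) in the Host header; any match triggers the Block action.
    TextTransformation NONE means the comparison is case-sensitive."""
    return any(re.search(p, host) for p in patterns)


def anchored(patterns):
    """Escape the dots and anchor each pattern so only the exact hostname,
    with an optional :port suffix, matches (assumed hardening, not from the
    article; WAF regex syntax supports these anchors)."""
    return [r"^" + re.escape(p) + r"(:\d+)?$" for p in patterns]


def probe(env_url, host=None, timeout=10):
    """Send the same HEAD request as the curl commands in steps 4 and 5 and
    return the HTTP status code: 403 is expected for a blocked Host value."""
    req = urllib.request.Request(env_url, method="HEAD")
    if host:
        req.add_header("Host", host)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    strict = anchored(BLOCKED_PATTERNS)
    for h in ["exampletoblock.com", "www.exampletoblock.com",
              "exampletoblockxcom", "example.org"]:
        print(f"{h:25} page pattern: {host_is_blocked(h)!s:5} "
              f"anchored: {host_is_blocked(h, strict)}")
    if len(sys.argv) > 1:  # optional live check against your environment URL
        print("blocked host (expect 403):", probe(sys.argv[1], "exampletoblock.com"))
        print("normal request (expect 200):", probe(sys.argv[1]))
```

Run it with no arguments to see the pattern comparison only; the unanchored page pattern also matches subdomains and, because `.` is a wildcard, strings such as exampletoblockxcom.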
Related information
Adding and customizing Elastic Beanstalk environment resources