AWS WAF to restrict file download

0

Hi ALL,

Can some one mention the custom ACL which can be used to restrict download of file from the webpage. So the client can only view the list but cannot download it.

Thanks Ritika

Ritika
質問済み 9ヶ月前432ビュー
3回答
0

To configure AWS WAF to restrict file download, you can follow these steps:

  1. Go to the AWS WAF console.
  2. In the navigation pane, choose Web ACLs.
  3. Choose the web ACL that you want to configure.
  4. In the Rules tab, choose Add Rules.
  5. In the Rule type dropdown list, choose Rule Builder.
  6. In the Name field, enter a name for the rule.
  7. In the Type field, choose Regular rule.
  8. In the If a request section, choose Matches the statement.
  9. In the Statement section, configure the following fields:
  10. Inspect: Choose Single header.
  11. Header name: Choose the header that contains the file name.
  12. Regular expression: Enter a regular expression that matches the file names that you want to restrict.
  13. In the Action section, choose Block.
  14. Click Create.

The rule will now be created and applied to the web ACL. Any requests that contain a file name that matches the regular expression will be blocked.

**If the answer is helpful, please click "Accept Answer" and upvote it. **

profile pictureAWS
回答済み 9ヶ月前
  • Hi Dave,

    Thank you so much for the response. It not any specific file but file extension such as - csv,html,pdf

0

Hi Ritika,

I understand you are you trying to see if there is a custom ACL which can be used to restrict download of file from the webpage. So the client can only view the list but cannot download it.

My response will be in two parts:

(a) Client can only view the list? This is more of applying least-privilege permissions. Apply this identiy-based policy to grants users read-only access to AWS WAF resources, to Amazon CloudFront web distributions:

{ "Version":"2012-10-17", "Statement": [ { "Action": [ "wafv2:Get*", "wafv2:List*", "cloudfront:GetDistribution", "cloudfront:GetDistributionConfig", "cloudfront:ListDistributions", "cloudfront:ListDistributionsByWebACLId", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "ec2:DescribeRegions" ], "Effect": "Allow", "Resource": "*" } ] }

(b) Client can only view the list but cannot download it? To restrict download, you can configure CloudFront to require that users access your files using either signed URLs or signed cookies. Require that your users access your content by using CloudFront URLs, not URLs that access content directly on the origin server.

Reference: https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_id-based-policy-examples.html https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

**If the answer is helpful, please click "Accept Answer" and upvote it. **

Kind regards, Ahmed

AWS
回答済み 9ヶ月前
0

Hi Ritika,

In addition to what Dave mentioned, you can also configure a URI path match rule, with the extensions you would like to block. You can specify the file extensions that you would like to block using a regex. Just to get you started with (on best effort basis), I can share a regex which you can use to block .csv and .pdf file downloads. You can add more extensions to this regex as needed.

.+.(csv|pdf)

If you create a "URI path" match rule with the above regex, all the requests for the .csv/.pdf files will be blocked. Below [1] is the document which can help you create a regex, and help you use it in the "URI path" match rule. I hope it helps.

[1] https://docs.aws.amazon.com/waf/latest/developerguide/waf-regex-pattern-set-managing.html

**If the answer is helpful, please click "Accept Answer" and upvote it. **

AWS
回答済み 8ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ