
AWS WAFv2 - SCP to Prevent Custom Rule Deletion

1

Hi all, I'm working on an automation process that creates a WAFv2 WebACL whenever a CloudFront distribution is created, using EventBridge and Step Functions.

The automation should create a WebACL (if one doesn't already exist) with the following two rules:

  1. OnlyProxy: An IPSet rule that allows access to the CloudFront distribution only from our proxies' IP addresses.
  2. Core Rule Set: AWS-AWSManagedRulesCommonRuleSet


To complete this setup, I need to create a Service Control Policy (SCP) that prevents anyone from removing the OnlyProxy rule, except for a specific team. The other managed rule group, "AWS-AWSManagedRulesCommonRuleSet", can be updated by anyone.

I've been struggling to specify the OnlyProxy rule name as a condition for the Deny action in the SCP.

Has anyone faced a similar issue or can offer some guidance? Your assistance would be greatly appreciated.

Thanks

2 answers
1

Try WAF with tags

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "wafv2:DeleteRuleGroup",
                "wafv2:DeleteWebACL"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Protected": "True"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "wafv2:DeleteRuleGroup",
                "wafv2:DeleteWebACL"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:ResourceTag/Protected": "True"
                }
            }
        }
    ]
}
Expert
answered 2 years ago
Expert
reviewed 2 years ago
Expert
reviewed 2 years ago
  • The answer isn't clear enough. If I prevent someone from deleting a Rule Group, this doesn't mean that they can't modify or remove a custom rule inside the WebACL.

1

I don't think you can accomplish that with an IAM policy. I believe the OnlyProxy rule could be removed, its matching criteria changed, or priority modified to move it where another rule would get evaluated before it with the UpdateRuleGroup API call, for which permissions would be checked against those specified for wafv2:UpdateRuleGroup: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html

The permissions IAM evaluates for wafv2:UpdateRuleGroup only cover "rulegroup", "ipset", and "regexpatternset" types of resources and resource tags associated with those resource types. The individual rules and their attributes are specified as an array type of parameter to the UpdateRuleGroup API, and the contents of that array aren't validated against IAM policies, including SCPs, except for the "ipset" or "regexpatternset" types of resources used in the rules.

If you're using AWS Config, you could consider building a custom Config rule that would detect unauthorised changes and alert you or trigger automatic remediation.

Expert
answered 2 years ago
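The answer above points out that IAM and SCPs cannot see inside the rule array of an UpdateWebACL or UpdateRuleGroup request, so the OnlyProxy rule has to be protected by detection rather than by authorization. The following custom AWS Config rule (a Python Lambda handler) is an added example written for this thread, not code from either poster. It fetches every WebACL in the requested scope, checks that the OnlyProxy rule is still present, still references the proxy IPSet, is still evaluated first and that the WebACL's default action is still Block, and reports COMPLIANT or NON_COMPLIANT to Config. The rule name OnlyProxy comes from the question; the IPSet ARN, the `scope` rule parameter, the sample WebACL and the use of the WebACL Id as the Config resource id are assumptions.

```python
"""Custom AWS Config rule (Lambda) that verifies a WAFv2 WebACL still carries
the mandatory OnlyProxy rule. Added example, not code from the re:Post thread.
The IPSet ARN below is a placeholder; the rule name comes from the question."""
import json
from datetime import datetime, timezone

REQUIRED_RULE = "OnlyProxy"
# Placeholder ARN of the IPSet that holds the proxy addresses (assumption).
EXPECTED_IPSET_ARN = "arn:aws:wafv2:us-east-1:111122223333:global/ipset/proxies/EXAMPLE-ID"


def check_only_proxy(web_acl):
    """Evaluate one WebACL (the 'WebACL' dict returned by wafv2 GetWebACL).

    Returns (compliant, reasons). The checks cover the tampering paths listed
    in the answer: the rule removed, its matching criteria changed, or its
    priority moved so another rule is evaluated before it.
    """
    reasons = []
    rules = web_acl.get("Rules", [])
    rule = next((r for r in rules if r.get("Name") == REQUIRED_RULE), None)
    if rule is None:
        return False, [f"rule {REQUIRED_RULE} is missing"]

    # Matching criteria: must be an Allow rule that references the proxy IPSet.
    ipset_ref = rule.get("Statement", {}).get("IPSetReferenceStatement", {})
    if ipset_ref.get("ARN") != EXPECTED_IPSET_ARN:
        reasons.append("statement no longer references the proxy IPSet")
    if "Allow" not in rule.get("Action", {}):
        reasons.append("action is not Allow")

    # Ordering: WAF evaluates rules from the lowest priority number upward, so
    # any rule with a lower number than OnlyProxy gets to act before it.
    earlier = sorted(r["Name"] for r in rules
                     if r is not rule and r.get("Priority", 0) < rule.get("Priority", 0))
    if earlier:
        reasons.append("evaluated after: " + ", ".join(earlier))

    # The allow-list only restricts access if everything else is blocked.
    if "Block" not in web_acl.get("DefaultAction", {}):
        reasons.append("default action is not Block")
    return not reasons, reasons


def lambda_handler(event, context):
    """Entry point for a periodic custom Config rule (needs boto3 and AWS credentials)."""
    import boto3  # imported here so check_only_proxy() stays usable offline

    params = json.loads(event.get("ruleParameters") or "{}")
    scope = params.get("scope", "CLOUDFRONT")  # assumed rule parameter
    # CloudFront-scoped WebACLs are only visible through the us-east-1 endpoint.
    waf = boto3.client("wafv2", region_name="us-east-1" if scope == "CLOUDFRONT" else None)
    now = datetime.now(timezone.utc)
    evaluations, marker = [], None
    while True:
        kwargs = {"Scope": scope}
        if marker:
            kwargs["NextMarker"] = marker
        page = waf.list_web_acls(**kwargs)
        for summary in page["WebACLs"]:
            acl = waf.get_web_acl(Name=summary["Name"], Scope=scope, Id=summary["Id"])["WebACL"]
            ok, reasons = check_only_proxy(acl)
            evaluations.append({
                "ComplianceResourceType": "AWS::WAFv2::WebACL",
                "ComplianceResourceId": acl["Id"],  # assumption: Config keys WebACLs by Id
                "ComplianceType": "COMPLIANT" if ok else "NON_COMPLIANT",
                "Annotation": ("; ".join(reasons) or "OnlyProxy rule intact")[:256],
                "OrderingTimestamp": now,
            })
        marker = page.get("NextMarker")
        if not marker:
            break
    if evaluations:
        boto3.client("config").put_evaluations(
            Evaluations=evaluations, ResultToken=event["resultToken"])
    return {"evaluated": len(evaluations)}


# Constructed sample mirroring the two rules described in the question.
SAMPLE_WEB_ACL = {
    "Name": "cloudfront-dist-acl",
    "Id": "example-id",
    "DefaultAction": {"Block": {}},
    "Rules": [
        {"Name": "OnlyProxy", "Priority": 0, "Action": {"Allow": {}},
         "Statement": {"IPSetReferenceStatement": {"ARN": EXPECTED_IPSET_ARN}}},
        {"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 1,
         "OverrideAction": {"None": {}},
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}},
    ],
}

if __name__ == "__main__":
    print(check_only_proxy(SAMPLE_WEB_ACL))                      # intact WebACL
    tampered = {**SAMPLE_WEB_ACL, "Rules": SAMPLE_WEB_ACL["Rules"][1:]}
    print(check_only_proxy(tampered))                            # OnlyProxy removed
```

Because the evaluation logic is a pure function of the GetWebACL response, the same check can be wired to an EventBridge rule on CloudTrail `UpdateWebACL` events for faster alerting, and a remediation step can re-apply the original rule set when the rule reports NON_COMPLIANT. Pair it with the tag-based SCP from the other answer so the WebACL itself cannot simply be deleted.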
