如何有选择地仅针对 CloudFormation 中的特定 URI 覆盖 WAF 规则?

0

【以下的问题经过翻译处理】 AWS 通用规则集中存在一些误报,导致难以按原样实施。 例如,如果您的 URI 端点之一接受 XML 或 HTML/HTML 片段,那么您很可能会遇到 CrossSiteScripting 系列规则的问题。 此外,如果您要发布内容,那么某些序列也会触发 LFI 系列规则,例如“../.” 对于不接受该类型数据的所有其他 URI,失去所有 CrossSiteScripting 的优点确实让人感到悲伤。

这篇文章非常有帮助,给了我希望,我可以通过一些工作使其适用于多个 URI,但我无法让它适用于多个 URI。

对于少数 URI,处理此问题最有效的方法是什么?

profile picture
EXPERT
asked 6 months ago39 views
1 Answer
0

【以下的回答经过翻译处理】 经过与南非开普敦出色的 AWS 员工进行了数小时的通话,然后进行了更多的试验和错误,我们决定采用以下实施方式:

以下是一个完整的示例(除了实际将资源与 WAF 关联之外),具有简单的日志记录以方便调试。 仅允许 /uri1、/uri2 和 /uri3 上的 CrossSiteScripting_BODY 和 GenericLFI_BODY。 将 WebACL 流量记录到 CloudWatch,这样我们就不必担心 S3 权限以及 AWS Glue 和 Athena 来查询 WAF 日志。 编辑敏感信息。 如下:

AWSTemplateFormatVersion: '2010-09-09'
Description: WAF implementation that allows exclusions for specific URIs
Transform: AWS::Serverless-2016-10-31
Parameters:
  ProjectName:
    Description: Project Name
    Type: String

Resources:
  regionalWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: REGIONAL
      Name: !Sub ${ProjectName}-regional-webacl
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: !Sub ${ProjectName}-regional-webacl-metric
        SampledRequestsEnabled: true
      Rules:
        - Name: !Sub ${ProjectName}-regional-webacl-AWSManagedRulesKnownBadInputsRuleSet
          Priority: 5
          OverrideAction:
            None: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: !Sub ${ProjectName}-regional-webacl-AWSManagedRulesKnownBadInputsRuleSet-metric
            SampledRequestsEnabled: true
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesKnownBadInputsRuleSet
              VendorName: AWS
        - Name: !Sub ${ProjectName}-regional-webacl-AWSManagedRulesCommonRuleSet
          Priority: 10
          OverrideAction:
            None: {}
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: !Sub ${ProjectName}-regional-webacl-AWSManagedRulesCommonRuleSet-metric
            SampledRequestsEnabled: true
          Statement:
            ManagedRuleGroupStatement:
              Name: AWSManagedRulesCommonRuleSet
              VendorName: AWS
              RuleActionOverrides:
                - Name: CrossSiteScripting_BODY
                  ActionToUse:
                    Count: {}
                - Name: GenericLFI_BODY
                  ActionToUse:
                    Count: {}
        - Name: !Sub ${ProjectName}-regional-webacl-reblock
          Priority: 15
          RuleLabels:
            - Name: reblock
          Statement:
            AndStatement:
              Statements:
                - OrStatement:
                    Statements:
                      - LabelMatchStatement:
                          Key: awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body # Pay very careful attention to the casing, it's NOT CrossSiteScripting_BODY
                          Scope: LABEL
                      - LabelMatchStatement:
                          Key: awswaf:managed:aws:core-rule-set:GenericLFI_Body  # Pay very careful attention to the casing, it's NOT GenericLFI_BODY
                          Scope: LABEL
                - NotStatement:
                    Statement:
                      RegexMatchStatement:
                        FieldToMatch:
                          UriPath: {}
                        RegexString: ^.*\/(?:uri1|uri2|uri3)$ # Note that this regex is supposed to (according to AWS support that I received) match on the whole field, not just part of it.  Also notice that you don't specify the leading forward slash and the trailing slash with common regex flags.  If you need lowercase, then use a TextTransformation to do that.
                        TextTransformations:
                          - Priority: 0
                            Type: NONE
          Action:
            Block: {}
          VisibilityConfig:
              CloudWatchMetricsEnabled: true
              MetricName: !Sub ${ProjectName}-regional-webacl-reblock-metric
              SampledRequestsEnabled: true

  regionalWebAclLoggingConfiguration:
    Type: AWS::WAFv2::LoggingConfiguration
    Properties:
      LogDestinationConfigs:
        - !GetAtt regionalWebAclLogGroup.Arn
      ResourceArn: !GetAtt regionalWebAcl.Arn
      RedactedFields:
        - SingleHeader:
            Name: authorization
        - QueryString: {} # If you use an auth query string parameter, redact the whole query string
      LoggingFilter:
        DefaultBehavior: DROP
        Filters:
          - Behavior: KEEP
            Requirement: MEETS_ANY
            Conditions:
              - ActionCondition:
                  Action: BLOCK
          - Behavior: KEEP
            Requirement: MEETS_ANY
            Conditions:
              - ActionCondition:
                  Action: COUNT


  regionalWebAclLogGroup:
    Type: AWS::Logs::LogGroup
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      LogGroupName: !Sub aws-waf-logs-${ProjectName}-regional-webacl
      RetentionInDays: 30

Outputs:
  regionalWebAclArn:
    Value: !GetAtt regionalWebAcl.Arn
  regionalWebAclLogGroupArn:
    Value: !GetAtt regionalWebAclLogGroup.Arn

请注意,规则名称和规则标签所使用的字符相同,但大小写不同,因此您不能简单地从本文档复制并粘贴规则名称

关于RegEx测试,他们推荐了PCRE2模式的这个网站:https://regex101.com/

profile picture
EXPERT
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions