AWS WAFv2 - SCP to Prevent Custom Rule Deletion

1

Hi all, I'm working on an automation process that creates a WAFv2 WebACL whenever a CloudFront distribution is created, using EventBridge and Step Functions.

The automation should create a WebACL (if one doesn't already exist) with the following two rules :

  1. OnlyProxy : An IPSet rule that allows access to the CloudFront distribution only from our proxies' IP addresses.
  2. Core Rule Set : AWS-AWSManagedRulesCommonRuleSet

Enter image description here

To complete this setup, I need to create a Service Control Policy (SCP) that prevents anyone from removing the OnlyProxy rule, except for a specific team. The other managed rule group, "AWS-AWSManagedRulesCommonRuleSet", can be updated by anyone.

I've been struggling to specify the OnlyProxy rule name as a condition for the Deny action in the SCP.

Has anyone faced a similar issue or can offer some guidance? Your assistance would be greatly appreciated.

Thanks

2 Answers
1

Try WAF with tags

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "wafv2:DeleteRuleGroup",
                "wafv2:DeleteWebACL"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Protected": "True"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "wafv2:DeleteRuleGroup",
                "wafv2:DeleteWebACL"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:RequestTag/Protected": "True"
                }
            }
        }
    ]
}
profile picture
EXPERT
answered 23 days ago
profile picture
EXPERT
Artem
reviewed 19 days ago
profile picture
EXPERT
A_J
reviewed 23 days ago
  • The answer isn't clear enough, If I prevent someone from deleting a Rule Group this doesn't mean that they can't modify or remove a custom rule inside the WebACL

1

I don't think you can accomplish that with an IAM policy. I believe the OnlyProxy rule could be removed, its matching criteria changed, or priority modified to move it where another rule would get evaluated before it with the UpdateRuleGroup API call, for which permissions would be checked against those specified for wafv2:UpdateRuleGroup: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html

The permissions IAM evaluates for wafv2:UpdateRuleGroup only cover "rulegroup", "ipset", and "regexpatternset" types of resources and resource tags associated with those resource types. The individual rules and their attributes are specified as an array type of parameter to the UpdateRuleGroup API, and the contents of that array aren't validated against IAM policies, including SCPs, except for the "ipset" or "regexpatternset" types of resources used in the rules.

If you're using AWS Config, you could consider building a custom Config rule that would detect unauthorised changes and alert you or trigger automatic remediation.

EXPERT
Leo K
answered 22 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions