WAF IP Based Rule Issue

0

Hi All,

I have WAF ACL configured before API Gateway with simple one rule. As per requirement, rule should allow access from specific list of IPs else block the access.

{
  "Name": "waf_testing_1",
  "Id": "0000000-0000-00000-0000-00000000",
  "ARN": "arn:aws:wafv2:region:account_id:regional/webacl/waf_testing_1/000000-0000-0000-0000-0000000",
  "DefaultAction": {
    "Block": {}
  },
  "Description": "Match a specific URI pattern",
  "Rules": [
    {
      "Name": "match_allowed_ip",
      "Priority": 0,
      "Statement": {
        "NotStatement": {
          "Statement": {
            "IPSetReferenceStatement": {
              "ARN": "arn:aws:wafv2:region:account_id:regional/ipset/allowed_ip/000000-0000-0000-0000-0000000"
            }
          }
        }
      },
      "Action": {
        "Block": {}
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "match_allowed_ip"
      }
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWS-waf_testing_1"
  },
  "Capacity": 1,
  "ManagedByFirewallManager": false,
  "LabelNamespace": "awswaf:account_id:webacl:waf_testing_1:"
}

But it is still allowing even if user is trying to access from different IP. I am really confused about IP based rule in WAF because WAF2 behaves differently and Classic version behave differently. I dont know if anyone has seen similar issue? Any suggestion?

2 Answers
1

In such situations it is good to check the IP address that your user is using over the internet and cross check using the Sampled Requests or WAF logs if that same IP is being logged. Also, sometimes our system might be assigned an IPv6 address along with the IPv4 and the system might be using that for communicating (I have noticed this in a few cases).

As per your use case, I can understand that you want to allow a user only if the IP address is present in the IP set. However as per the rule configuration, none of the rules seem to be allowing the requests

The match_allowed_ip rule will be inspected first, if an IP is not present in the IP set allowed_ip then the request would be blocked.

If the IP is present in the rule then the rule will not match and the request will be evaluated by the default action which is again set to Block

I would request you to validate the user's IP, if the resource is associated with the correct Web ACL and go through the logs in order to determine which rule is Allowing the request.

AWS
answered 9 months ago
0

If you want to restrict IPs on the API Gateway, I found the following resource-based policy to be a good way to do so.
https://repost.aws/knowledge-center/api-gateway-resource-policy-access

Also, looking at the WAF configuration you shared with us, the default rule is block, so if it doesn't match the IP-based rule, it will be blocked.
So it is possible that all accessible requests are judged to match the IP set.
One way to check this would be to output the WAF logs to S3.

profile picture
EXPERT
answered 10 months ago
  • Hi @Riku Thanks for the reply.

    We have considered other options first like security group inbound rule, API resource policy but our use case is different. We have 500+ IPs in allowed list if IPs and whenever new gateway is deployed, gateway IP should be listed. Security group Inbound and resource policy is not good fit here. WAF has capacity to allow 10K ips and we can automate process to update IPs in IP set.

    WAF configuration is as expected if doesn't match IP based-rule then all request should be blocked else allow.

    Thanks

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions