[Improvement] security/waf - Support Bot Control (#545)

widdix · Apr 21, 2021 · 5ea0e50 · 5ea0e50
1 parent bc1454e
commit 5ea0e50
Show file tree

Hide file tree

Showing 8 changed files with 171 additions and 15 deletions.
diff --git a/docs/ecs.md b/docs/ecs.md
@@ -31,6 +31,7 @@ This template describes a fault tolerant and scalable ECS cluster on AWS. The cl
 * `vpc/vpc-*-bastion.yaml` (recommended)
 * `operations/alert.yaml` (recommended)
 * `security/auth-proxy-*.yaml`
+* `security/waf.yaml`
 * `state/s3.yaml`
 * `state/client-sg.yaml`
 
@@ -115,5 +116,6 @@ This template describes a fault tolerant and scalable ECS service that uses a de
 * `ecs/cluster.yaml` (**required**)
 * `operations/alert.yaml` (recommended)
 * `security/auth-proxy-*.yaml`
+* `security/waf.yaml`
 * `vpc/zone-*.yaml`
 * `state/s3.yaml*`
diff --git a/docs/fargate.md b/docs/fargate.md
@@ -28,6 +28,7 @@ This template describes a fault tolerant and scalable Fargate cluster on AWS.
 * `vpc/vpc-*azs.yaml` (**required**)
 * `operations/alert.yaml` (recommended)
 * `security/auth-proxy-*.yaml`
+* `security/waf.yaml`
 * `vpc/zone-*.yaml`
 * `state/s3.yaml*`
 
@@ -86,6 +87,7 @@ This template describes a fault tolerant and scalable Fargate service that uses
 * `fargate/cluster.yaml` (**required**)
 * `operations/alert.yaml` (recommended)
 * `security/auth-proxy-*.yaml`
+* `security/waf.yaml`
 * `vpc/zone-*.yaml`
 * `state/s3.yaml*`
 * `state/client-sg.yaml`

diff --git a/docs/security.md b/docs/security.md
@@ -2,10 +2,10 @@
 
 > **New**: [Become a sponsor](https://github.com/sponsors/widdix) via GitHub Sponsors!
 
-# S3 VirusScan
-This template creates a Antivirus cluster for S3 buckets. You can connect as many buckets as you like by using [S3 Event Notifications](http://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html). The template has it's own repository: [aws-s3-virusscan](https://github.com/widdix/aws-s3-virusscan)
+# VirusScan for Amazon S3
+This template creates a antivirus cluster for S3 buckets. You can connect as many buckets as you like by using [S3 Event Notifications](http://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html). The template has it's own repository: [aws-s3-virusscan](https://github.com/widdix/aws-s3-virusscan)
 
-> The [S3 VirusScan](https://s3-virusscan.widdix.net/) with additional integrations is available in the [AWS Marketplace](https://aws.amazon.com/marketplace/pp/B07XFR781T).
+> The [VirusScan for Amazon S3](https://s3-virusscan.widdix.net/) with additional integrations is available in the [AWS Marketplace](https://aws.amazon.com/marketplace/pp/B07XFR781T).
 
 ## Features
 
@@ -22,7 +22,7 @@ This template creates a Antivirus cluster for S3 buckets. You can connect as man
 * Security Hub Integration
 * SSM OpsCenter Integration
 
-The [S3 VirusScan](https://s3-virusscan.widdix.net/) with additional integrations is available in the [AWS Marketplace](https://aws.amazon.com/marketplace/pp/B07XFR781T).
+The [VirusScan for Amazon S3](https://s3-virusscan.widdix.net/) with additional integrations is available in the [AWS Marketplace](https://aws.amazon.com/marketplace/pp/B07XFR781T).
 
 ## Installation Guide
 Visit the template's repository for installation instructions: [aws-s3-virusscan](https://github.com/widdix/aws-s3-virusscan)
@@ -199,3 +199,17 @@ If you have an existing KMS customer managed CMK you can wrap it into our requir
 
 ## Dependencies
 * `operations/alert.yaml` (recommended)
+
+# Web Application Firewall
+This templates provides a WebACL with preconfigured rules.
+
+## Installation Guide
+1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/security/waf.yaml&stackName=waf)
+1. Click **Next** to proceed with the next step of the wizard.
+1. Specify a name and all parameters for the stack.
+1. Click **Next** to proceed with the next step of the wizard.
+1. Click **Next** to skip the **Options** step of the wizard.
+1. Click **Create** to start the creation of the stack.
+1. Wait until the stack reaches the state **CREATE_COMPLETE**
+
+If you have an existing WEB ACL, or if you need a WAF for CloudFront in a different region, you can wrap it into our required form using a legacy WAF wrapper: [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/security/waf-legacy.yaml&stackName=waf)
diff --git a/docs/state.md b/docs/state.md
@@ -42,8 +42,9 @@ Two node DocumentDB cluster for HA.
 * `vpc/vpc-*azs.yaml` (**required**)
 * `state/client-sg.yaml` (**required**)
 * `security/kms-key.yaml` (recommended)
-* `vpc/vpc-*-bastion.yaml`
 * `operations/alert.yaml` (recommended)
+* `vpc/vpc-*-bastion.yaml`
+* `state/secretsmanager-secret.yaml`
 
 ## Limitations
 * No auto scaling
@@ -170,9 +171,10 @@ Two node Aurora cluster for HA.
 * `vpc/vpc-*azs.yaml` (**required**)
 * `state/client-sg.yaml` (**required**)
 * `security/kms-key.yaml` (recommended)
+* `operations/alert.yaml` (recommended)
 * `vpc/zone-*.yaml`
 * `vpc/vpc-*-bastion.yaml`
-* `operations/alert.yaml` (recommended)
+* `state/secretsmanager-secret.yaml`
 
 ## Limitations
 * No auto scaling
@@ -198,9 +200,10 @@ RDS Aurora Serverless MySQL cluster.
 * `vpc/vpc-*azs.yaml` (**required**)
 * `state/client-sg.yaml` (**required**)
 * `security/kms-key.yaml` (**required**)
+* `operations/alert.yaml` (recommended)
 * `vpc/zone-*.yaml`
 * `vpc/vpc-*-bastion.yaml`
-* `operations/alert.yaml` (recommended)
+* `state/secretsmanager-secret.yaml`
 
 # RDS Aurora Serverless Postgres
 
@@ -223,9 +226,10 @@ RDS Aurora Serverless Postgres cluster.
 * `vpc/vpc-*azs.yaml` (**required**)
 * `state/client-sg.yaml` (**required**)
 * `security/kms-key.yaml` (**required**)
+* `operations/alert.yaml` (recommended)
 * `vpc/zone-*.yaml`
 * `vpc/vpc-*-bastion.yaml`
-* `operations/alert.yaml` (recommended)
+* `state/secretsmanager-secret.yaml`
 
 # RDS MySQL
 
@@ -247,9 +251,10 @@ Multi-AZ MySQL for HA.
 * `vpc/vpc-*azs.yaml` (**required**)
 * `state/client-sg.yaml` (**required**)
 * `security/kms-key.yaml` (recommended)
+* `operations/alert.yaml` (recommended)
 * `vpc/zone-*.yaml`
 * `vpc/vpc-*-bastion.yaml`
-* `operations/alert.yaml` (recommended)
+* `state/secretsmanager-secret.yaml`
 
 ## Limitations
 * No auto scaling
@@ -274,9 +279,10 @@ Multi-AZ Postgres for HA.
 * `vpc/vpc-*azs.yaml` (**required**)
 * `state/client-sg.yaml` (**required**)
 * `security/kms-key.yaml` (recommended)
+* `operations/alert.yaml` (recommended)
 * `vpc/zone-*.yaml`
 * `vpc/vpc-*-bastion.yaml`
-* `operations/alert.yaml` (recommended)
+* `state/secretsmanager-secret.yaml`
 
 ## Limitations
 * No auto scaling
@@ -309,3 +315,20 @@ S3 bucket with different access requirements:
 
 ## Dependencies
 * `security/kms-key.yaml` (recommended)
+
+# Database Secret
+
+Random or prepopulated master user secret for databases.
+
+## Installation Guide
+1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/state/secretsmanager-dbsecret&stackName=secret)
+1. Click **Next** to proceed with the next step of the wizard.
+1. Specify a name and all parameters for the stack.
+1. Click **Next** to proceed with the next step of the wizard.
+1. Click **Next** to skip the **Options** step of the wizard.
+1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox.
+1. Click **Create** to start the creation of the stack.
+1. Wait until the stack reaches the state **CREATE_COMPLETE**
+
+## Dependencies
+* `security/kms-key.yaml`
diff --git a/docs/static-website.md b/docs/static-website.md
@@ -73,3 +73,4 @@ To improve the default CloudFront behavior, we developed a Lambda@Edge solution
 * `vpc/zone-*.yaml` (**required**)
 * `operations/alert.yaml` (recommended)
 * `state/s3.yaml` (recommended)
+* `security/waf.yaml`
diff --git a/docs/wordpress.md b/docs/wordpress.md
@@ -44,8 +44,9 @@ This template combines the following services:
 * `vpc/vpc-*azs.yaml` (**required**)
 * `vpc/zone-*.yaml` (**required**)
 * `vpc/vpc-*-bastion.yaml` (recommended)
-* `security/auth-proxy-*.yaml`
 * `operations/alert.yaml` (recommended)
+* `security/auth-proxy-*.yaml`
+* `security/waf.yaml`
 
 ## Limitations
 * WordPress will only run in two Availability Zones, even if your VPC stack has more.
@@ -97,8 +98,9 @@ This template combines the following services:
 * `vpc/vpc-*azs.yaml` (**required, 3 or more AZs required**)
 * `vpc/zone-*.yaml` (**required**)
 * `vpc/vpc-*-bastion.yaml` (recommended)
-* `security/auth-proxy-*.yaml`
 * `operations/alert.yaml` (recommended)
+* `security/auth-proxy-*.yaml`
+* `security/waf.yaml`
 
 ## Limitations
 * WordPress will only run three Availability Zones, even if your VPC stack has more.

diff --git a/security/waf-legacy.yaml b/security/waf-legacy.yaml
@@ -0,0 +1,48 @@
+---
+# Copyright 2018 widdix GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Security: Legacy WAF (Web Application Firewall), a cloudonaut.io template'
+Metadata:
+  'AWS::CloudFormation::Interface':
+    ParameterGroups:
+    - Label:
+        default: 'WAF Parameters'
+      Parameters:
+      - WebAclArn
+Parameters:
+  WebAclArn:
+    Description: 'The ARN of the Web ACL.'
+    Type: String
+Conditions:
+  HasNot: !Equals ['true', 'false']
+Resources:
+  NullResource:
+    Type: 'Custom::NullResource'
+    Condition: HasNot
+Outputs:
+  TemplateID:
+    Description: 'cloudonaut.io template id.'
+    Value: 'security/waf'
+  TemplateVersion:
+    Description: 'cloudonaut.io template version.'
+    Value: '__VERSION__'
+  StackName:
+    Description: 'Stack name.'
+    Value: !Sub '${AWS::StackName}'
+  WebACL:
+    Description: 'The ARN of the Web ACL.'
+    Value: !Ref 'WebAclArn'
+    Export:
+      Name: !Sub '${AWS::StackName}-WebACL'
diff --git a/security/waf.yaml b/security/waf.yaml
@@ -24,9 +24,15 @@ Metadata:
       - RateLimit
       - RateLimitEffect
       - ReputationListEffect
+      - BotControlEffect
+      - BotControlExcludeRule1
+      - BotControlExcludeRule2
+      - BotControlExcludeRule3
+      - BotControlExcludeRule4
+      - BotControlExcludeRule5
 Parameters:
   Scope:
-    Description: 'Specify wether WAF shall be used with CloudFront or regional (ALB, API Gateway, and AppSync).'
+    Description: 'Specify wether WAF shall be used with CloudFront (us-east-1 only!) or regional (ALB, API Gateway, and AppSync).'
     Type: String
     Default: 'REGIONAL'
     AllowedValues:
@@ -54,14 +60,49 @@ Parameters:
     - 'Disable'
     - 'Block'
     - 'Count'
+  BotControlEffect:
+    Description: 'Block or count requests from bots. Alterantively, disable bot control at all.'
+    Type: String
+    Default: 'Disable'
+    AllowedValues:
+    - 'Disable'
+    - 'Block'
+    - 'Count'
+  BotControlExcludeRule1:
+    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
+    Type: String
+    Default: ''
+  BotControlExcludeRule2:
+    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
+    Type: String
+    Default: ''
+  BotControlExcludeRule3:
+    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
+    Type: String
+    Default: ''
+  BotControlExcludeRule4:
+    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
+    Type: String
+    Default: ''
+  BotControlExcludeRule5:
+    Description: 'The rule whose actions are set to COUNT by the web ACL. This effectively excludes the rule from acting on web requests. (Valid rule names: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#aws-managed-rule-groups-bot)'
+    Type: String
+    Default: ''
 Conditions:
   EnableRateLimit: !Not [!Equals [!Ref RateLimitEffect, 'Disable']]
   BlockRateLimit: !Equals [!Ref RateLimitEffect, 'Block']
   EnableReputationList: !Not [!Equals [!Ref ReputationListEffect, 'Disable']]
   BlockReputationList: !Equals [!Ref ReputationListEffect, 'Block']
+  EnableBotControl: !Not [!Equals [!Ref BotControlEffect, 'Disable']]
+  BlockBotControl: !Equals [!Ref BotControlEffect, 'Block']
+  HasBotControlExcludeRule1: !Not [!Equals [!Ref BotControlExcludeRule1, '']]
+  HasBotControlExcludeRule2: !Not [!Equals [!Ref BotControlExcludeRule2, '']]
+  HasBotControlExcludeRule3: !Not [!Equals [!Ref BotControlExcludeRule3, '']]
+  HasBotControlExcludeRule4: !Not [!Equals [!Ref BotControlExcludeRule4, '']]
+  HasBotControlExcludeRule5: !Not [!Equals [!Ref BotControlExcludeRule5, '']]
 Resources:
   WebACL:
-    Type: AWS::WAFv2::WebACL
+    Type: 'AWS::WAFv2::WebACL'
     Properties:
       DefaultAction:
         Allow: {}
@@ -102,6 +143,29 @@ Resources:
             CloudWatchMetricsEnabled: true
             MetricName: RateLimit
         - !Ref 'AWS::NoValue'
+      - !If
+        - EnableBotControl
+        - Name: AWSBotControl
+          Priority: 3
+          OverrideAction: !If
+          - BlockBotControl
+          - None: {}
+          - Count: {}
+          VisibilityConfig:
+            SampledRequestsEnabled: true
+            CloudWatchMetricsEnabled: true
+            MetricName: AWSBotControl
+          Statement:
+            ManagedRuleGroupStatement:
+              VendorName: AWS
+              Name: AWSManagedRulesBotControlRuleSet
+              ExcludedRules:
+              - !If [HasBotControlExcludeRule1, {Name: !Ref BotControlExcludeRule1}, !Ref 'AWS::NoValue']
+              - !If [HasBotControlExcludeRule2, {Name: !Ref BotControlExcludeRule2}, !Ref 'AWS::NoValue']
+              - !If [HasBotControlExcludeRule3, {Name: !Ref BotControlExcludeRule3}, !Ref 'AWS::NoValue']
+              - !If [HasBotControlExcludeRule4, {Name: !Ref BotControlExcludeRule4}, !Ref 'AWS::NoValue']
+              - !If [HasBotControlExcludeRule5, {Name: !Ref BotControlExcludeRule5}, !Ref 'AWS::NoValue']
+        - !Ref 'AWS::NoValue'
       Scope: !Ref Scope
       VisibilityConfig:
         CloudWatchMetricsEnabled: true
@@ -110,7 +174,7 @@ Resources:
 Outputs:
   TemplateID:
     Description: 'cloudonaut.io template id.'
-    Value: 'security/waf'
+    Value: 'security/waf-legacy'
   TemplateVersion:
     Description: 'cloudonaut.io template version.'
     Value: '__VERSION__'