aws-samples / aws-waf-dashboard

1 click deployment for creating AWS WAF dashboard
MIT No Attribution

Dashboard is publicly accessible #4

Closed pkennedyvt closed 3 years ago

pkennedyvt commented 4 years ago

Upon launch the url is world accessible. It can be left to the user to address that, or it can be codified. Either way it should be called out in the documentation.

One quick solution would be to add a condition to the AuthenticatedPolicy. Something like:

```json
"Action": "es:Http",
"Condition": {
  "IpAddress": {
    "aws:SourceIp": ["111.222.333.444/32"]
  }
}
```

And make the SourceIp a parameter in the template. I want to think a little more about that, but it's a good first start at securing the access.

Adding VPC would be a long term goal.

tstachlewski commented 3 years ago

Hi, this won't actually work, because it won't protect the Kibana URL. I've modified the solution so that it won't be possible for new users to register in Kibana. Plus I have added to the documentation that in 'production' cases a proxy should be used in front of it.
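For anyone reviewing the domain access policy this thread discusses, the following added audit script (not part of the aws-waf-dashboard project) flags Allow statements with a wildcard principal that lack an `aws:SourceIp` condition, or whose CIDRs are invalid or open to everyone. The sample policy, account id, region, domain name and IP range are constructed placeholders; as the maintainer notes above, such a check covers only the domain policy, not the Kibana sign-up flow.

```python
import json
from ipaddress import ip_network

# Constructed sample access policy modelled on the fragment in the issue.
# Account id, region, domain name and the SourceIp range are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AuthenticatedPolicy",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:ESHttp*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/waf-dashboard/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["198.51.100.0/24"]}},
    }],
}

def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def audit_access_policy(policy):
    """Return one finding per Allow statement that uses a wildcard principal.

    Accepts the policy as a JSON string or an already-parsed dict. Only the
    domain access policy is examined, not the Kibana sign-in/sign-up flow.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
        if not cidrs:  # no source restriction at all: reachable from anywhere
            findings.append(f"{sid}: wildcard principal with no aws:SourceIp condition (world-reachable)")
            continue
        for cidr in cidrs:
            try:
                net = ip_network(cidr, strict=False)
            except ValueError:  # IAM would reject this, so the statement never takes effect as intended
                findings.append(f"{sid}: invalid CIDR {cidr!r} in aws:SourceIp")
                continue
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 is no restriction
                findings.append(f"{sid}: aws:SourceIp {cidr} allows every address")
            else:
                findings.append(f"{sid}: OK, restricted to {net.with_prefixlen}")
    return findings
```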