Status: Closed (closed by rectalogic 2 years ago)
Hi @rectalogic
Good point! Is there a general redact rule that should be applied by default or should we add this as CloudFormation stack input parameters (or should we just highlight those references on the documentation)? What do you think?
Many thanks!
I think it should be an input parameter, and probably default to redacting the cookie header (since that is often sensitive, authorization cookie etc.)
It's configured as a list of field types and data values, so maybe the stack parameter could be a CloudFormation CommaDelimitedList of type=value items like HEADER=Cookie,SINGLE_QUERY_ARG=UserName etc.
Thanks for your feedback. We have added this request to our feature backlog.
In the event this is prioritized, the Authorization header is another good candidate for defaulting to add.
Thanks for the comments. After careful evaluation of the request, we would like to leave this to customers to set it up based on their specific needs instead of including it in the WAF solution.
References:
- https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
- https://docs.aws.amazon.com/waf/latest/APIReference/API_LoggingConfiguration.html
The WAF log parsers enable WAF logging: https://github.com/awslabs/aws-waf-security-automations/blob/master/source/custom-resource/custom-resource.py#L396
This logs sensitive details about the request such as the cookie. Allow configuration of WAF log redaction via RedactedFields: https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_LoggingConfiguration.html