aws / apprunner-roadmap

This is the public roadmap for AWS App Runner.
https://aws.amazon.com/apprunner/

AWS WAF support #58

Closed iselegant closed 1 year ago

iselegant commented 3 years ago

Community Note

Tell us about your request

App Runner doesn't support WAF attaching. If this can be achieved, I believe that we'll be able to find a lot of secure architecture and use cases with App Runner.

bretlowery commented 3 years ago

A possible workaround is to use an edge-resident WAF outside of AWS WAF, such as Akamai or Cloudflare, provided the AR CNAME/origin could be completely protected from public access.

greenreign commented 2 years ago

@iselegant Can you provide more details? We haven't been able to use AppRunner yet until the RDS VPC support lands, but we'd also need WAF. I assume an ALB is provisioned with an AppRunner app. Can you manually attach WAF? Are you asking for built-in support, or is it not possible at all?

iselegant commented 2 years ago

@greenreign Thank you for your comment. In my opinion, it may be a better and simpler architecture if we can attach AWS WAF in front of the AWS App Runner endpoint, because many AWS users are used to setting up AWS WAF. Actually, I often have use cases for deploying container web apps with security requirements that only specific clients may access, such as preparing an internal developer portal.

amitgupta85 commented 2 years ago

Hello, we are looking at supporting WAF in App Runner and will have more updates on this thread going forward. To help us better learn about your use case, please give us feedback on some of these questions.

  1. What type of applications do you enable WAF on? Do you enable WAF on public internet-facing applications, or do you enable it on private VPC-accessible internal applications?
  2. Where does AWS WAF sit in your architecture? Do you configure it on:
     a. an AWS ALB fronting your application,
     b. Amazon CloudFront CDN (if CloudFront CDN, what do you use as the origin server behind the CDN: ALB, API Gateway, S3 or something else?),
     c. API Gateway fronting your application, or
     d. somewhere else?
  3. What type of WAF rules do you set on WAF Web ACLs?
  4. If App Runner services are protected by AWS WAF, would you like to have AWS WAF Web ACLs deployed in your account with full configurability via the AWS WAF API, or have it run behind the scenes in an App Runner owned account with only some knobs exposed through the App Runner API surface?
  5. If you want full configurability via the AWS WAF API, do you still want App Runner to manage certain aspects of WAF configuration? For example, creating Web ACLs in your account with initial rules?
  6. Other than AWS WAF protection, would you also like App Runner to provide managed DDoS protection offered by AWS Shield?

johngillespie-vp commented 2 years ago

I would like to be able to provide my own WAF for App Runner to use. This matches the pattern that I use for other public facing applications - configurable WAF applied to the ALB. I likely wouldn't find any use for a default, out of the box WAF, nor do I need AWS Shield.

callicles commented 2 years ago

Same use case as people have been pointing out. I need to be able to put a WAF in front of AppRunner. For me that only means I want to be able to associate a security group with the LB so that I can restrict inbound requests to my WAF.

We are talking internet facing applications

em-cash commented 2 years ago

I would prefer to attach the WAF of my account to the load balancer of App Runner, not have an App Runner built-in WAF. I guess it's the only missing feature for changing from EKS to App Runner.

weaverjess commented 2 years ago

Any updates on this or workarounds?

hiselitelordship commented 2 years ago

App Runner is probably failing to live up to the level of abstraction it looks set to deliver. For example, if I am developing Python Flask and I point App Runner at my git repo, it doesn't appear to help me be secure. It doesn't wrap my code in gunicorn, nginx and supervisord (like Elastic Beanstalk). Looking at CVEs, it looks like gunicorn is vulnerable to HTTP response splitting, and perhaps plenty more. This is something a platform that targets developers should be taking care of. Systems engineers who know all this are probably already running VPC, EC2, Security Groups, NACLs, Amazon Network Firewall, CloudFront, WAF, Shield, reverse proxies, Security Hub and heaven knows how many other services. Developers choosing App Runner are avoiding having to be experts in all those other products, as they are looking for the service provider to help with that.

I believe App Runner needs to prioritise security (or at least explain it better). A developer with Python code in Git doesn't know about gunicorn, nginx, WAFs, file integrity monitoring, CDNs for anti-DDoS, Shield, etc. Chances are developers are just running Python apps with Werkzeug naked on the web. If App Runner is doing more than just wiring up a container to an internet-facing load balancer, then it isn't clear, and the residual risk for me to address is unclear.

emilhdiaz commented 1 year ago

Using an external provider like Cloudflare isn't a viable solution yet, because the App Runner default domain is still accessible on the public internet, and thus the application is still vulnerable to attacks. Providers like Cloudflare can only protect your custom domains. What we'd like to see is something similar to how this is solved in API Gateway: an App Runner resource policy that allows restricting inbound access to your App Runner service by IP. We can then lock down the default domain to only receive traffic from Cloudflare's network, and thus enforce Cloudflare proxying of all traffic to the origin endpoints.

atali commented 1 year ago

Any news on that issue?

mwarkentin commented 1 year ago

Looks like this just landed: https://aws.amazon.com/about-aws/whats-new/2023/02/aws-app-runner-web-application-firewall-enhanced-security/

snnles commented 1 year ago

Hello everyone, App Runner now supports AWS Web Application Firewall (WAF). See the launch announcement and documentation to learn more about this capability.

Launch announcement: https://aws.amazon.com/about-aws/whats-new/2023/02/aws-app-runner-web-application-firewall-enhanced-security/

App Runner documentation: https://docs.aws.amazon.com/apprunner/latest/dg/waf.html
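As an added example (not code from this thread or from the App Runner project), the origin lockdown that emilhdiaz asked for can now be done with the WAF support that landed: a regional Web ACL whose default action is block, with a single allow rule for the edge provider's IP ranges, associated with the App Runner service. The CIDRs and the service ARN are placeholders to replace; the Web ACL must live in the same region as the service.

```hcl
# Added example, not from the thread or the App Runner project.
# Goal: make the default *.awsapprunner.com endpoint reject any request that
# did not arrive through the edge proxy, so the proxy's WAF cannot be bypassed.
# Values in <angle brackets> are placeholders.

resource "aws_wafv2_ip_set" "edge_proxy" {
  name               = "edge-proxy-ranges"
  scope              = "REGIONAL"            # App Runner is a regional resource
  ip_address_version = "IPV4"
  addresses          = ["<EDGE_PROVIDER_CIDR_1>", "<EDGE_PROVIDER_CIDR_2>"]
}

resource "aws_wafv2_web_acl" "apprunner" {
  name  = "apprunner-origin-lockdown"
  scope = "REGIONAL"

  default_action {
    block {}                                 # deny everything not explicitly allowed
  }

  rule {
    name     = "allow-edge-proxy"
    priority = 0
    action {
      allow {}                               # WAF sees the proxy's IP as the source
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.edge_proxy.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true      # blocked-request metrics show bypass attempts
      metric_name                = "allow-edge-proxy"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "apprunner-origin-lockdown"
    sampled_requests_enabled   = true
  }
}

# Attach the Web ACL to the App Runner service (supported since the Feb 2023 launch).
resource "aws_wafv2_web_acl_association" "apprunner" {
  resource_arn = "<APP_RUNNER_SERVICE_ARN>"
  web_acl_arn  = aws_wafv2_web_acl.apprunner.arn
}
```

Keep the IP set in sync with the edge provider's published ranges, and watch the Web ACL's blocked-request metric: a non-zero count on the default action is direct-to-origin traffic that skipped the proxy.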