bcgov / nr-forests-access-management

Authorization solution for BC natural resource sector
Apache License 2.0

Set up the api gateway and cloud front web application firewall #655

Closed MCatherine1994 closed 1 year ago

MCatherine1994 commented 1 year ago

We don't have any Web Application Firewall (WAF) and Web ACL at this moment; we might need to create one for security reasons.

See Confluence document for recommended base set of rules to apply. (https://apps.nrs.gov.bc.ca/int/confluence/display/FSAST1/Improving+Security)

Scoped to only AWS console build of the WAF; Terraform scraping and inclusion to follow.

AC: A WAF is configured with the recommended rule sets.

MCatherine1994 commented 1 year ago

Documentation: https://github.com/bcgov/nr-forests-access-management/wiki/Setup-AWS-WAF-(Web-Application-Firewall)

MCatherine1994 commented 1 year ago

Cognito also has the option to add the WAF; we can use the same one as for ApiGateway. Do we need this?


basilv commented 1 year ago

Sure

MCatherine1994 commented 1 year ago

I tried to add the WAF to the Cognito user pool, but because our WAF region is in Canada, Nick can't log in to FAM dev anymore. Good testing that the WAF works. I removed it for now, and want to chat about how we handle this case. Thanks!!

basilv commented 1 year ago

Having the WAF region in Canada shouldn't matter; that doesn't innately block traffic from outside Canada. I assume there's a rule blocking Nick's access due to geolocation? Can Nick access FAM Dev with the WAF on the API/CloudFront?

To test, you could create a new web ACL with no rules (default allow), and add it to Cognito, and confirm Nick's access is still good. Then you could add rule groups one-by-one until you find the one that's problematic. Alternatively, the WAF logs should indicate what's happening...

basilv commented 1 year ago

From my look into the WAF logs in dev, it looks like it's the AWS-AWSManagedRulesCommonRuleSet, specifically the rule AWS#AWSManagedRulesCommonRuleSet#EC2MetaDataSSRF_QUERYARGUMENTS, for URI: /oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A5173%2FauthCallback&response_type=code&client_id=6jfveou69mgford233or30hmta&identity_provider=DEV-IDIR&scope=REDACTED&state=REDACTED&code_challenge=REDACTED&code_challenge_method=S256
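The two comments above describe the triage step: read the WAF logs and find which managed rule group, and which rule inside it, terminated the request. The following Python script is an added example (not code from the thread or from the nr-forests-access-management project) that does exactly that over newline-delimited WAF log records in the JSON shape WAF writes to its logging destinations. The two log records embedded in it are constructed to resemble the case discussed here (a Cognito `/oauth2/authorize` request with a `redirect_uri` query argument); they are not real log lines from this project.

```python
"""Triage AWS WAF logs to find which managed rule blocked a request.

Added example for this issue thread; not project code. For every BLOCK record
it reports the rule group and the specific rule that terminated the request,
together with the request path. For a managed rule group, the top-level
terminatingRuleId only names the group; the individual rule is found under
ruleGroupList[*].terminatingRule.ruleId.
"""
import json
from collections import Counter

# Constructed sample records (abbreviated to the fields this script uses).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {
        "timestamp": 1690000000000,
        "action": "BLOCK",
        "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
        "terminatingRuleType": "MANAGED_RULE_GROUP",
        "httpRequest": {
            "clientIp": "203.0.113.10",
            "country": "CA",
            "uri": "/oauth2/authorize",
            "args": "redirect_uri=http%3A%2F%2Flocalhost%3A5173%2FauthCallback&response_type=code",
            "httpMethod": "GET",
        },
        "ruleGroupList": [
            {
                "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                "terminatingRule": {
                    "ruleId": "EC2MetaDataSSRF_QUERYARGUMENTS",
                    "action": "BLOCK",
                },
                "nonTerminatingMatchingRules": [],
                "excludedRules": None,
            }
        ],
    },
    {
        "timestamp": 1690000001000,
        "action": "ALLOW",
        "terminatingRuleId": "Default_Action",
        "terminatingRuleType": "REGULAR",
        "httpRequest": {"clientIp": "203.0.113.11", "country": "CA",
                        "uri": "/login", "args": "", "httpMethod": "GET"},
        "ruleGroupList": [],
    },
])


def parse_records(log_text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def blocking_rule(record):
    """Return (rule_group_or_type, rule_id, uri) for a BLOCK record, else None."""
    if record.get("action") != "BLOCK":
        return None
    uri = record.get("httpRequest", {}).get("uri", "")
    # Managed rule group: the specific rule is inside ruleGroupList.
    for group in record.get("ruleGroupList", []):
        term = group.get("terminatingRule")
        if term and term.get("action") == "BLOCK":
            return (group["ruleGroupId"], term["ruleId"], uri)
    # Otherwise a custom rule or rate-based rule terminated the request.
    return (record.get("terminatingRuleType", "?"),
            record.get("terminatingRuleId", "?"), uri)


def summarize_blocks(log_text):
    """Count BLOCK records per (group, rule, uri) so the noisiest rule is obvious."""
    counts = Counter()
    for record in parse_records(log_text):
        hit = blocking_rule(record)
        if hit:
            counts[hit] += 1
    return counts


if __name__ == "__main__":
    for (group, rule, uri), n in summarize_blocks(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {group}#{rule}  {uri}")
```

Run it against a real log export (for example the lines pulled from the CloudWatch log group or S3 prefix the web ACL logs to) by replacing `SAMPLE_LOG` with the file contents; the `group#rule` key it prints is the same form as the rule identifier quoted in the comment above, which is what you need when deciding whether to override a single rule's action rather than drop the whole rule set.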

MCatherine1994 commented 1 year ago

Tested the WAF for Cognito: the "Core rule set (AWS-AWSManagedRulesCommonRuleSet)" and "SQL database (AWS-AWSManagedRulesSQLiRuleSet)" block access for Nick and Jota. So I created the WAF for Cognito with just three rules:

basilv commented 1 year ago

I find it bizarre that these rule sets block Nick's and Jota's access, but I don't think it's worth delving into further at this point in time. Catherine, can you leave a comment in the Terraform creating the ACL for the Cognito WAF explaining why we didn't include these two rule sets?

MCatherine1994 commented 1 year ago

Sure, I'll add the comment in the follow-up Terraform ticket, and add a task to add a comment in Terraform.