Module: WAF ACL - Githubissues

patheard commented 3 years ago

Create a Web Application Firewall Access Control List module with sane defaults and priorities.

Examples:

cgye commented 1 year ago

Adding some notes here as I look into waf use case for url-shortener.

Security Requirements (WIP):

IP ranges whitelisting
Logging
- Services in AWS (& Azure) must log to S3 to comply with CCCS's Cloud Based Sensor
- Field redaction

Notes:

WAF should allow Route 53 health check
- most efficiently done using IP ranges whitelisting, see: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-ip-addresses.html
WAF should have metric filter to count blocked requests, allowed request.
Logging should be enabled so that blocked requests can be analyzed.
- logging is superior to request sampling; provides more details about blocked requests.
- retention of 90 days is sufficient (TBD: is there any policy about data retention?)
- there will likely be requirements to redact certain fields.
Using a common set of AWS provided rules would make sense.
Pay attention to WAF WCU: https://docs.aws.amazon.com/waf/latest/developerguide/aws-waf-capacity-units.html
- regex is more expensive

patheard commented 1 year ago

Thanks for putting together the list @cgye! Here are some snippets of Terraform from other projects that might help:

IP range safelisting.
Kinesis Firehose + S3 bucket logging for the WAF (and associate IAM role). We use S3 buckets so we're able to use CCCS's Cloud Based Sensor which is a bit unfortunate since CloudWatch WAF logging is a nicer user experience. We do have an Athena module to help compensate for this though.
Field redaction.

cds-snc / terraform-modules