Closed spgreenberg closed 2 years ago
I'm starting the SCR work for this since we have some rules already in place we need to document.
The rules are going to take a lot of hashing out as customer impact will be hard to gauge, and I don't know if one can get any insight into what the details are of the AWS-managed rulesets.
@spgreenberg Could you review the SCR at https://docs.google.com/document/d/1roNkZwfMZhxWwY9J9GYXatHm0YyBP-e4SP3i6mpg8oE/edit# or is there another engineer more appropriate for that? I'm happy to jump on a call to discuss.
@eddietejeda are you OK with signing the above SCR? If we can get it over to FedRAMP this afternoon it removes the potential for another week's wait.
@pburkholder Everything looks good except for one clarification. DDoS protection is provided by AWS Shield. Unfortunately, I don't see Shield on the FedRAMP list, but I believe GSA is using Shield elsewhere.
I added DDoS as even a naive WAF will blunt some of the impact of a DDoS, which we saw ourselves with the me6 incident. But removing it from the SCR reduces the # of updates to make, leaves us a better case for Shield down the line, and we still have the benefit.
I have pinged Marcus as managed rulesets don't show up in GovCloud yet despite the interface being updated to v2. I will report back as soon as I hear from him.
I have feedback from JAB that I need to respond to. Unblocking while I do so.
Moving to blocked today to lower WIP while I complete work before 3PAO starts secrets assessment.
I started a new SCR but I'm stuck until we determine how we'll disentangle our customer and control plane traffic, particularly with respect to the CloudFront routing. The https://github.com/cloud-gov/private/issues/171 work needs to move forward first.
We can start with the AWS Managed Core Rule Set, described as: "Contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including those described in OWASP publications."
Additionally, it appears Terraform has added support for WAF v2 managed rulesets: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl. We should be able to manage this in cg-provision. I am looking at this in detail now.
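The shape the comment above points at, as an added example that is not cg-provision code or anything from the issue: a WAF v2 web ACL carrying the AWS Managed Core Rule Set (AWSManagedRulesCommonRuleSet), attached to an ALB and started in COUNT mode so the managed rules only record what they would have blocked. The ACL name, metric names, the `aws_lb.control_plane` ALB and the `aws_kinesis_firehose_delivery_stream.waf_logs` destination are assumptions for illustration; the `>= 0.13` requirement is the one the thread mentions.

```hcl
# Added example (not cg-provision): WAF v2 web ACL with the AWS managed
# Core Rule Set in COUNT mode, associated with a regional ALB.
terraform {
  required_version = ">= 0.13" # wafv2 resources need the newer provider/TF
}

resource "aws_wafv2_web_acl" "control_plane" {
  name  = "control-plane-web-acl" # assumed name
  scope = "REGIONAL"              # REGIONAL for ALB/API Gateway; CLOUDFRONT is us-east-1 only

  # Nothing is blocked by the ACL itself; the decision is left to the rules.
  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1

    # Managed rule groups take override_action, not action. count {} turns
    # every match into a counted (not blocked) request so false positives
    # against control-plane traffic can be reviewed before switching to none {}.
    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRuleSet" # assumed metric name
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "control-plane-web-acl" # assumed metric name
    sampled_requests_enabled   = true
  }
}

# Attach the ACL to the control-plane ALB (assumed existing resource).
resource "aws_wafv2_web_acl_association" "control_plane_alb" {
  resource_arn = aws_lb.control_plane.arn
  web_acl_arn  = aws_wafv2_web_acl.control_plane.arn
}

# Full request logging so COUNT-mode matches can be reviewed per rule.
# The Firehose stream is assumed; its name must start with "aws-waf-logs-".
resource "aws_wafv2_web_acl_logging_configuration" "control_plane" {
  resource_arn            = aws_wafv2_web_acl.control_plane.arn
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.waf_logs.arn]
}
```

The point of starting with `count {}` is that the per-rule CloudWatch metrics and sampled requests show which managed rules would have fired on real control-plane traffic; once that picture is clean, the override is flipped to `none {}` (or individual rules are excluded with `excluded_rule` blocks) rather than enabling blocking blind.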
Ooooh -- terraform support opens the door to brokered support 😍
(Reply sent by e-mail to https://github.com/cloud-gov/product/issues/1311#issuecomment-744792690)
The Terraform provider requires TF v0.13 or greater. We are currently on v0.11 and are therefore pausing on this so we can discuss options as a team.
See: Malicious Traffic Protection doc for details.
Originally named: "Create and authorize WAF in GovCloud for API and customer apps" - renaming to: Authorize and implement WAF in GovCloud for cloud.gov control plane
We are not implementing a customer WAF at the ALB level, as we can't pick rules that would be free from impacting them.
Desired outcomes:
Implementation sketch
cf domains
app
ALB in COUNT mode, monitor