AWS integration
  • 19 Jul 2024

AWS WAF (Web Application Firewall) is a service offered by Amazon Web Services (AWS) that helps protect web applications from common web exploits that could affect their availability, compromise security, or consume excessive resources. It allows customers to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting (XSS) attacks, and to define customized rules that protect against more specific threats. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service provided by AWS. It is designed to protect web applications running on AWS against DDoS attacks.

Together, AWS WAF and Shield can provide a comprehensive defense against web-based attacks and ensure the availability and security of web applications running on AWS. Traceable provides an integration with AWS. You can choose from an agentless or agent-based deployment option. For more information on Traceable agents, see the Installation section. Traceable's integration with AWS supports the following types of rules:

  • IP range rules

  • Threat actor rules

  • Custom signature rules

The corresponding rules are added to AWS WAF when the configuration is complete. The following is a high-level integration diagram:


The Threat Actor module identifies and flags malicious activities as threats. The Custom Policy module allows for the creation of custom policies, currently supporting only the IP Range policy for WAF.


Before you begin

Make a note of the following before proceeding with AWS WAF integration:

  • Ensure you have an AWS Access Key ID and AWS Secret Access Key from the AWS management console. Create them for a dedicated IAM principal that carries only the permissions listed below rather than reusing a personal or administrative key.

  • Ensure you have the Web ACL ARN for the resource you wish to integrate with Traceable. You can apply the Traceable rules to a regional web ACL or to a CloudFront (global) web ACL.

  • The document assumes that you have reasonable knowledge of the AWS management console, for example, how to create Web ACLs, access key, secret key, and so on.

AWS permissions

The following IAM permissions are required. All of them belong to the WAFv2 service (the wafv2: prefix in IAM):

Resource    AWS service   Actions
RuleGroup   WAFv2         CreateRuleGroup, UpdateRuleGroup, GetRuleGroup, ListRuleGroups, DeleteRuleGroup
IPSet       WAFv2         GetIPSet, CreateIPSet, UpdateIPSet, ListIPSets, DeleteIPSet
WebACL      WAFv2         UpdateWebACL, GetWebACL

Note that IP sets and rule groups are created, updated, and deleted, while web ACLs are only updated: Traceable attaches its rule group to an existing web ACL and never creates or deletes web ACLs. You need access to these resources in the corresponding regions while setting up the WAF.

Note

For the WebACL statement, also grant the RuleGroup permission in that region so that the Traceable rule group can be associated with the web ACL.

Sample policy

Following is a sample policy to help you configure the permissions. Replace <AWS_ACCOUNT_ID> with your AWS account ID. The Resource ARNs use * for the region and for the scope segment (regional, or global for CloudFront); narrow them to the regions and scope you actually use. The List actions are not resource-scoped in WAFv2, so they keep Resource "*".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IPSetStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:GetIPSet",
                "wafv2:CreateIPSet",
                "wafv2:UpdateIPSet",
                "wafv2:DeleteIPSet"
            ],
            "Resource": [
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/ipset/*/*"
            ]
        },
        {
            "Sid": "RuleGroupStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:GetRuleGroup",
                "wafv2:CreateRuleGroup",
                "wafv2:UpdateRuleGroup",
                "wafv2:DeleteRuleGroup"
            ],
            "Resource": [
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/rulegroup/*/*",
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/ipset/*/*"
            ]
        },
        {
            "Sid": "WebACLStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:GetWebACL",
                "wafv2:UpdateWebACL"
            ],
            "Resource": [
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/webacl/*/*",
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/rulegroup/*/*",
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/managedruleset/*/*"
            ]
        },
        {
            "Sid": "ListStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:ListRuleGroups",
                "wafv2:ListIPSets"
            ],
            "Resource": "*"
        }
    ]
}
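The following script is an added example (not Traceable's or AWS's code) that checks a policy document against the permissions table above: it confirms that every required wafv2 action is granted on WAF resources of the intended account, region and scope, and flags resource-scoped actions that were granted on "*". The policy embedded below is a constructed copy of the sample policy with <AWS_ACCOUNT_ID> filled in with a placeholder account; the ARN name and ID segments in sample_arn are also placeholders.

```python
"""Verify that an IAM policy grants the wafv2 actions listed in the
permissions table above, scoped to WAF resources rather than "*".

Added example, not Traceable or AWS code. Standard library only; the
policy document is a constructed copy of the sample above with
<AWS_ACCOUNT_ID> replaced by a placeholder account.
"""
import fnmatch
import json

# Actions from the table, grouped by the WAF resource type each acts on.
REQUIRED = {
    "rulegroup": ("CreateRuleGroup", "UpdateRuleGroup", "GetRuleGroup", "DeleteRuleGroup"),
    "ipset": ("CreateIPSet", "UpdateIPSet", "GetIPSet", "DeleteIPSet"),
    "webacl": ("GetWebACL", "UpdateWebACL"),
}
# wafv2 List* actions are not resource-scoped: IAM only honours them on "*".
REQUIRED_UNSCOPED = ("ListRuleGroups", "ListIPSets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    # IAM Action and Resource strings use '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def sample_arn(account_id, region, scope, resource_type):
    # Real wafv2 ARN shape: arn:aws:wafv2:<region>:<account>:<scope>/<type>/<name>/<id>,
    # where <scope> is "regional" or "global" (CloudFront). Name and id are placeholders.
    return f"arn:aws:wafv2:{region}:{account_id}:{scope}/{resource_type}/TraceableRules/0000"


def check_policy(policy, account_id, region="us-east-1", scope="regional"):
    """Return (missing, broad).

    missing: required actions that no Allow statement grants on a WAF resource
             of the given account/region/scope (or, for List*, on "*").
    broad:   resource-scoped actions granted on Resource "*", wider than the
             integration needs.
    Deny statements, Condition blocks, SCPs and permission boundaries are
    ignored; use the IAM policy simulator for the authoritative answer.
    """
    allows = [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    missing, broad = set(), set()

    for resource_type, actions in REQUIRED.items():
        arn = sample_arn(account_id, region, scope, resource_type)
        for action in actions:
            wanted = f"wafv2:{action}".lower()
            granted = False
            for stmt in allows:
                if not _matches(wanted, [a.lower() for a in _as_list(stmt.get("Action", []))]):
                    continue
                resources = _as_list(stmt.get("Resource", []))
                if "*" in resources:
                    broad.add(f"{action} via Sid={stmt.get('Sid', '?')}")
                    granted = True
                elif _matches(arn, resources):
                    granted = True
            if not granted:
                missing.add(f"{action} on {resource_type}")

    for action in REQUIRED_UNSCOPED:
        wanted = f"wafv2:{action}".lower()
        if not any(
            _matches(wanted, [a.lower() for a in _as_list(s.get("Action", []))])
            and "*" in _as_list(s.get("Resource", []))
            for s in allows
        ):
            missing.add(f'{action} (needs Resource "*")')
    return sorted(missing), sorted(broad)


# Constructed copy of the page's sample policy; load your own with json.load().
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "IPSetStatement", "Effect": "Allow",
  "Action": ["wafv2:GetIPSet", "wafv2:CreateIPSet", "wafv2:UpdateIPSet", "wafv2:DeleteIPSet"],
  "Resource": ["arn:aws:wafv2:*:123456789012:*/ipset/*/*"]},
 {"Sid": "RuleGroupStatement", "Effect": "Allow",
  "Action": ["wafv2:GetRuleGroup", "wafv2:CreateRuleGroup", "wafv2:UpdateRuleGroup", "wafv2:DeleteRuleGroup"],
  "Resource": ["arn:aws:wafv2:*:123456789012:*/rulegroup/*/*", "arn:aws:wafv2:*:123456789012:*/ipset/*/*"]},
 {"Sid": "WebACLStatement", "Effect": "Allow",
  "Action": ["wafv2:GetWebACL", "wafv2:UpdateWebACL"],
  "Resource": ["arn:aws:wafv2:*:123456789012:*/webacl/*/*", "arn:aws:wafv2:*:123456789012:*/rulegroup/*/*",
               "arn:aws:wafv2:*:123456789012:*/managedruleset/*/*"]},
 {"Sid": "ListStatement", "Effect": "Allow",
  "Action": ["wafv2:ListRuleGroups", "wafv2:ListIPSets"], "Resource": "*"}
]}
""")

if __name__ == "__main__":
    missing, broad = check_policy(SAMPLE_POLICY, "123456789012")
    print("missing:", missing or "none")
    print("over-broad:", broad or "none")
```

Running the check against the sample policy with the matching account ID reports nothing missing and nothing over-broad; running it with a different account ID reports every resource-scoped action as missing, which is the failure you see when a policy copied from another account is attached to the integration's principal. A policy that grants wafv2:* on "*" passes the coverage check but is flagged for all ten resource-scoped actions.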

Configuration

To integrate Traceable with AWS WAF, complete the following steps:

  1. Navigate to Integrations → WAF menu and click Configure on the AWS card. 

  2. In the integration window, provide all the details. The Description field is mandatory. You can add one or more resources (Web ACL ARNs) to a single integration.

  3. Select the environment from the Environments drop-down list. You can select one or more environments to integrate AWS WAF.

    Note

    You can have multiple integrations for the same environment if the Web ACL ARNs are different.

  4. Choose the Action Type and Target Type from the drop-down lists.

    • Action Type: Select Allow, Block, or Count.

      • Allow or Block - The allow or block decision is made according to the IP range rules. These rules are configured as part of the Malicious Sources policy.

      • Count - No requests are blocked; in effect the rule group behaves like an allow-all rule. Count also overrides IP addresses and rules that are already set to Block, so matching requests are only recorded in metrics. Use Count to validate a new rule set against live traffic before switching to Block. For more information on Count, see the AWS documentation.

    • Target Type: Select one or more of Threat Actors, Malicious Sources IP Range, and Custom Signature. Only the rules of the selected types are exported to AWS WAF.

  5. Click on Save. You can view the AWS WAF integration in the integration dashboard.


Enable IP rules

Once the integration configuration is complete, enable the IP rules you want to synchronize with AWS WAF. Navigate to Protection → Custom Policy → Malicious Sources tab to configure or enable IP rules. You can enable an existing policy or create a new one by clicking the Add Policy button. For example, an existing policy named AWS IP Set Rules can be enabled after the AWS WAF integration is completed.

Note:

Only policies created, enabled, or disabled after the integration is completed are propagated to AWS WAF. Policies that were already enabled before the integration was completed are not propagated; to push such a policy, disable it and enable it again once the integration is in place.

Edit the policy to add IP ranges, or view it to see the ranges already configured. For example, a policy containing the range 117.254.1.136/32 (a single address) blocks all requests from that address once it is synchronized.
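The following script is an added example (not Traceable's or AWS's code) that simulates what the Action Type chosen in step 4 of the configuration does to requests once a Malicious Sources IP range policy like the one above has been synchronized: Block and Allow act on matching sources, while Count never blocks, even for ranges that would otherwise be blocked, and only increments metrics. The IP set contents and the denylisted threat-actor address are constructed; it assumes the Threat Actors target is synchronized as source IP addresses, and it models Allow as an explicit allow on match. The metric names are the ones AWS WAF publishes to CloudWatch.

```python
"""Simulate how a Traceable IP range policy behaves after it is pushed to
the AWS WAF rule group under each Action Type (Allow, Block, Count).

Added example, not Traceable or AWS code. The IP set contents and the
denylisted threat-actor address are constructed.
"""
import ipaddress
from collections import Counter

# Constructed Malicious Sources policy: the /32 from the example above plus a wider range.
MALICIOUS_SOURCES = ["117.254.1.136/32", "198.51.100.0/24"]
# Constructed denylisted threat actor (assumes the Threat Actors target syncs source IPs).
DENYLIST = ["203.0.113.7"]


def build_ip_set(cidrs):
    """Parse CIDRs once. strict=False tolerates host bits set in the prefix
    (e.g. 10.1.2.3/24), which AWS WAF rejects; normalise before exporting."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def evaluate(source_ip, action_type, ip_set, denylist, metrics):
    """Decide one request. Returns 'allow', 'block' or 'count' and updates metrics."""
    addr = ipaddress.ip_address(source_ip)
    hit = any(addr in net for net in ip_set) or source_ip in denylist
    if not hit:
        metrics["PassedRequests"] += 1   # no match in the rule group; the rest of the web ACL decides
        return "allow"
    if action_type == "Count":
        # Count overrides Block for every rule in the group: the request is
        # tallied and continues to the remaining rules in the web ACL.
        metrics["CountedRequests"] += 1
        return "count"
    if action_type == "Block":
        metrics["BlockedRequests"] += 1
        return "block"
    metrics["AllowedRequests"] += 1      # Action Type Allow: explicit allow on match (assumed)
    return "allow"


def simulate(source_ips, action_type, cidrs=MALICIOUS_SOURCES, denylist=DENYLIST):
    """Run a batch of source addresses through the rule group.
    Returns ({source_ip: decision}, metrics)."""
    ip_set = build_ip_set(cidrs)
    metrics = Counter()
    decisions = {ip: evaluate(ip, action_type, ip_set, denylist, metrics) for ip in source_ips}
    return decisions, metrics


if __name__ == "__main__":
    # Constructed traffic sample: two listed sources, one denylisted actor, two clean addresses.
    traffic = ["117.254.1.136", "117.254.1.137", "198.51.100.200", "203.0.113.7", "192.0.2.10"]
    # Validate with Count first (nothing is blocked), then enforce with Block.
    for mode in ("Count", "Block"):
        decisions, metrics = simulate(traffic, mode)
        print(mode, decisions, dict(metrics))
```

Under Count the same three matching addresses that Block would reject are reported as "count" and only CountedRequests moves, which is what you should see in the rule group's CloudWatch metrics while validating a newly enabled policy; 117.254.1.137 is not matched because the configured range is a /32.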


Threat rules

Traceable synchronizes the threat actors that have been moved to the Deny list. To view them, navigate to Protection → Threat actors and click the Denylist tab. This list is synchronized with AWS WAF.


Custom signatures

You can configure custom signatures for use in detection. A custom signature rule helps fine-tune the protection strategy by giving granular control over the types of events generated and the requests blocked. These rules apply globally to all APIs. You can create custom rules for different parts of a request, for example:

  • Request URL

  • Request header name

  • Request header value

  • Request parameter value

  • Request HTTP method

  • Request Host and UserAgent

  • Request body

  • Request cookie name

  • Request cookie value

Note

AWS does not support mapping for Request Header and Request Cookie in Custom signature rules.

Navigate to Protection → Settings → Custom policy and click the Custom signature tab to create a Custom Signature policy. For more information, see Custom Signature.


View the Traceable policy in AWS WAF

When the Traceable policy is propagated to AWS WAF, it appears as a rule group named TraceableRules. To view the IP addresses sent from Traceable, log in to your AWS management console and navigate to WAF & Shield. Click Rule groups in the AWS WAF menu.


Click TraceableRules. On the TraceableRules page, click the name of the rule. All the rules that were enabled in Traceable are displayed here. Click a rule to view its details.


You can also view the IP addresses by clicking Web ACLs or IP sets under AWS WAF.

