AWS integration
  • 23 Mar 2023
  • 2 Minutes to read
  • PDF

AWS integration

  • PDF

Article Summary

AWS WAF (Web Application Firewall) is a service offered by Amazon Web Services (AWS) that helps protect web applications from common web exploits that could affect their availability, compromise security, or consume excessive resources. It allows customers to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting (XSS) attacks, as well as to define customized rules that protect against more specific threats. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service provided by AWS. It is designed to protect web applications running on AWS against DDoS attacks. 

Together, AWS WAF and Shield can be used to provide a comprehensive defense against web-based attacks and ensure the availability and security of web applications running on AWS. Traceable provides an integration with AWS. You can choose from an agentless or agent-based deployment option. For more information on Traceable agents, see the Installation section. Traceable's integration with AWS supports the following two types of rules:

  • IP range rules
  • Threat actor rules

When the configuration is complete, the corresponding rules are added to the AWS platform.

The following is a high-level integration diagram:

The threat actor module detects malicious activities as threats. The Custom Policy Module is used to set custom policies. Only IP Range policy is supported.


Before you begin

Make a note of the following before proceeding with AWS WAF integration:

  • Make sure that you have access to AWS Access Key ID and AWS Secret Access Key from AWS management console.
  • Make sure that you have the Web ACL ARN for the resource that you wish to integrate Traceable with. You can apply the Traceable rules for a region or for CloudFront resources.
  • The document assumes that you have reasonable knowledge of AWS management console, for example, how to create Web ACLs, access key, secret key, and so on.

Configuration

To integrate Traceable with AWS WAF, complete the following steps:

  1. Navigate to Integrations menu and click Configure on the AWS card. 
  2. In the integration window, provide all the details. The Description field is mandatory. You can add one or more than one resource, as shown in the screenshot. 
  3. Click on Save. You can view the AWS WAF integration in the integration dashboard.

Enable IP rules

Once the integration configuration is complete, enable the IP rules that you would like to synchronize with AWS WAF. Navigate to Protection → Custom Policy → Malicious Sources tab to configure or enable IP rules. You can either enable an already existing policy, or you can create a new policy by clicking on the Add Policy button. In the screenshot below, an already existing policy (AWS IP Set Rules) was enabled after AWS WAF integration was completed.

Note:
Only policies that are created, enabled, or disabled after the integration is completed are propagated to AWS WAF. Policies that were already enabled before the integration is completed are not propagated to AWS WAF.

You edit or view the policy to add or view the existing policy. For example, in the below screenshot, we see that the IP address range 117.254.1.136/32 has been configured. All the requests coming from this range of IP addresses would be blocked. 


View the Traceable policy in AWS WAF

When the Traceable policy is propagated to AWS WAF, it is shown as TraceableRules. To view the IP addresses sent from Traceable, log in to your AWS management console and navigate to WAF & Shield. Click on Rule groups inside AWS WAF menu. 

Click on TraceableRules. On the TraceableRules page, click on the name of the rule. All the rules that were enabled in Traceable are displayed here. Click on rule to view the details. 

You can also view the IP address by clicking on the Web ACLs or IP sets under AWS WAF.


Was this article helpful?