AWS integration
  • 15 May 2024

AWS WAF (Web Application Firewall) is a service offered by Amazon Web Services (AWS) that helps protect web applications from common web exploits that could affect their availability, compromise security, or consume excessive resources. It allows customers to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting (XSS) attacks, and to define customized rules that protect against more specific threats. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service provided by AWS. It is designed to protect web applications running on AWS against DDoS attacks.

Together, AWS WAF and Shield can provide a comprehensive defense against web-based attacks and ensure the availability and security of web applications running on AWS. Traceable provides an integration with AWS. You can choose from an agentless or agent-based deployment option. For more information on Traceable agents, see the Installation section. Traceable's integration with AWS supports the following two types of rules:

  • IP range rules

  • Threat actor rules

The corresponding rules are added to the AWS platform when the configuration is complete. The following is a high-level integration diagram:

The threat actor module detects malicious activities as threats. The Custom Policy module defines custom policies; of these, only the IP Range policy is supported by the integration.


Before you begin

Make a note of the following before proceeding with AWS WAF integration:

  • Make sure that you have access to the AWS Access Key ID and AWS Secret Access Key from the AWS management console.

  • Make sure that you have the Web ACL ARN for the resource you wish to integrate Traceable with. You can apply the Traceable rules for a region or for CloudFront resources.

  • The document assumes that you have reasonable knowledge of the AWS management console, for example, how to create Web ACLs, access key, secret key, and so on.

AWS permissions

Make a note of the following IAM permissions required:

Resource    AWS service   Actions
RuleGroup   WAFv2         CreateRuleGroup, UpdateRuleGroup, GetRuleGroup, ListRuleGroups, DeleteRuleGroup
IPSet       WAFv2         GetIPSet, CreateIPSet, UpdateIPSet, ListIPSets, DeleteIPSet
WebACL      WAFv2         UpdateWebACL, GetWebACL

Note that IPSets and RuleGroups are created, updated, and deleted, while WebACLs are only updated. You need access to these resources in the corresponding regions while setting up the WAF.

Note

For the WebACL statement, make sure to add RuleGroup permission also in that region so that Traceable RuleGroup can be associated with the WebACL.

Sample policy

Following is a sample policy to help you configure various permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IPSetStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:GetIPSet",
                "wafv2:CreateIPSet",
                "wafv2:UpdateIPSet",
                "wafv2:DeleteIPSet"
            ],
            "Resource": [
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/ipset/*/*"
            ]
        },
        {
            "Sid": "RuleGroupStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:GetRuleGroup",
                "wafv2:CreateRuleGroup",
                "wafv2:UpdateRuleGroup",
                "wafv2:DeleteRuleGroup"
            ],
            "Resource": [
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/rulegroup/*/*",
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/ipset/*/*"
            ]
        },
        {
            "Sid": "WebACLStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:GetWebACL",
                "wafv2:UpdateWebACL"
            ],
            "Resource": [
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/webacl/*/*",
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/rulegroup/*/*",
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/managedruleset/*/*"
            ]
        },
        {
            "Sid": "ListStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:ListRuleGroups",
                "wafv2:ListIPSets"
            ],
            "Resource": "*"
        }
    ]
}
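As an added pre-flight check that is not part of the Traceable documentation or product, the Python below reads an IAM policy document, expands action wildcards, and reports which actions from the permissions table above are not allowed on the matching wafv2 resource ARNs; it also checks the note above that the statement allowing UpdateWebACL must name rulegroup ARNs too. The embedded policy is a constructed, deliberately incomplete variant of the sample policy, and the account ID is a placeholder.

```python
import fnmatch
import json

# Required wafv2 actions per resource type, taken from the permissions table above.
REQUIRED = {
    "rulegroup": {"CreateRuleGroup", "UpdateRuleGroup", "GetRuleGroup", "ListRuleGroups", "DeleteRuleGroup"},
    "ipset": {"GetIPSet", "CreateIPSet", "UpdateIPSet", "ListIPSets", "DeleteIPSet"},
    "webacl": {"UpdateWebACL", "GetWebACL"},
}

def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalize to a list.
    return [value] if isinstance(value, str) else list(value or [])

def _grants(stmt, action, resource_type):
    """True if an Allow statement covers wafv2:<action> on ARNs of resource_type (or on "*")."""
    if stmt.get("Effect") != "Allow":
        return False
    on_resource = any(r == "*" or f"/{resource_type}/" in r for r in _as_list(stmt.get("Resource")))
    on_action = any(fnmatch.fnmatch(f"wafv2:{action}", a) for a in _as_list(stmt.get("Action")))
    return on_resource and on_action

def missing_permissions(policy):
    """Map resource type -> required actions the policy does not allow; {} means complete."""
    missing = {}
    for rtype, actions in REQUIRED.items():
        gaps = sorted(a for a in actions
                      if not any(_grants(s, a, rtype) for s in policy.get("Statement", [])))
        if gaps:
            missing[rtype] = gaps
    return missing

def webacl_statement_covers_rulegroups(policy):
    """The note above: the statement allowing UpdateWebACL must also name rulegroup ARNs."""
    return any(_grants(s, "UpdateWebACL", "webacl") and _grants(s, "UpdateWebACL", "rulegroup")
               for s in policy.get("Statement", []))

# Constructed input: a trimmed copy of the sample policy with one gap for each check above
# (no DeleteIPSet, and no rulegroup ARN in the WebACL statement). Account ID is a placeholder.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
    {"Sid": "IPSetStatement", "Effect": "Allow", "Action": ["wafv2:GetIPSet", "wafv2:CreateIPSet", "wafv2:UpdateIPSet"],
     "Resource": ["arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/ipset/*/*"]},
    {"Sid": "RuleGroupStatement", "Effect": "Allow", "Action": ["wafv2:*RuleGroup"],
     "Resource": ["arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/rulegroup/*/*"]},
    {"Sid": "WebACLStatement", "Effect": "Allow", "Action": ["wafv2:GetWebACL", "wafv2:UpdateWebACL"],
     "Resource": ["arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/webacl/*/*"]},
    {"Sid": "ListStatement", "Effect": "Allow", "Action": ["wafv2:ListRuleGroups", "wafv2:ListIPSets"], "Resource": "*"}
]}""")

if __name__ == "__main__":
    print(missing_permissions(WEAK_POLICY))                 # {'ipset': ['DeleteIPSet']}
    print(webacl_statement_covers_rulegroups(WEAK_POLICY))  # False
```

Run it against the JSON of the policy you intend to attach to the integration's IAM user before entering the access key in Traceable; an empty result from both checks means the sample policy's coverage is met.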

Configuration

To integrate Traceable with AWS WAF, complete the following steps:

  1. Navigate to the Integrations → WAF menu and click Configure on the AWS card.

  2. In the integration window, provide all the details. The Description field is mandatory. You can add one or more resources, as shown in the screenshot.

  3. Select the environment from the Environments drop-down list. You can select one or more environments to integrate AWS WAF.

    Note

    You can have multiple integrations for the same environment, if the WebACL ARN numbers are different.

  4. Choose the Action Type and Target Type from the drop-down list.

    • Action Type: Select Allow or Block, or Count.

      • Allow or Block - The allow or block action is decided based on the IP range rules. These rules are configured as part of the Malicious Sources policy.

      • Count - When you select Count, none of the requests are blocked; in other words, it acts like an allow-all rule. The Count action also applies to the existing blocked IP addresses and rules. In this case, only metrics are recorded. For more information on Count, see AWS documentation.

    • Target Type: You can select one or more targets from Threat Actors, Malicious Sources IP Range, and Custom Signature. Only the selected rules from these are exported to AWS WAF.

  5. Click on Save. You can view the AWS WAF integration in the integration dashboard.


Enable IP rules

Once the integration configuration is complete, enable the IP rules that you would like to synchronize with AWS WAF. Navigate to the Protection → Custom Policy → Malicious Sources tab to configure or enable IP rules. You can enable an existing policy or create a new one by clicking the Add Policy button. The screenshot below shows that an already existing policy (AWS IP Set Rules) was enabled after the AWS WAF integration was completed.

Note:

Only policies that are created, enabled, or disabled after the integration is completed are propagated to AWS WAF. Policies that were already enabled before the integration was completed are not propagated to AWS WAF.

Edit or view the policy to add IP ranges or review the existing ones. For example, in the screenshot below, the IP address range 117.254.1.136/32 has been configured. All requests coming from this range of IP addresses would be blocked.


View the Traceable policy in AWS WAF

When the Traceable policy is propagated to AWS WAF, it is shown as TraceableRules. To view the IP addresses sent from Traceable, log in to your AWS management console and navigate to WAF & Shield. Click Rule groups inside the AWS WAF menu.

Click on TraceableRules. On the TraceableRules page, click on the name of the rule. All the rules that were enabled in Traceable are displayed here. Click on the rule to view the details. 

You can also view the IP address by clicking on the Web ACLs or IP sets under AWS WAF.

