AWS integration
  • 31 Aug 2023

Article Summary

AWS WAF (Web Application Firewall) is a service offered by Amazon Web Services (AWS) that helps protect web applications from common web exploits that could affect their availability, compromise security, or consume excessive resources. It allows customers to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting (XSS) attacks, as well as to define customized rules that protect against more specific threats. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service provided by AWS. It is designed to protect web applications running on AWS against DDoS attacks. 

Together, AWS WAF and Shield can be used to provide a comprehensive defense against web-based attacks and ensure the availability and security of web applications running on AWS. Traceable provides an integration with AWS. You can choose from an agentless or agent-based deployment option. For more information on Traceable agents, see the Installation section. Traceable's integration with AWS supports the following two types of rules:

  • IP range rules
  • Threat actor rules

When the configuration is complete, the corresponding rules are added to the AWS platform.

The following is a high-level integration diagram:

The threat actor module detects malicious activities and reports them as threats. The Custom Policy Module is used to set custom policies; only the IP Range policy type is supported for this integration.


Before you begin

Make a note of the following before proceeding with AWS WAF integration:

  • Make sure that you have an AWS Access Key ID and AWS Secret Access Key from the AWS management console.
  • Make sure that you have the Web ACL ARN for the resource that you wish to integrate Traceable with. You can apply the Traceable rules to a region or to CloudFront resources.
  • The document assumes that you have reasonable knowledge of the AWS management console, for example, how to create Web ACLs, access keys, secret keys, and so on.

AWS permissions

Make a note of the following IAM permissions required:

Resource     AWS service    Actions
RuleGroup    WAFv2          CreateRuleGroup, UpdateRuleGroup, GetRuleGroup, ListRuleGroups, DeleteRuleGroup
IPSet        WAFv2          GetIPSet, CreateIPSet, UpdateIPSet, ListIPSets, DeleteIPSet
WebACL       WAFv2          UpdateWebACL, GetWebACL

Note that IPSets and RuleGroups are created, updated, and deleted, while WebACLs are only read and updated. You need access to these resources in the corresponding regions while setting up the WAF.

Note
For the WebACL statement, also add the RuleGroup permission in that region so that the Traceable RuleGroup can be associated with the WebACL.

Sample policy

Following is a sample policy to help you configure various permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IPSetStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:GetIPSet",
                "wafv2:CreateIPSet",
                "wafv2:UpdateIPSet",
                "wafv2:DeleteIPSet"
            ],
            "Resource": [
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/ipset/*/*"
            ]
        },
        {
            "Sid": "RuleGroupStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:GetRuleGroup",
                "wafv2:CreateRuleGroup",
                "wafv2:UpdateRuleGroup",
                "wafv2:DeleteRuleGroup"
            ],
            "Resource": [
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/rulegroup/*/*",
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/ipset/*/*"
            ]
        },
        {
            "Sid": "WebACLStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:GetWebACL",
                "wafv2:UpdateWebACL"
            ],
            "Resource": [
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/webacl/*/*",
                "arn:aws:wafv2:*:<AWS_ACCOUNT_ID>:*/rulegroup/*/*"
            ]
        },
        {
            "Sid": "ListStatement",
            "Effect": "Allow",
            "Action": [
                "wafv2:ListRuleGroups",
                "wafv2:ListIPSets"
            ],
            "Resource": "*"
        }
    ]
}
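Before attaching a policy like the one above, it is worth checking it offline against the permission table: every required wafv2 action must be granted, nothing beyond that set should be granted, and only the List calls (which take no resource ARN) should be allowed on "*". The following script is an added example, not Traceable's or AWS's own code. It holds the page's sample policy as Python data with a constructed placeholder account id, plus a constructed over-broad policy to show what a finding looks like; it ignores Deny statements and IAM conditions.

```python
"""Offline least-privilege check of a WAF IAM policy against the permission table."""
import fnmatch

ACCOUNT_ID = "123456789012"  # constructed placeholder for <AWS_ACCOUNT_ID>

# Every action the integration needs, taken from the permission table.
REQUIRED_ACTIONS = frozenset({
    "wafv2:CreateRuleGroup", "wafv2:UpdateRuleGroup", "wafv2:GetRuleGroup",
    "wafv2:ListRuleGroups", "wafv2:DeleteRuleGroup",
    "wafv2:GetIPSet", "wafv2:CreateIPSet", "wafv2:UpdateIPSet",
    "wafv2:ListIPSets", "wafv2:DeleteIPSet",
    "wafv2:GetWebACL", "wafv2:UpdateWebACL",
})

# The sample policy grants the List* calls on "*"; every other action is
# expected to be scoped to a wafv2 resource ARN.
LIST_ACTIONS = frozenset(a for a in REQUIRED_ACTIONS if a.startswith("wafv2:List"))


def arn(resource_type):
    """Region- and scope-agnostic wafv2 ARN pattern, as in the sample policy."""
    return f"arn:aws:wafv2:*:{ACCOUNT_ID}:*/{resource_type}/*/*"


# The page's sample policy, as Python data.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IPSetStatement", "Effect": "Allow",
         "Action": ["wafv2:GetIPSet", "wafv2:CreateIPSet",
                    "wafv2:UpdateIPSet", "wafv2:DeleteIPSet"],
         "Resource": [arn("ipset")]},
        {"Sid": "RuleGroupStatement", "Effect": "Allow",
         "Action": ["wafv2:GetRuleGroup", "wafv2:CreateRuleGroup",
                    "wafv2:UpdateRuleGroup", "wafv2:DeleteRuleGroup"],
         "Resource": [arn("rulegroup"), arn("ipset")]},
        {"Sid": "WebACLStatement", "Effect": "Allow",
         "Action": ["wafv2:GetWebACL", "wafv2:UpdateWebACL"],
         "Resource": [arn("webacl"), arn("rulegroup")]},
        {"Sid": "ListStatement", "Effect": "Allow",
         "Action": ["wafv2:ListRuleGroups", "wafv2:ListIPSets"],
         "Resource": "*"},
    ],
}

# Constructed counter-example: one wildcard statement instead of scoped ones.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllWaf", "Effect": "Allow",
                   "Action": "wafv2:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def granted(policy):
    """Map each granted action to the set of (sid, resource) pairs granting it.

    Wildcard action patterns are expanded against REQUIRED_ACTIONS and also
    kept under the pattern itself so the audit reports them as over-broad.
    Deny statements are ignored by this simplified check.
    """
    grants = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        resources = _as_list(stmt.get("Resource", []))
        for pattern in _as_list(stmt.get("Action", [])):
            targets = [a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a, pattern)]
            if "*" in pattern or "?" in pattern or not targets:
                targets.append(pattern)  # wildcard, or a concrete action outside the set
            for action in targets:
                grants.setdefault(action, set()).update((sid, r) for r in resources)
    return grants


def audit(policy):
    """Return the findings a reviewer wants: missing, extra, and unscoped actions."""
    grants = granted(policy)
    return {
        "missing": sorted(REQUIRED_ACTIONS - set(grants)),
        "extra": sorted(a for a in grants if a not in REQUIRED_ACTIONS),
        "star_resource": sorted(
            (sid, action)
            for action, pairs in grants.items() if action not in LIST_ACTIONS
            for sid, resource in pairs if resource == "*"),
    }


def without_statement(policy, sid):
    """Copy of the policy with one statement removed, to show a missing-permission finding."""
    return {**policy, "Statement": [s for s in policy["Statement"] if s.get("Sid") != sid]}


if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_POLICY), ("overbroad", OVERBROAD_POLICY),
                         ("no WebACL", without_statement(SAMPLE_POLICY, "WebACLStatement"))):
        print(name, audit(policy))
```

Run against the sample policy all three lists are empty; the over-broad policy is reported under "extra" (the `wafv2:*` pattern) and under "star_resource" for every non-List action, and dropping the WebACL statement surfaces the two missing WebACL actions.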

Configuration

To integrate Traceable with AWS WAF, complete the following steps:

  1. Navigate to Integrations → WAF menu and click Configure on the AWS card.
  2. In the integration window, provide all the details. The Description field is mandatory. You can add one or more resources, as shown in the screenshot.
  3. Choose the Action Type from the drop-down list. You can select Allow or block, or Count.
    1. Allow or block - Whether a request is allowed or blocked is decided by the IP range rules. These rules are configured as part of the Malicious Sources policy.
    2. Count - When you select Count, none of the requests are blocked; in other words, it acts like an allow-all rule. The Count action applies to the existing blocked IP addresses and rules as well. In this case, only metrics are recorded. For more information on Count, see the AWS documentation.
  4. Click on Save. You can view the AWS WAF integration in the integration dashboard.

Enable IP rules

Once the integration configuration is complete, enable the IP rules that you would like to synchronize with AWS WAF. Navigate to Protection → Custom Policy → Malicious Sources tab to configure or enable IP rules. You can either enable an already existing policy, or you can create a new policy by clicking on the Add Policy button. In the screenshot below, an already existing policy (AWS IP Set Rules) was enabled after AWS WAF integration was completed.

Note:
Only policies that are created, enabled, or disabled after the integration is completed are propagated to AWS WAF. Policies that were already enabled before the integration is completed are not propagated to AWS WAF.

Edit the policy to add IP ranges, or view it to see the ranges already configured. For example, in the screenshot below, the IP address range 117.254.1.136/32 has been configured. All requests coming from this range of IP addresses would be blocked.
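The Action Type chosen during configuration and the IP range policy enabled here combine as follows: with Allow or block, a request from a configured range gets the action set on the matching policy; with Count, nothing is blocked and a metric is recorded for each matching range instead, including ranges on a blocking policy. The following is an added toy model of that behaviour, not Traceable's or AWS's own code. The 117.254.1.136/32 range comes from the example above; the partner range, the request addresses, and the default-allow result for unmatched requests are constructed assumptions.

```python
"""Toy model of the Action Type choice for the propagated IP range rules."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IpRangeRule:
    name: str      # policy name as shown in Traceable
    action: str    # "BLOCK" or "ALLOW", set on the Malicious Sources policy
    cidrs: tuple   # CIDR strings as entered in the policy

    def matches(self, ip):
        return any(ip in ipaddress.ip_network(c, strict=False) for c in self.cidrs)


class PropagatedRuleGroup:
    """Rules as synchronised to AWS WAF, evaluated under one integration Action Type."""

    ACTION_TYPES = ("allow_or_block", "count")

    def __init__(self, rules, action_type):
        if action_type not in self.ACTION_TYPES:
            raise ValueError(f"action_type must be one of {self.ACTION_TYPES}")
        self.rules = tuple(rules)
        self.action_type = action_type
        self.metrics = Counter()  # (rule name, recorded action) -> hits

    def evaluate(self, src_ip):
        """Return "ALLOW" or "BLOCK" for one request and record metrics."""
        ip = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if not rule.matches(ip):
                continue
            if self.action_type == "count":
                # Count is non-terminating: record the hit, keep checking the
                # remaining rules, and never block, even for a BLOCK policy.
                self.metrics[(rule.name, "COUNT")] += 1
                continue
            # Allow or block: the first matching rule's own action decides.
            self.metrics[(rule.name, rule.action)] += 1
            return rule.action
        # No range matched (or Count mode): fall through to the Web ACL
        # default action, assumed here to be allow.
        return "ALLOW"


RULES = (
    # Range from the screenshot described above, on a blocking policy.
    IpRangeRule("AWS IP Set Rules", "BLOCK", ("117.254.1.136/32",)),
    # Constructed allow-listed partner range (TEST-NET-3 documentation prefix).
    IpRangeRule("Partner allow list", "ALLOW", ("203.0.113.0/24",)),
)

# Constructed request sources: one per rule plus one unmatched address.
REQUESTS = ("117.254.1.136", "203.0.113.7", "198.51.100.9")


def run_demo(action_type, requests=REQUESTS):
    """Evaluate the sample requests; return ({ip: decision}, {metric: hits})."""
    group = PropagatedRuleGroup(RULES, action_type)
    decisions = {ip: group.evaluate(ip) for ip in requests}
    return decisions, dict(group.metrics)


if __name__ == "__main__":
    for mode in PropagatedRuleGroup.ACTION_TYPES:
        decisions, metrics = run_demo(mode)
        print(mode, decisions, metrics)
```

The useful contrast is in the metrics: under Count the same two rules register hits, so the range you intend to block can be watched for false positives before switching the Action Type to Allow or block.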


View the Traceable policy in AWS WAF

When the Traceable policy is propagated to AWS WAF, it is shown as TraceableRules. To view the IP addresses sent from Traceable, log in to your AWS management console and navigate to WAF & Shield. Click on Rule groups inside AWS WAF menu. 

Click on TraceableRules. On the TraceableRules page, click on the name of the rule. All the rules that were enabled in Traceable are displayed here. Click on a rule to view its details.

You can also view the IP addresses by clicking on Web ACLs or IP sets under AWS WAF.
