Web Application Firewall (WAF)
Overview
Depot Gateway resources such as the API and IAM Gateway can be protected with a Web Application Firewall (WAF). WebSocket and Lambda Gateway resources do not support a WAF configuration.
Simple Configuration
Here is a minimal WAF configuration for a Depot Gateway that accepts every default:
new Gateway.API(stack, "ApiGateway", {
environment: depotEnvironment,
firewall: {}
});
The above configuration will enable the standard selection of AWS Managed WAF Rules.
Custom Configuration
If you wish to provide a custom block list of IP addresses, or to override the default set of AWS Managed WAF rules that Depot provides, you can do this too.
Custom IP Blocking
The configuration below blocks the address ranges 1.2.3.0/16 and 10.10.0.1/24, and the single IP address 1.2.3.4 (written as 1.2.3.4/32).
firewall: {
ipAddresses: {
blocked: [
"1.2.3.0/16",
"10.10.0.1/24",
"1.2.3.4/32"
]
}
}
If you want to reverse the logic, provide only a list of allowed (whitelisted) IP addresses or ranges: everything except those addresses is then blocked. The WAF Web ACL's default action becomes 'block', and the listed IP addresses are explicitly allowed.
firewall: {
ipAddresses: {
allowed: [
"192.168.100.0/24",
"89.105.34.0/24",
"71.14.67.12/32"
]
}
}
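To reason about how the two ipAddresses variants above behave before a deploy, the following model of the documented semantics is useful. It is an added example written for this page, not code from @stage-tech/depot-cdk; the IpAddressConfig type, the evaluate and defaultAction functions and the sample configurations are assumptions that mirror the snippets above, not the library's API.

```typescript
// Added example: models the firewall.ipAddresses behaviour described above.
// Types and functions here are illustrative assumptions, not the library's own API.

interface IpAddressConfig {
  blocked?: string[];
  allowed?: string[];
}

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when `ip` lies inside `cidr`. Host bits set in the base address
// (as in "1.2.3.0/16") are masked off by this model, so the block covers 1.2.0.0-1.2.255.255.
function inCidr(ip: string, cidr: string): boolean {
  const parts = cidr.split("/");
  const prefix = parts.length > 1 ? Number(parts[1]) : 32;
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`invalid prefix length in ${cidr}`);
  }
  // Shifting by 32 is a no-op in JS, so /0 needs its own case.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(parts[0]) & mask) >>> 0);
}

// Web ACL default action as documented: 'allow' unless an allow list is given,
// in which case anything not on the list is blocked.
function defaultAction(cfg: IpAddressConfig): "allow" | "block" {
  return cfg.allowed && cfg.allowed.length > 0 ? "block" : "allow";
}

// Decide what the Web ACL does with a request from `ip` under `cfg`.
function evaluate(cfg: IpAddressConfig, ip: string): "allow" | "block" {
  if (cfg.blocked?.some((c) => inCidr(ip, c))) return "block";
  if (cfg.allowed?.some((c) => inCidr(ip, c))) return "allow";
  return defaultAction(cfg);
}

// Constructed sample configurations mirroring the two snippets above.
const blockListExample: IpAddressConfig = { blocked: ["1.2.3.0/16", "10.10.0.1/24", "1.2.3.4/32"] };
const allowListExample: IpAddressConfig = { allowed: ["192.168.100.0/24", "89.105.34.0/24", "71.14.67.12/32"] };
```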
Custom AWS Managed Rule Selection
To customise the AWS Managed WAF rule selection, replacing the default selection we provide, pass in a list of managed rules. The available rules are defined in an enum type for convenience.
First, import the enum type:
import { StageDepotAwsManagedWafRule } from "@stage-tech/depot-cdk";
Provide the managedRules configuration along with your gateway configuration:
firewall: {
managedWafRules: [
StageDepotAwsManagedWafRule.AWSManagedRulesCommonRuleSet,
StageDepotAwsManagedWafRule.AWSManagedRulesAdminProtectionRuleSet
]
}
Log4j2 CVE-2021-44228 Vulnerability Example Configuration
To enable a configuration that should help protect against this vulnerability (https://aws.amazon.com/security/security-bulletins/AWS-2021-005/), here is a simple configuration to start with:
firewall: {
managedWafRules: [
StageDepotAwsManagedWafRule.AWSManagedRulesKnownBadInputsRuleSet
]
}
If you have not used WAF with your Depot environment in the past, it is a good idea to start with a minimal configuration such as the above. Every rule set introduces new blocking behaviours, so each time you add a broadly scoped rule set you risk blocking otherwise valid requests (for example, StageDepotAwsManagedWafRule.AWSManagedRulesCommonRuleSet can introduce request body and query string size restrictions, which can play havoc with large GraphQL schemas and introspection).
AWS Managed WAF Rules
The default managedWafRules selection (used if you do not specify this property) adds all AWS Managed rule sets that Depot exposes. Each rule set 'costs' a certain number of WCUs (web ACL capacity units). See the AWS docs for more information about how WCUs work and how they are priced.
These are the AWS Managed rule sets that are enabled by default if you do not choose a specific selection yourself:
AWSManagedRulesCommonRuleSet
The Core rule set (CRS) rule group contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including high risk and commonly occurring vulnerabilities described in OWASP publications. Consider using this rule group for any AWS WAF use case. WCU cost = 700
AWSManagedRulesAdminProtectionRuleSet
The Admin protection rule group contains rules that allow you to block external access to exposed administrative pages. This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application. WCU cost = 100
AWSManagedRulesKnownBadInputsRuleSet
The Known bad inputs rule group contains rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application. WCU cost = 200
AWSManagedRulesAmazonIpReputationList
The Amazon IP reputation list rule group contains rules that are based on Amazon internal threat intelligence. This is useful if you would like to block IP addresses typically associated with bots or other threats. Blocking these IP addresses can help mitigate bots and reduce the risk of a malicious actor discovering a vulnerable application. WCU cost = 25