March 11, 2021

Tips and lessons learnt from using AWS FMS and WAFv2

  • Plan for your WAF logs before anything else; in practice this is the hardest part.
  • Logging is enabled per web ACL, so every account that receives a web ACL needs its own properly configured Kinesis Data Firehose delivery stream (the stream name must start with aws-waf-logs-). Logging can also be switched on centrally from the FMS policy.
  • When writing the CloudFormation stack, chain the WAF resources with DependsOn so they are created one after another; otherwise CloudFormation creates them in parallel, the WAF API throttles the calls, and the stack fails.
  • Use JSON for CloudFormation templates if any of your account IDs starts with 0: YAML parsers such as PyYAML can read an unquoted 012345670123 as a number and drop the leading zero. If you stay with YAML, quote every account ID as a string.
  • Instead of CloudFormation you can use Terraform (when I started building the solution this wasn't possible).
  • Before activating an account on an FMS policy, make sure that account has AWS Config enabled; FMS depends on it to discover and remediate resources.
  • Use AWS Managed Rules rule groups: they are built against known standards, for example AWSManagedRulesCommonRuleSet addresses a number of the OWASP Top 10 categories.
  • AWS WAF measures rules in web ACL capacity units (WCUs) and the default quota was 1,500 per web ACL. A quota increase can be requested but is not quick, so size rule groups up front: a rule group's Capacity is fixed at creation, so changing it means creating a new rule group and deleting the old one.
  • Rate-based rules can ONLY be added directly to a web ACL and belong to that web ACL; they cannot be placed in a rule group, so there is currently no way to ship them through an FMS policy. We are working with AWS to change this.
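
The per-account pieces from the list above, written out as an added example (this is not code from the original post or from AWS): a JSON CloudFormation template with a Firehose delivery stream whose name carries the required aws-waf-logs- prefix, a custom rule group whose Capacity is fixed at creation, a web ACL that combines AWSManagedRulesCommonRuleSet, that rule group and a rate-based rule, and the logging configuration that ties the web ACL to the stream. The resource names, the /admin path, the 2000-requests-per-5-minutes limit, the 50 WCU capacity and the Description text are assumptions chosen for illustration; the template assumes the current AWS::WAFv2::LoggingConfiguration resource type. JSON has no comments, so the assumptions are noted here and in the Description.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not from the original post: per-account WAFv2 web ACL with Firehose logging. Names and limits are illustrative.",
  "Resources": {
    "WafLogBucket": {"Type": "AWS::S3::Bucket"},
    "WafLogRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"Service": "firehose.amazonaws.com"},
          "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "AWS::AccountId"}}}}]},
        "Policies": [{"PolicyName": "WriteWafLogsToS3", "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
          "Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:PutObject"],
          "Resource": [{"Fn::GetAtt": ["WafLogBucket", "Arn"]}, {"Fn::Sub": "${WafLogBucket.Arn}/*"}]}]}}]
      }
    },
    "WafLogStream": {
      "Type": "AWS::KinesisFirehose::DeliveryStream",
      "Properties": {
        "DeliveryStreamName": "aws-waf-logs-example",
        "DeliveryStreamType": "DirectPut",
        "S3DestinationConfiguration": {
          "BucketARN": {"Fn::GetAtt": ["WafLogBucket", "Arn"]},
          "RoleARN": {"Fn::GetAtt": ["WafLogRole", "Arn"]},
          "CompressionFormat": "GZIP"
        }
      }
    },
    "AdminPathRuleGroup": {
      "Type": "AWS::WAFv2::RuleGroup",
      "Properties": {
        "Name": "example-admin-path",
        "Scope": "REGIONAL",
        "Capacity": 50,
        "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "ExampleAdminPath"},
        "Rules": [{
          "Name": "BlockAdminPath",
          "Priority": 0,
          "Action": {"Block": {}},
          "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "BlockAdminPath"},
          "Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": "/admin",
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]
          }}
        }]
      }
    },
    "WebAcl": {
      "Type": "AWS::WAFv2::WebACL",
      "DependsOn": ["AdminPathRuleGroup", "WafLogStream"],
      "Properties": {
        "Name": "example-web-acl",
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "ExampleWebAcl"},
        "Rules": [
          {"Name": "AWSManagedRulesCommonRuleSet", "Priority": 0, "OverrideAction": {"None": {}},
           "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "CommonRuleSet"},
           "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}},
          {"Name": "AdminPathRuleGroup", "Priority": 1, "OverrideAction": {"None": {}},
           "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AdminPathRuleGroup"},
           "Statement": {"RuleGroupReferenceStatement": {"Arn": {"Fn::GetAtt": ["AdminPathRuleGroup", "Arn"]}}}},
          {"Name": "RateLimitPerIp", "Priority": 2, "Action": {"Block": {}},
           "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateLimitPerIp"},
           "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}}}
        ]
      }
    },
    "WebAclLogging": {
      "Type": "AWS::WAFv2::LoggingConfiguration",
      "DependsOn": "WebAcl",
      "Properties": {
        "ResourceArn": {"Fn::GetAtt": ["WebAcl", "Arn"]},
        "LogDestinationConfigs": [{"Fn::GetAtt": ["WafLogStream", "Arn"]}],
        "RedactedFields": [{"SingleHeader": {"Name": "authorization"}}]
      }
    }
  }
}
```

The explicit DependsOn entries force CloudFormation to create the rule group, the web ACL and the logging configuration one at a time; in a larger template with several independent rule groups or IP sets, chain those to each other in the same way, because nothing else stops CloudFormation from firing all the WAF API calls at once. The Firehose stream must live in the same account and region as the web ACL (us-east-1 for a CLOUDFRONT-scoped web ACL), which is why the stream cannot be shared across accounts. The rate-based rule sits directly in the web ACL because it cannot be placed in a rule group; with an FMS-managed web ACL it would have to be added to that web ACL by hand. The custom rule group's Capacity of 50 leaves headroom above what its single rule needs, since the value cannot be changed later without recreating the group, and the Authorization header is redacted from the logs so bearer tokens never reach S3.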

© dkade 2021
