Waf on dKade's noteshttps://dkade.com/tags/waf/Recent content in Waf on dKade's notesHugo -- gohugo.ioendkade@dkade.com (Daniel Loureiro)dkade@dkade.com (Daniel Loureiro)Thu, 11 Mar 2021 00:00:00 +0000Tips and lessons learnt by using AWS FMS and WAFv2https://dkade.com/posts/aws_tips_waf_fms/Thu, 11 Mar 2021 00:00:00 +0000dkade@dkade.com (Daniel Loureiro)https://dkade.com/posts/aws_tips_waf_fms/<ul> <li>Properly plan for your WAF logs, this will be the hardest part;</li> <li>Logs are activated per WebACL so each account needs to have a properly configured Kinesis Data Firehose. It is possible to enable the logs from FMS</li> <li>When creating Cloudformation stack make sure you make resources dependent on another or WAF will quickly rate limit Cloudformation and your stack will fail</li> <li>Use JSON in Cloudformation if you have accounts starting with 0. PyYAML has a <a href="https://github.com/yaml/pyyaml/issues/98">bug</a></li> <li>Instead of Cloudformation you can use Terraform (when I started building the solution this wasn&rsquo;t possible)</li> <li>Before activating an account on a FMS Policy, make sure that account has AWS Config enabled</li> <li>Use AWS Managed rules as they are created with standards in mind for example protecting from <a href="https://owasp.org/www-project-top-ten/">OWASP Top 10</a></li> <li>AWS WAF uses web ACL capacity units and you are limited to 1500, you can request increase but it&rsquo;s not simple, so plan accordingly because if you need to change the WCU capacity of a Rule group you have to create a new one and delete the old one</li> <li>Rate limit rules can ONLY be added to WebACLs and are related to that WebACL. There is no option at the moment to add them to FMS, we are working with AWS to change this;</li> </ul>
  • Properly plan for your WAF logs, this will be the hardest part;
  • Logs are activated per WebACL so each account needs to have a properly configured Kinesis Data Firehose. It is possible to enable the logs from FMS
  • When creating Cloudformation stack make sure you make resources dependent on another or WAF will quickly rate limit Cloudformation and your stack will fail
  • Use JSON in Cloudformation if you have accounts starting with 0. PyYAML has a bug
  • Instead of Cloudformation you can use Terraform (when I started building the solution this wasn’t possible)
  • Before activating an account on a FMS Policy, make sure that account has AWS Config enabled
  • Use AWS Managed rules as they are created with standards in mind for example protecting from OWASP Top 10
  • AWS WAF uses web ACL capacity units and you are limited to 1500, you can request increase but it’s not simple, so plan accordingly because if you need to change the WCU capacity of a Rule group you have to create a new one and delete the old one
  • Rate limit rules can ONLY be added to WebACLs and are related to that WebACL. There is no option at the moment to add them to FMS, we are working with AWS to change this;
    • ]]>    How OLX Europe Fights Millions of Bots with AWShttps://dkade.com/posts/olx_aws_post_/Mon, 08 Mar 2021 00:00:00 +0000dkade@dkade.com (Daniel Loureiro)https://dkade.com/posts/olx_aws_post_/<p>My latest work done in OLX was featured by AWS on their own blog! I&rsquo;m really happy with it. I talk about using AWS Firewall Manager + WAFv2 and in house tools to fight attacks. A big kudos to <a href="https://www.linkedin.com/in/gabrielsoltz/">Gabril Soltz</a> for his amazing work with the WAFBot.</p> <p>Read more at -&gt; <a href="https://aws.amazon.com/blogs/architecture/field-notes-how-olx-europe-fights-millions-of-bots-with-aws/">https://aws.amazon.com/blogs/architecture/field-notes-how-olx-europe-fights-millions-of-bots-with-aws/</a></p>My latest work done in OLX was featured by AWS on their own blog! I’m really happy with it. I talk about using AWS Firewall Manager + WAFv2 and in house tools to fight attacks. A big kudos to Gabril Soltz for his amazing work with the WAFBot.

    Read more at -> https://aws.amazon.com/blogs/architecture/field-notes-how-olx-europe-fights-millions-of-bots-with-aws/

    ]]>