AWS WAF
AWS WAF is a web application firewall that lets you monitor the HTTP(S) requests that are forwarded to your protected web application resources. AWS WAF lets you control access to your content.
To learn more about the service, see the AWS WAF documentation.
Prerequisites
Permissions
- Administrator role in AWS to configure WAF accounts and services
- "Organization Admin" role in MD.ECO
Prefixes offered by default
Currently, it is not possible to specify a key prefix (such as "WAF") for the log delivery. This is why we suggest using a dedicated S3 bucket.
The logs will be saved in the S3 bucket with the following structure: AWSLogs/{{OrgID}}/WAFLogs/{{Region}}/{{WafName}}/
Prerequisite Variables
- {{S3WAFAuditBucketName}}: Name of the bucket which will be used for the transfer of logs with MD.ECO, to be created beforehand with the "S3 Implementation - Basic configuration of an S3 Bucket" procedure.
  Caution: the bucket name {{S3WAFAuditBucketName}} must start with aws-waf-logs-, e.g. aws-waf-logs-{{SingleValue}}. Reference: Amazon Simple Storage Service - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced.
- {{MondataOrgID}}: Identifier provided by Mondata for the security configuration.
- {{WAFAccountOrgID}}: Identifier of the account (organization member) where the WAFs are configured; it is used as aws:SourceAccount in the bucket policy below. If there are multiple accounts, replicate the configuration blocks for each one.
- {{Region}}: The region in which the WAF accounts are located.
Configuration steps
Configuration of the S3 Bucket (Organizational Audit)
Add the following statements to the bucket policy of {{S3WAFAuditBucketName}}. The first lets the AWS log delivery service write objects only under the account's own AWSLogs/{{WAFAccountOrgID}}/ prefix (with bucket-owner-full-control), the second lets it read the bucket ACL; both are restricted to deliveries originating from that account and region. Repeat both statements for each {{WAFAccountOrgID}}:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{S3WAFAuditBucketName}}/AWSLogs/{{WAFAccountOrgID}}/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{WAFAccountOrgID}}",
          "s3:x-amz-acl": "bucket-owner-full-control"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:{{Region}}:{{WAFAccountOrgID}}:*"
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::{{S3WAFAuditBucketName}}",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{WAFAccountOrgID}}"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:{{Region}}:{{WAFAccountOrgID}}:*"
        }
      }
    }
  ]
}
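The page says to replicate the two statements for every WAF account. The script below is an added example (not part of the original procedure or of Mondata's tooling) that generates the complete bucket policy for a list of accounts, enforces the aws-waf-logs- naming rule, and reads back which prefixes the log delivery service may write to so the result can be reviewed before it is applied. The bucket name, region and account ids are constructed sample values standing in for the page's placeholders; the Sid suffix per account is this example's own convention.

```python
import json

# Constructed sample values standing in for {{S3WAFAuditBucketName}}, {{Region}}
# and {{WAFAccountOrgID}}; not real accounts or buckets.
BUCKET = "aws-waf-logs-example-audit"
REGION = "eu-west-1"
WAF_ACCOUNTS = ["111111111111", "222222222222"]

LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"


def valid_bucket_name(name):
    """AWS WAF only delivers logs to a bucket whose name starts with aws-waf-logs-.
    The remaining checks are the basic S3 naming rule (3-63 lowercase chars)."""
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789.-")
    return (name.startswith("aws-waf-logs-")
            and 3 <= len(name) <= 63
            and set(name) <= allowed)


def delivery_statements(bucket, region, account_id):
    """The two statements from the page for one WAF account. The account id is
    appended to each Sid so the replicated blocks keep distinct identifiers."""
    source_arn = f"arn:aws:logs:{region}:{account_id}:*"
    return [
        {
            "Sid": f"AWSLogDeliveryWrite{account_id}",
            "Effect": "Allow",
            "Principal": {"Service": LOG_DELIVERY_SERVICE},
            "Action": "s3:PutObject",
            # Scoped to this account's own prefix: deliveries from one account
            # cannot land in another account's AWSLogs/<account>/ path.
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": account_id,
                    "s3:x-amz-acl": "bucket-owner-full-control",
                },
                "ArnLike": {"aws:SourceArn": source_arn},
            },
        },
        {
            "Sid": f"AWSLogDeliveryAclCheck{account_id}",
            "Effect": "Allow",
            "Principal": {"Service": LOG_DELIVERY_SERVICE},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": source_arn},
            },
        },
    ]


def build_bucket_policy(bucket, region, accounts):
    """Complete bucket policy document: one pair of statements per WAF account."""
    if not valid_bucket_name(bucket):
        raise ValueError(f"bucket name {bucket!r} must start with aws-waf-logs-")
    statements = []
    for account_id in accounts:
        statements.extend(delivery_statements(bucket, region, account_id))
    return {"Version": "2012-10-17", "Statement": statements}


def writable_prefixes(policy):
    """Object paths the log delivery service may write to, read back from the
    policy: a quick review that each account has exactly its own path."""
    prefixes = []
    for st in policy["Statement"]:
        if (st.get("Action") == "s3:PutObject"
                and st["Principal"].get("Service") == LOG_DELIVERY_SERVICE):
            prefixes.append(st["Resource"].split(":::", 1)[1])
    return prefixes


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, REGION, WAF_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("writable prefixes:", writable_prefixes(policy))
```

Run it once per audit bucket and compare the printed prefixes with the list of WAF accounts: any prefix that is not AWSLogs/<one of your accounts>/* means a statement was copied with the wrong identifier.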
ARN retrieval
Run the following command in {{Region}} to retrieve the ARNs of all your regional WAF web ACLs:
  aws wafv2 list-web-acls --scope REGIONAL --region {{Region}}
Configuring logging
Reproduce the following configuration for each WAF to monitor, replacing these variables:
- {{WAFARN}}: each WAF ARN retrieved in the previous section.
- {{S3WAFAuditBucketName}}: Name of the bucket created earlier for the transfer of logs with MD.ECO.
The JSON below is the input document of the put-logging-configuration call. Save it to a file (the name is arbitrary) and pass it with --cli-input-json; note that LogDestinationConfigs must contain the bucket ARN, not the bare bucket name:
  aws wafv2 put-logging-configuration --cli-input-json file://logging-configuration.json
{
  "LoggingConfiguration": {
    "ResourceArn": "{{WAFARN}}",
    "LogDestinationConfigs": [
      "arn:aws:s3:::{{S3WAFAuditBucketName}}"
    ]
  }
}
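As an added example (not part of the page's procedure or of any Mondata tool), the script below builds the put-logging-configuration input for every web ACL returned by list-web-acls, normalises the bucket name from the page's variable into the ARN the API requires, and runs the check a practitioner wants after the rollout: comparing list-web-acls with list-logging-configurations output to find web ACLs that still do not ship logs to the audit bucket. The two JSON documents are constructed samples in the shape of the CLI output, trimmed to the fields used; the ARNs and ids in them are placeholders.

```python
import json

# Constructed sample values; the ARNs and ids below are placeholders, not real resources.
BUCKET = "aws-waf-logs-example-audit"  # stands in for {{S3WAFAuditBucketName}}
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# Shape of `aws wafv2 list-web-acls --scope REGIONAL` output, trimmed to the fields used.
LIST_WEB_ACLS = {
    "WebACLs": [
        {"Name": "api-acl", "Id": "00000000-0000-0000-0000-000000000001",
         "ARN": "arn:aws:wafv2:eu-west-1:111111111111:regional/webacl/api-acl/00000000-0000-0000-0000-000000000001"},
        {"Name": "portal-acl", "Id": "00000000-0000-0000-0000-000000000002",
         "ARN": "arn:aws:wafv2:eu-west-1:111111111111:regional/webacl/portal-acl/00000000-0000-0000-0000-000000000002"},
    ]
}

# Shape of `aws wafv2 list-logging-configurations --scope REGIONAL` output after a
# partial rollout: api-acl logs to the audit bucket, portal-acl was pointed elsewhere.
LIST_LOGGING_CONFIGURATIONS = {
    "LoggingConfigurations": [
        {"ResourceArn": LIST_WEB_ACLS["WebACLs"][0]["ARN"],
         "LogDestinationConfigs": [BUCKET_ARN]},
        {"ResourceArn": LIST_WEB_ACLS["WebACLs"][1]["ARN"],
         "LogDestinationConfigs": ["arn:aws:s3:::aws-waf-logs-somewhere-else"]},
    ]
}


def bucket_arn(name_or_arn):
    """put-logging-configuration takes the bucket ARN; a bare bucket name is
    rejected, so normalise the page's bucket-name variable into an ARN."""
    if name_or_arn.startswith("arn:aws:s3:::"):
        return name_or_arn
    if not name_or_arn.startswith("aws-waf-logs-"):
        raise ValueError("WAF log buckets must be named aws-waf-logs-*")
    return f"arn:aws:s3:::{name_or_arn}"


def web_acl_arns(list_output):
    """The {{WAFARN}} values: ARNs from list-web-acls output."""
    return [acl["ARN"] for acl in list_output.get("WebACLs", [])]


def logging_configuration_input(web_acl_arn, bucket):
    """Input document for `put-logging-configuration --cli-input-json file://...`."""
    return {
        "LoggingConfiguration": {
            "ResourceArn": web_acl_arn,
            "LogDestinationConfigs": [bucket_arn(bucket)],
        }
    }


def web_acls_missing_audit_logging(list_output, logging_output, bucket):
    """Post-rollout check: every web ACL should ship logs to the audit bucket.
    Returns the ARNs that have no logging configuration or log somewhere else."""
    wanted = bucket_arn(bucket)
    logged_to_bucket = {
        cfg["ResourceArn"]
        for cfg in logging_output.get("LoggingConfigurations", [])
        if wanted in cfg.get("LogDestinationConfigs", [])
    }
    return [arn for arn in web_acl_arns(list_output) if arn not in logged_to_bucket]


if __name__ == "__main__":
    for arn in web_acl_arns(LIST_WEB_ACLS):
        print(json.dumps(logging_configuration_input(arn, BUCKET), indent=2))
    missing = web_acls_missing_audit_logging(
        LIST_WEB_ACLS, LIST_LOGGING_CONFIGURATIONS, BUCKET)
    print("web ACLs not logging to the audit bucket:", missing)
```

In practice the two dictionaries would be loaded from the JSON the CLI prints (json.load on the saved output); the check is worth re-running periodically, since a web ACL created after the rollout has no logging configuration at all and will show up in the missing list.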
Notify Mondata with instance information
Include the following information:
- {{S3WAFAuditBucketName}}