Restrict access based on IP address or geolocation by using AWS WAF - AWS Prescriptive Guidance

Created by Louis Hourcade (AWS)

Code repository: GitHub repository in aws-samples

Environment: PoC or pilot

Technologies: Security, identity, compliance; Web & mobile apps

AWS services: AWS CDK; AWS WAF

Summary

AWS WAF is a web application firewall that helps protect web applications and APIs against common web exploits and bots that can affect availability, compromise security, or consume excessive resources. Web access control lists (web ACLs) in AWS WAF give you control over how traffic reaches your applications. In a web ACL, you add rules or rule groups that are designed to permit legitimate traffic, control bot traffic, and block common attack patterns. For more information, see How AWS WAF works.

You can add the following types of rules to your AWS WAF web ACLs:

  • Managed rule groups – AWS Managed Rules teams and AWS Marketplace sellers offer preconfigured sets of rules. Some managed rule groups are designed to help protect specific types of web applications. Others offer broad protection against known threats or common vulnerabilities.

  • Custom rules and custom rule groups – You can also create rules and rule groups that customize access to your web applications and APIs. For example, you can restrict traffic based on a specific list of IP addresses or on a list of countries.

By using this pattern and the associated code repository, you can use the AWS Cloud Development Kit (AWS CDK) to deploy AWS WAF web ACLs with custom rules. These rules restrict access to web application resources based on the end user's IP address or geolocation. You can also optionally attach several managed rule groups.

Prerequisites and limitations

Prerequisites

Limitations

  • You can use this pattern only in AWS Regions where AWS WAF is available. For Region availability, see AWS services by Region.

Tools

AWS services

  • AWS Cloud Development Kit (AWS CDK) is a software development framework that helps you define and provision AWS Cloud infrastructure in code.

  • AWS WAF is a web application firewall that helps you monitor HTTP and HTTPS requests that are forwarded to your protected web application resources.

Code repository

The code for this pattern is available in the GitHub IP and geolocation restriction with AWS WAF repository. The code deploys two AWS WAF web ACLs. The first is a regional web ACL that is intended for Amazon API Gateway resources. The second is a global web ACL for Amazon CloudFront resources. Both web ACLs contain the following custom rules:

  • IPMatch blocks requests from non-allowed IP addresses.

  • GeoMatch blocks requests from non-allowed countries.

During deployment, you can optionally attach all of the following managed rule groups to your web ACLs:

  • Core rule set (CRS) – This rule group contains rules that are generally applicable to web applications. It helps protect against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities described in OWASP publications, such as OWASP Top 10.

  • Admin protection – This rule group contains rules that help you block external access to exposed administrative pages.

  • Known bad inputs – This rule group helps block request patterns that are known to be invalid and are associated with the exploitation or discovery of vulnerabilities.

  • Amazon IP reputation list – This rule group contains rules that are based on Amazon internal threat intelligence. It helps you block IP addresses that are typically associated with bots or other threats.

  • Linux operating system managed rule group – This rule group helps block request patterns that are associated with the exploitation of Linux vulnerabilities, including Linux-specific Local File Inclusion (LFI) attacks.

  • SQL database managed rule group – This rule group helps block request patterns that are associated with the exploitation of SQL databases, such as SQL injection attacks.

Epics

Task | Description | Skills required

Clone the repository.

Enter the following command to clone the IP and geolocation restriction with AWS WAF repository to your local workstation:

git clone https://github.com/aws-samples/ip-and-geolocation-restriction-with-waf-cdk.git
Skills required: Git

Configure the rules.

  1. In the cloned repository, open the app.py file.

  2. Modify the values of the following variables to customize the rules:

    aws_account = "AWS_ACCOUNT"
    region = "AWS_REGION"
    ip_list = ["CIDR_RANGE_1", "CIDR_RANGE_2"]
    geo_list = ["COUNTRY_CODE_1", "COUNTRY_CODE_2"]
    aws_managed_rules = True

    Where:

    • aws_account is the ID of the target AWS account.

    • region is the target AWS Region for the web ACL for API Gateway resources.

      Note: The web ACL for CloudFront resources is global and will be deployed in the us-east-1 Region.

    • ip_list is the list of CIDR ranges that are allowed access.

    • geo_list is the list of countries that are allowed access. For valid values, see the AWS WAF documentation.

    • aws_managed_rules controls whether the managed rule groups are added to the web ACL. If this value is True, they are added. If this value is False, they are excluded.

  3. Save and close the app.py file.

Skills required: General AWS, Python

Task | Description | Skills required
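As an added example (not code from the pattern's repository), this shows how the ip_list and geo_list values configured above become the IPMatch and GeoMatch rule definitions described under Code repository, in the JSON shape that AWS WAFv2 expects, and validates the inputs before deployment so that a bad CIDR range or country code fails early rather than at cdk deploy time. The IP set ARNs are hypothetical placeholders; in the stack they come from the IP set resources.

```python
import ipaddress
import re

# Constructed sample values in the shape of the app.py variables (not from the repository)
IP_LIST = ["203.0.113.0/24", "2001:db8::/32"]
GEO_LIST = ["US", "FR"]
# Hypothetical placeholders: in the stack the IP set ARNs come from the IPSet resources
IPSET_ARNS = {"IPV4": "arn:aws:wafv2:PLACEHOLDER:ipset/allowed-v4",
              "IPV6": "arn:aws:wafv2:PLACEHOLDER:ipset/allowed-v6"}

_COUNTRY_RE = re.compile(r"^[A-Z]{2}$")  # ISO 3166-1 alpha-2, as WAF GeoMatch expects

def split_cidrs(ip_list):
    """Validate each CIDR and group by version: a WAF IP set holds IPv4 or IPv6, not both."""
    v4, v6 = [], []
    for cidr in ip_list:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError on typos or host bits set
        (v4 if net.version == 4 else v6).append(str(net))
    return v4, v6

def validate_countries(geo_list):
    bad = [c for c in geo_list if not _COUNTRY_RE.match(c)]
    if bad:
        raise ValueError(f"country codes must be two-letter uppercase, got {bad}")
    return list(geo_list)

def _block_unless(name, priority, statement):
    # Allow-list semantics: block every request the inner statement does NOT match.
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"NotStatement": {"Statement": statement}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }

def ip_match_rule(ip_list, ipset_arns, priority=0):
    v4, v6 = split_cidrs(ip_list)
    refs = [{"IPSetReferenceStatement": {"Arn": ipset_arns[ver]}}
            for ver, addrs in (("IPV4", v4), ("IPV6", v6)) if addrs]
    if not refs:
        raise ValueError("ip_list must contain at least one CIDR range")
    # OrStatement needs two or more statements, so use a single reference directly
    inner = refs[0] if len(refs) == 1 else {"OrStatement": {"Statements": refs}}
    return _block_unless("IPMatch", priority, inner)

def geo_match_rule(geo_list, priority=1):
    inner = {"GeoMatchStatement": {"CountryCodes": validate_countries(geo_list)}}
    return _block_unless("GeoMatch", priority, inner)
```

Because both rules use Block inside a NotStatement, a request that matches neither rule's inner statement is blocked twice over; the web ACL's default action still decides what happens to requests that pass both rules.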

Bootstrap your AWS environment.

If not already done, you need to bootstrap your AWS environment before you can deploy the AWS CDK application.

  1. In the AWS CDK CLI, enter the following command to bootstrap the us-east-1 Region:

    cdk bootstrap aws://<account-id>/us-east-1

  2. If you're deploying the web ACL for API Gateway in a Region other than us-east-1, enter the following command to bootstrap the target Region:

    cdk bootstrap aws://<account-id>/<region>

Skills required: General AWS

Deploy the AWS CDK application.

  1. Enter the following command to deploy the AWS CDK application:

    cdk deploy --all

  2. Wait until the AWS CloudFormation stack deployment is complete.

Skills required: General AWS

Task | Description | Skills required

Confirm that the web ACLs successfully deployed.

  1. Sign in to the AWS Management Console, and then open the AWS WAF console.

  2. In the navigation pane, choose Web ACLs.

  3. In the list of AWS Regions, choose Global (CloudFront).

  4. Verify that the new CloudFront web ACL was deployed, and confirm that it has the IP address and geolocation rules that you defined. The default name of this web ACL is WebACLCloudfront-<ID>.

  5. In the list of AWS Regions, choose the Region in which you deployed the stack.

  6. Verify that a new web ACL for API Gateway resources was deployed. Confirm that it has the IP address and geolocation rules that you defined. The default name of this web ACL is WebACLApiGW-<ID>.

Skills required: General AWS

(Optional) Associate the web ACLs with your resources.

Associate the AWS WAF web ACLs with your AWS resources, such as an Application Load Balancer, API Gateway, or CloudFront distribution. For instructions, see Associating or disassociating a web ACL with an AWS resource. For an example, see class CfnWebACLAssociation (construct) in the AWS CDK documentation.

Skills required: General AWS

Task | Description | Skills required

Delete the stacks.

  1. Disassociate the web ACL from any AWS resources. For instructions, see the AWS WAF documentation.

  2. In the AWS CDK CLI, enter the following command to delete the AWS CDK application:

    cdk destroy --all

Skills required: General AWS

Related resources