部署注意事项 - AWS WAF 的安全自动化
AWS WAF 规则Web ACL 流量记录对请求组件进行超大处理多种解决方案部署部署的最低角色权限(可选)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

部署注意事项

以下各节提供了实施此解决方案的限制和注意事项。

AWS WAF 规则

此解决方案生成的 Web ACL 旨在为 Web 应用程序提供全面保护。该解决方案提供了一组 AWS 托管规则和自定义规则,您可以将其添加到 Web ACL 中。要包含规则,请在启动 CloudFormation 堆栈时选择yes相关参数。参见步骤 1。启动堆栈以获取参数列表。

注意

该 out-of-box解决方案不支持 AWS Firewall Manager。如果要使用 Firewall Manager 中的规则,我们建议您对其源代码进行自定义。

Web ACL 流量记录

如果您在美国东部(弗吉尼亚北部)以外的 AWS 区域创建堆栈并将终端节点设置为CloudFront,则必须将 “激活 HTTP 防洪保护” 设置为noyes - AWS WAF rate based rule

其他两个选项(yes - AWS Lambda log parseryes - Amazon Athena log parser)需要在所有 AWS 边缘站点上运行的 Web ACL 上激活 AWS WAF 日志,但美国东部(弗吉尼亚北部)以外地区不支持此操作。有关记录 Web ACL 流量的更多信息,请参阅 AWS WAF 开发人员指南

对请求组件进行超大处理

AWS WAF 不支持检查网络请求组件的正文、标头或 Cookie 中的超大内容。当您编写检查其中一种请求组件类型的规则语句时,您可以选择以下选项之一来告诉 AWS WAF 如何处理这些请求:

  • yes(继续)-根据规则检查标准正常检查请求组件。AWS WAF 会检查大小限制范围内的请求组件内容。这是解决方案中使用的默认选项。

  • yes - MATCH – 将 Web 请求视为与规则语句匹配。AWS WAF 将规则操作应用于请求,而不根据规则的检查标准对其进行评估。对于带有Block操作的规则,这会阻止带有超大组件的请求。

  • yes - NO_MATCH-将 Web 请求视为与规则声明不匹配,而不根据规则的检查标准对其进行评估。AWS WAF 继续使用网络 ACL 中的其余规则来检查 Web 请求,就像它对待任何不匹配的规则一样。

有关更多信息,请参阅在 AWS WAF 中处理超大的 Web 请求组件

多种解决方案部署

您可以在同一个账户和区域中多次部署该解决方案。您必须为每个部署使用唯一的 CloudFormation 堆栈名称和 Amazon S3 存储桶名称。每次单独部署都会产生额外费用,并且受每个区域每个账户的 AWS WAF 配额限制。

部署的最低角色权限(可选)

客户可以手动创建具有部署所需最低权限的 IAM 角色:

  • WAF 权限

        {
            "Effect": "Allow",
            "Action": [
                "wafv2:CreateWebACL",
                "wafv2:UpdateWebACL",
                "wafv2:DeleteWebACL",
                "wafv2:GetWebACL",
                "wafv2:ListWebACLs",
                "wafv2:CreateIPSet",
                "wafv2:UpdateIPSet",
                "wafv2:DeleteIPSet",
                "wafv2:GetIPSet",
                "wafv2:AssociateWebACL",
                "wafv2:DisassociateWebACL",
                "wafv2:PutLoggingConfiguration",
                "wafv2:DeleteLoggingConfiguration",
                "wafv2:ListWebACLs",
                "wafv2:ListIPSets",
                "wafv2:ListTagsForResource"
            ],
            "Resource": [
                "arn:aws:wafv2:*:*:regional/webacl/*",
                "arn:aws:wafv2:*:*:regional/ipset/*",
                "arn:aws:wafv2:*:*:global/webacl/*",
                "arn:aws:wafv2:*:*:global/ipset/*"
            ]
        }

  • Lambda 权限

        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:RemovePermission"
            ],
            "Resource": "arn:aws:lambda:*:*:function:*"
        }

  • Firehose 权限

        {
            "Effect": "Allow",
            "Action": [
                "firehose:CreateDeliveryStream",
                "firehose:DeleteDeliveryStream",
                "firehose:DescribeDeliveryStream",
                "firehose:StartDeliveryStreamEncryption",
                "firehose:StopDeliveryStreamEncryption",
                "firehose:UpdateDestination"
            ],
            "Resource": "arn:aws:firehose:*:*:deliverystream/*"
        }

  • S3 权限

        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucketPolicy",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetObject",
                "s3:PutBucketAcl",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketVersioning",
                "s3:PutEncryptionConfiguration",
                "s3:PutObject",
                "s3:PutBucketTagging",
                "s3:PutLifecycleConfiguration",
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:PutBucketLogging",
                "s3:GetBucketLogging"
            ],
            "Resource": "arn:aws:s3:::*"
        }

  • Athena 权限

        {
            "Effect": "Allow",
            "Action": [
                "athena:CreateWorkGroup",
                "athena:DeleteWorkGroup",
                "athena:GetWorkGroup",
                "athena:UpdateWorkGroup",
                "athena:StartQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:StopQueryExecution"
            ],
            "Resource": "arn:aws:athena:*:*:workgroup/WAF*"
        }

  • Glue 权限

        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateDatabase",
                "glue:DeleteDatabase",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:UpdateDatabase",
                "glue:CreateTable",
                "glue:DeleteTable",
                "glue:GetTable",
                "glue:GetTables",
                "glue:UpdateTable"
            ],
            "Resource": [
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*",
                "arn:aws:glue:*:*:table/*/*",
                "arn:aws:glue:*:*:userDefinedFunction/*"
            ]
        }

  • CloudWatch 日志权限

        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/lambda/*",
                "arn:aws:logs:*:*:log-group:*",
                "arn:aws:logs:*:*:log-group:/aws/kinesisfirehose/*"
            ]
        }

  • CloudWatch 权限

        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DeleteDashboards",
                "cloudwatch:GetDashboard",
                "cloudwatch:ListDashboards",
                "cloudwatch:PutDashboard",
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*"
        }

  • SNS 权限

        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:SetTopicAttributes"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        }

  • DynamoDB 权限

        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "dynamodb:PutItem",
                "dynamodb:GetItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/*"
        }

  • CloudFormation 权限

        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateStack",
                "cloudformation:ListStacks"
            ],
            "Resource": "arn:aws:cloudformation:*:*:stack/*/*"
        }

  • Service Catalog 应用程序注册表权限

        {
            "Effect": "Allow",
            "Action": [
                "servicecatalog:CreateApplication",
                "servicecatalog:DeleteApplication",
                "servicecatalog:GetApplication",
                "servicecatalog:TagResource",
                "servicecatalog:CreateAttributeGroup",
                "servicecatalog:DeleteAttributeGroup",
                "servicecatalog:GetAttributeGroup",
                "servicecatalog:AssociateAttributeGroup",
                "servicecatalog:DisassociateAttributeGroup",
                "servicecatalog:AssociateResource",
                "servicecatalog:DisassociateResource"
            ],
            "Resource": "arn:aws:servicecatalog:*:*:*"
        }

  • X-Ray 权限

        {
            "Effect": "Allow",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
            ],
            "Resource": "*"
        }

  • IAM 权限

        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListRoles",
                "iam:PassRole",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/*"
        }

  • EventBridge 权限

        {
            "Effect": "Allow",
            "Action": [
                "events:PutTargets",
                "events:RemoveTargets",
                "events:DescribeRule",
                "events:EnableRule",
                "events:ListRules",
                "events:PutRule",
                "events:DeleteRule",
                "events:ListEventSources",
                "events:DescribeEventSource",
                "events:ActivateEventSource",
                "events:DeactivateEventSource"
            ],
            "Resource": "arn:aws:events:*:*:rule/*"
        }