This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.

By default, the credential check that the AWSManagedRulesACFPRuleSet rule group performs handles compromised credentials by labeling the request and blocking it. For details about the rule group and its rule behavior, see AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group.

To notify users that the account credentials they provided have been compromised, you can do the following:
- Override the SignalCredentialCompromised rule to Count. This causes the rule to only count and label matching requests.
- Add a label match rule with custom handling. Configure this rule to match the ACFP label and perform your custom handling.
The following web ACL listing shows the ACFP managed rule group from the previous example, with the SignalCredentialCompromised rule action overridden to Count. With this configuration, when the rule group evaluates a web request that uses compromised credentials, it labels the request but does not block it.

In addition, the web ACL now has a custom response body named aws-waf-credential-compromised and a new rule named AccountSignupCompromisedCredentialsHandling. The new rule's priority is set to a higher number than the rule group's, so it runs after the rule group in the web ACL evaluation. The new rule matches any request that carries the rule group's compromised-credentials label. When it finds a match, it applies a Block action to the request with the custom response body. The custom response body informs the end user that their credentials have been compromised and suggests corrective action.
```json
{
  "Name": "compromisedCreds",
  "Id": "... ",
  "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/compromisedCreds/...",
  "DefaultAction": {
    "Allow": {}
  },
  "Description": "",
  "Rules": [
    {
      "Name": "AWS-AWSManagedRulesACFPRuleSet",
      "Priority": 0,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesACFPRuleSet",
          "ManagedRuleGroupConfigs": [
            {
              "AWSManagedRulesACFPRuleSet": {
                "CreationPath": "/web/signup/submit-registration",
                "RegistrationPagePath": "/web/signup/registration",
                "RequestInspection": {
                  "PayloadType": "JSON",
                  "UsernameField": {
                    "Identifier": "/form/username"
                  },
                  "PasswordField": {
                    "Identifier": "/form/password"
                  },
                  "EmailField": {
                    "Identifier": "/form/email"
                  },
                  "PhoneNumberFields": [
                    {
                      "Identifier": "/form/country-code"
                    },
                    {
                      "Identifier": "/form/region-code"
                    },
                    {
                      "Identifier": "/form/phonenumber"
                    }
                  ],
                  "AddressFields": [
                    {
                      "Identifier": "/form/name"
                    },
                    {
                      "Identifier": "/form/street-address"
                    },
                    {
                      "Identifier": "/form/city"
                    },
                    {
                      "Identifier": "/form/state"
                    },
                    {
                      "Identifier": "/form/zipcode"
                    }
                  ]
                },
                "EnableRegexInPath": false
              }
            }
          ],
          "RuleActionOverrides": [
            {
              "Name": "SignalCredentialCompromised",
              "ActionToUse": {
                "Count": {}
              }
            }
          ]
        }
      },
      "OverrideAction": {
        "None": {}
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AWS-AWSManagedRulesACFPRuleSet"
      }
    },
    {
      "Name": "AccountSignupCompromisedCredentialsHandling",
      "Priority": 1,
      "Statement": {
        "LabelMatchStatement": {
          "Scope": "LABEL",
          "Key": "awswaf:managed:aws:acfp:signal:credential_compromised"
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 406,
            "CustomResponseBodyKey": "aws-waf-credential-compromised",
            "ResponseHeaders": [
              {
                "Name": "aws-waf-credential-compromised",
                "Value": "true"
              }
            ]
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AccountSignupCompromisedCredentialsHandling"
      }
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "compromisedCreds"
  },
  "Capacity": 51,
  "ManagedByFirewallManager": false,
  "RetrofittedByFirewallManager": false,
  "LabelNamespace": "awswaf:111122223333:webacl:compromisedCreds:",
  "CustomResponseBodies": {
    "aws-waf-credential-compromised": {
      "ContentType": "APPLICATION_JSON",
      "Content": "{\n \"credentials-compromised\": \"The credentials you provided have been found in a compromised credentials database.\\n\\nTry again with a different username, password pair.\"\n}"
    }
  }
}
```
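The pattern above only works if three things line up: the SignalCredentialCompromised override must be Count (otherwise the rule group still blocks and the label handler never runs), the label match rule must carry a higher priority number than the rule group (labels are only visible to rules evaluated later), and the CustomResponseBodyKey must exist in CustomResponseBodies. The following is an added example, not code from the AWS documentation or from the AWS WAF service, that checks those invariants on a web ACL definition in the JSON shape shown in the listing. The `SAMPLE_WEB_ACL` is a constructed, trimmed copy of that listing, and the function names are this example's own.

```python
import copy
import json

ACFP_COMPROMISED_LABEL = "awswaf:managed:aws:acfp:signal:credential_compromised"
ACFP_RULE_GROUP = "AWSManagedRulesACFPRuleSet"
SIGNAL_RULE = "SignalCredentialCompromised"

# Constructed, trimmed web ACL in the same shape as the listing above
# (ManagedRuleGroupConfigs and VisibilityConfig omitted; they do not affect the checks).
SAMPLE_WEB_ACL = {
    "Name": "compromisedCreds",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {
            "Name": "AWS-AWSManagedRulesACFPRuleSet",
            "Priority": 0,
            "Statement": {
                "ManagedRuleGroupStatement": {
                    "VendorName": "AWS",
                    "Name": ACFP_RULE_GROUP,
                    "RuleActionOverrides": [
                        {"Name": SIGNAL_RULE, "ActionToUse": {"Count": {}}}
                    ],
                }
            },
            "OverrideAction": {"None": {}},
        },
        {
            "Name": "AccountSignupCompromisedCredentialsHandling",
            "Priority": 1,
            "Statement": {
                "LabelMatchStatement": {"Scope": "LABEL", "Key": ACFP_COMPROMISED_LABEL}
            },
            "Action": {
                "Block": {
                    "CustomResponse": {
                        "ResponseCode": 406,
                        "CustomResponseBodyKey": "aws-waf-credential-compromised",
                    }
                }
            },
        },
    ],
    "CustomResponseBodies": {
        "aws-waf-credential-compromised": {
            "ContentType": "APPLICATION_JSON",
            "Content": "{\"credentials-compromised\": \"The credentials you provided have been found in a compromised credentials database.\"}",
        }
    },
}


def find_acfp_rule(web_acl):
    """Return the rule that references the ACFP managed rule group, or None."""
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if stmt and stmt.get("VendorName") == "AWS" and stmt.get("Name") == ACFP_RULE_GROUP:
            return rule
    return None


def signal_rule_is_counted(acfp_rule):
    """True if SignalCredentialCompromised is overridden to Count in the rule group reference."""
    stmt = acfp_rule["Statement"]["ManagedRuleGroupStatement"]
    for override in stmt.get("RuleActionOverrides", []):
        if override.get("Name") == SIGNAL_RULE:
            return "Count" in override.get("ActionToUse", {})
    return False  # no override present: the rule keeps its default Block action


def find_label_handler(web_acl):
    """Return the rule whose LabelMatchStatement matches the compromised-credential label."""
    for rule in web_acl.get("Rules", []):
        lm = rule.get("Statement", {}).get("LabelMatchStatement")
        if lm and lm.get("Scope") == "LABEL" and lm.get("Key") == ACFP_COMPROMISED_LABEL:
            return rule
    return None


def check_web_acl(web_acl):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    acfp = find_acfp_rule(web_acl)
    if acfp is None:
        return ["no reference to AWSManagedRulesACFPRuleSet found"]
    if not signal_rule_is_counted(acfp):
        findings.append("SignalCredentialCompromised is not overridden to Count")
    handler = find_label_handler(web_acl)
    if handler is None:
        findings.append("no LabelMatchStatement rule for " + ACFP_COMPROMISED_LABEL)
        return findings
    # A label is only visible to rules that run after the rule that added it,
    # which in a web ACL means a higher priority number.
    if handler["Priority"] <= acfp["Priority"]:
        findings.append("label handler must have a higher Priority number than the rule group")
    block = handler.get("Action", {}).get("Block")
    if block is None:
        findings.append("label handler does not use a Block action")
    else:
        key = block.get("CustomResponse", {}).get("CustomResponseBodyKey")
        if key and key not in web_acl.get("CustomResponseBodies", {}):
            findings.append("CustomResponseBodyKey %r has no CustomResponseBodies entry" % key)
    return findings


def without_override(web_acl):
    """Deep copy of web_acl with the Count override removed, to show a failing check."""
    clone = copy.deepcopy(web_acl)
    find_acfp_rule(clone)["Statement"]["ManagedRuleGroupStatement"]["RuleActionOverrides"] = []
    return clone


if __name__ == "__main__":
    print(json.dumps(check_web_acl(SAMPLE_WEB_ACL), indent=2))
    print(json.dumps(check_web_acl(without_override(SAMPLE_WEB_ACL)), indent=2))
```

The same checks apply to a web ACL fetched with `aws wafv2 get-web-acl`, whose `WebACL` member has this shape; running them in a deployment pipeline catches the common mistake of adding the label handler while leaving the rule group's own Block action in place, which silently discards the custom response.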