Deployment considerations - Security Automations for AWS WAF

This page is a machine translation of the English original; where the two differ, the English version prevails.

Deployment considerations

The following sections describe the limitations and considerations that apply when you implement this solution.

AWS WAF rules

The web ACL generated by this solution is designed to give a web application broad protection. The solution supplies a set of AWS Managed Rules and custom rules that you can add to the web ACL. To include a rule, choose "yes" for the corresponding parameter when you launch the CloudFormation stack. See Step 1. Launch the stack for the list of parameters.

Note

Out of the box, the solution does not support AWS Firewall Manager. If you want to use the rules from Firewall Manager, we recommend applying your customizations to the solution's source code.

Web ACL traffic logging

If you create the stack in an AWS Region other than US East (N. Virginia) and set the endpoint to CloudFront, you must set Activate HTTP Flood Protection to "no" or to "yes - AWS WAF rate based rule".

The other two options ("yes - AWS Lambda log parser" and "yes - Amazon Athena log parser") require AWS WAF logging to be enabled on the web ACL that runs at all AWS edge locations, that is, the CloudFront web ACL, and that is not supported outside US East (N. Virginia). A CloudFront web ACL is a global-scope resource managed from us-east-1, so its logging configuration and the log destination it points to must be created there; when checking it with the AWS CLI, query with the CLOUDFRONT scope and the us-east-1 Region. For more information about logging web ACL traffic, see the AWS WAF Developer Guide.

Oversize handling for request components

AWS WAF does not inspect the portion of a web request body, headers, or cookies that exceeds its size limit for that component. When you write a rule statement that inspects one of these component types, you choose one of the following options to tell AWS WAF how to handle requests whose component is oversized:

  • CONTINUE - Inspect the request component normally according to the rule's inspection criteria. AWS WAF inspects only the part of the component that falls within the size limit. This is the default option used by the solution.

  • MATCH - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request without evaluating it against the rule's inspection criteria. For a rule with a Block action, this blocks every request that carries an oversized component.

  • NO_MATCH - Treat the web request as not matching the rule statement, without evaluating it against the rule's inspection criteria. AWS WAF continues inspecting the web request with the remaining rules in the web ACL, as it does for any non-matching rule.

The security consequence of the default is worth stating plainly: with CONTINUE, a payload placed beyond the inspection limit is never seen by the rule, so a large body can be used to slip a signature past it. MATCH closes that gap at the cost of blocking legitimate large requests; NO_MATCH leaves it open but lets later rules decide.

For more information, see Handling oversized web request components in AWS WAF.
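The following is an added example, not code from the solution or from AWS. It builds two otherwise identical AWS WAF v2 rule definitions in the shape accepted by CreateWebACL/UpdateWebACL, differing only in the body's OversizeHandling value, and runs them through a deliberately simplified local model of how AWS WAF applies that setting. The inspection limit (BODY_LIMIT), the marker string, and the request bodies are constructed for the demonstration; real limits depend on the protected resource type and web ACL configuration, and the model is not AWS WAF itself.

```python
"""Added example: OversizeHandling on an AWS WAF v2 ByteMatch rule, with a
simplified local model of how each option changes the outcome.

Assumptions (not from the page): BODY_LIMIT, the "evil-marker" search
string, and the sample request bodies are all constructed for the demo.
"""
import copy
import json

# Assumed inspection limit for the demo; real limits depend on the resource
# type and web ACL configuration (see the AWS WAF Developer Guide).
BODY_LIMIT = 8 * 1024

# A real wafv2 rule shape: block requests whose body contains the marker.
BASE_RULE = {
    "Name": "BlockMarkerInBody",
    "Priority": 1,
    "Statement": {
        "ByteMatchStatement": {
            "SearchString": "evil-marker",  # constructed marker
            "FieldToMatch": {"Body": {"OversizeHandling": "CONTINUE"}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "CONTAINS",
        }
    },
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "BlockMarkerInBody",
    },
}


def rule_with_oversize_handling(handling: str) -> dict:
    """Return a copy of BASE_RULE with the body's OversizeHandling set."""
    if handling not in ("CONTINUE", "MATCH", "NO_MATCH"):
        raise ValueError(f"unsupported OversizeHandling: {handling}")
    rule = copy.deepcopy(BASE_RULE)
    body = rule["Statement"]["ByteMatchStatement"]["FieldToMatch"]["Body"]
    body["OversizeHandling"] = handling
    return rule


def evaluate(rule: dict, body: bytes, limit: int = BODY_LIMIT) -> str:
    """Simplified model of one ByteMatch rule applied to a request body.

    Returns "BLOCK" when the rule's Block action fires and "PASS" when the
    request moves on to the next rule. Only the first `limit` bytes are ever
    inspected; when the body is longer, OversizeHandling decides what happens.
    """
    stmt = rule["Statement"]["ByteMatchStatement"]
    needle = stmt["SearchString"].encode()
    handling = stmt["FieldToMatch"]["Body"]["OversizeHandling"]
    if len(body) > limit:
        if handling == "MATCH":
            return "BLOCK"  # treated as a match: action applied, no inspection
        if handling == "NO_MATCH":
            return "PASS"   # treated as no match: this rule is skipped
        body = body[:limit]  # CONTINUE: inspect only the bytes within the limit
    return "BLOCK" if needle in body else "PASS"


def demo() -> dict:
    """Show that CONTINUE lets a payload placed past the limit through."""
    small = b"user=alice&comment=evil-marker"
    # Constructed oversize body: padding up to the limit, payload after it.
    padded = b"A" * BODY_LIMIT + b"&comment=evil-marker"
    results = {}
    for handling in ("CONTINUE", "MATCH", "NO_MATCH"):
        rule = rule_with_oversize_handling(handling)
        results[handling] = {
            "small": evaluate(rule, small),
            "padded": evaluate(rule, padded),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(rule_with_oversize_handling("MATCH"), indent=2))
    print(json.dumps(demo(), indent=2))
```

Running demo() gives BLOCK for the small body under all three settings, but for the padded body CONTINUE and NO_MATCH both return PASS while only MATCH returns BLOCK. In practice, MATCH with a Block action is the right choice for endpoints that should never receive oversized bodies; for endpoints that legitimately accept large uploads, keep CONTINUE and rely on a separate size-constraint or application-side check rather than on the body rule alone.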

Multiple solution deployments

You can deploy the solution more than once in the same account and Region. Each deployment must use a unique CloudFormation stack name and a unique Amazon S3 bucket name. Every additional deployment incurs additional cost and counts against the AWS WAF quotas for the account in that Region.

Minimum role permissions for deployment (optional)

Customers can manually create an IAM role carrying only the permissions the deployment requires. The statements below make up that policy, one per service:

  • WAF permissions

{
  "Effect": "Allow",
  "Action": [
    "wafv2:CreateWebACL", "wafv2:UpdateWebACL", "wafv2:DeleteWebACL",
    "wafv2:GetWebACL", "wafv2:ListWebACLs", "wafv2:CreateIPSet",
    "wafv2:UpdateIPSet", "wafv2:DeleteIPSet", "wafv2:GetIPSet",
    "wafv2:AssociateWebACL", "wafv2:DisassociateWebACL",
    "wafv2:PutLoggingConfiguration", "wafv2:DeleteLoggingConfiguration",
    "wafv2:ListIPSets", "wafv2:ListTagsForResource"
  ],
  "Resource": [
    "arn:aws:wafv2:*:*:regional/webacl/*",
    "arn:aws:wafv2:*:*:regional/ipset/*",
    "arn:aws:wafv2:*:*:global/webacl/*",
    "arn:aws:wafv2:*:*:global/ipset/*"
  ]
}

  • Lambda permissions

{
  "Effect": "Allow",
  "Action": [
    "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction",
    "lambda:InvokeFunction", "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration", "lambda:AddPermission",
    "lambda:RemovePermission"
  ],
  "Resource": "arn:aws:lambda:*:*:function:*"
}

  • Firehose permissions

{
  "Effect": "Allow",
  "Action": [
    "firehose:CreateDeliveryStream", "firehose:DeleteDeliveryStream",
    "firehose:DescribeDeliveryStream", "firehose:StartDeliveryStreamEncryption",
    "firehose:StopDeliveryStreamEncryption", "firehose:UpdateDestination"
  ],
  "Resource": "arn:aws:firehose:*:*:deliverystream/*"
}

  • S3 permissions

{
  "Effect": "Allow",
  "Action": [
    "s3:CreateBucket", "s3:DeleteBucketPolicy", "s3:GetBucketAcl",
    "s3:GetBucketPolicy", "s3:GetObject", "s3:PutBucketAcl",
    "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock",
    "s3:PutBucketVersioning", "s3:PutEncryptionConfiguration",
    "s3:PutObject", "s3:PutBucketTagging", "s3:PutLifecycleConfiguration",
    "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:ListBucket",
    "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
    "s3:PutBucketLogging", "s3:GetBucketLogging"
  ],
  "Resource": "arn:aws:s3:::*"
}

  • Athena permissions

{
  "Effect": "Allow",
  "Action": [
    "athena:CreateWorkGroup", "athena:DeleteWorkGroup", "athena:GetWorkGroup",
    "athena:UpdateWorkGroup", "athena:StartQueryExecution",
    "athena:GetQueryExecution", "athena:GetQueryResults",
    "athena:StopQueryExecution"
  ],
  "Resource": "arn:aws:athena:*:*:workgroup/WAF*"
}

  • Glue permissions

{
  "Effect": "Allow",
  "Action": [
    "glue:CreateDatabase", "glue:DeleteDatabase", "glue:GetDatabase",
    "glue:GetDatabases", "glue:UpdateDatabase", "glue:CreateTable",
    "glue:DeleteTable", "glue:GetTable", "glue:GetTables", "glue:UpdateTable"
  ],
  "Resource": [
    "arn:aws:glue:*:*:catalog",
    "arn:aws:glue:*:*:database/*",
    "arn:aws:glue:*:*:table/*/*",
    "arn:aws:glue:*:*:userDefinedFunction/*"
  ]
}

  • CloudWatch Logs permissions

{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:DeleteLogGroup", "logs:DeleteLogStream", "logs:PutRetentionPolicy",
    "logs:DescribeLogGroups"
  ],
  "Resource": [
    "arn:aws:logs:*:*:log-group:/aws/lambda/*",
    "arn:aws:logs:*:*:log-group:*",
    "arn:aws:logs:*:*:log-group:/aws/kinesisfirehose/*"
  ]
}

  • CloudWatch permissions

{
  "Effect": "Allow",
  "Action": [
    "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard",
    "cloudwatch:ListDashboards", "cloudwatch:PutDashboard",
    "cloudwatch:PutMetricData"
  ],
  "Resource": "*"
}

  • SNS permissions

{
  "Effect": "Allow",
  "Action": [
    "sns:CreateTopic", "sns:DeleteTopic", "sns:Subscribe",
    "sns:Unsubscribe", "sns:SetTopicAttributes"
  ],
  "Resource": "arn:aws:sns:*:*:*"
}

  • DynamoDB permissions

{
  "Effect": "Allow",
  "Action": [
    "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:DescribeTable",
    "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:UpdateItem",
    "dynamodb:DeleteItem"
  ],
  "Resource": "arn:aws:dynamodb:*:*:table/*"
}

  • CloudFormation permissions

{
  "Effect": "Allow",
  "Action": [
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "cloudformation:DescribeStacks", "cloudformation:UpdateStack",
    "cloudformation:ListStacks"
  ],
  "Resource": "arn:aws:cloudformation:*:*:stack/*/*"
}

  • Service Catalog AppRegistry permissions

{
  "Effect": "Allow",
  "Action": [
    "servicecatalog:CreateApplication", "servicecatalog:DeleteApplication",
    "servicecatalog:GetApplication", "servicecatalog:TagResource",
    "servicecatalog:CreateAttributeGroup", "servicecatalog:DeleteAttributeGroup",
    "servicecatalog:GetAttributeGroup", "servicecatalog:AssociateAttributeGroup",
    "servicecatalog:DisassociateAttributeGroup", "servicecatalog:AssociateResource",
    "servicecatalog:DisassociateResource"
  ],
  "Resource": "arn:aws:servicecatalog:*:*:*"
}

  • X-Ray permissions

{
  "Effect": "Allow",
  "Action": [
    "xray:PutTraceSegments", "xray:PutTelemetryRecords"
  ],
  "Resource": "*"
}

  • IAM permissions

{
  "Effect": "Allow",
  "Action": [
    "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole",
    "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy",
    "iam:GetRole", "iam:GetRolePolicy", "iam:ListRoles", "iam:PassRole",
    "iam:PutRolePolicy"
  ],
  "Resource": "arn:aws:iam::*:role/*"
}

  • EventBridge permissions

{
  "Effect": "Allow",
  "Action": [
    "events:PutTargets", "events:RemoveTargets", "events:DescribeRule",
    "events:EnableRule", "events:ListRules", "events:PutRule",
    "events:DeleteRule", "events:ListEventSources",
    "events:DescribeEventSource", "events:ActivateEventSource",
    "events:DeactivateEventSource"
  ],
  "Resource": "arn:aws:events:*:*:rule/*"
}
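Two of the statements above deserve a second look before the role is created. The IAM statement grants iam:PassRole on arn:aws:iam::*:role/*, which lets the deployer hand any role in the account to any service; restricting it with an iam:PassedToService condition keeps it usable for the stack while removing that latitude. The same statement lists iam:CreatePolicy, but that action operates on policy ARNs (arn:aws:iam::account:policy/...), so under a role/* resource it grants nothing usable and should get its own statement with a policy resource if the deployment needs it. The script below is an added example, not part of the solution: it assembles statements of the shape shown above into one policy document, de-duplicates actions, flags iam:PassRole granted on a wildcard resource without a condition, and splits it out into a conditioned statement. Only the IAM and CloudWatch statements from this page are embedded to keep the block short; the others drop into STATEMENTS unchanged. The services named in the condition (Lambda and Firehose) are an assumption based on both services appearing in the permission list, and should be verified against the template you deploy.

```python
"""Added example: assemble the per-service statements from this page into one
IAM policy document and check it for the points raised above.

Assumptions (not from the page): only the IAM and CloudWatch statements are
embedded; the PassedToService services are assumed from the permission list.
"""
import json

# The IAM and CloudWatch statements from this page, as published.
STATEMENTS = [
    {
        "Effect": "Allow",
        "Action": ["iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole",
                   "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy",
                   "iam:GetRole", "iam:GetRolePolicy", "iam:ListRoles",
                   "iam:PassRole", "iam:PutRolePolicy"],
        "Resource": "arn:aws:iam::*:role/*",
    },
    {
        "Effect": "Allow",
        "Action": ["cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard",
                   "cloudwatch:ListDashboards", "cloudwatch:PutDashboard",
                   "cloudwatch:PutMetricData"],
        "Resource": "*",
    },
]

# Assumed: the services the stack passes roles to (verify against the template).
DEFAULT_PASS_TO = ("lambda.amazonaws.com", "firehose.amazonaws.com")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_policy(statements):
    """Return a policy document with actions de-duplicated and sorted and
    exact-duplicate statements dropped."""
    seen, out = set(), []
    for s in statements:
        stmt = {"Effect": s["Effect"],
                "Action": sorted(set(_as_list(s["Action"]))),
                "Resource": s["Resource"]}
        if "Condition" in s:
            stmt["Condition"] = s["Condition"]
        key = json.dumps(stmt, sort_keys=True)
        if key not in seen:
            seen.add(key)
            out.append(stmt)
    return {"Version": "2012-10-17", "Statement": out}


def lint(policy):
    """Return (statement index, finding) pairs for things to tighten:
    wildcard actions, and iam:PassRole on a wildcard resource with no Condition."""
    findings = []
    for i, s in enumerate(policy["Statement"]):
        wildcard_res = any(r == "*" or r.endswith("/*") for r in _as_list(s["Resource"]))
        for a in s["Action"]:
            if a == "*" or a.endswith(":*"):
                findings.append((i, f"wildcard action {a}"))
            if a == "iam:PassRole" and wildcard_res and "Condition" not in s:
                findings.append((i, "iam:PassRole on wildcard resource without a Condition"))
    return findings


def tighten_passrole(policy, services=DEFAULT_PASS_TO):
    """Move iam:PassRole into its own statement restricted by iam:PassedToService."""
    new = {"Version": policy["Version"], "Statement": []}
    for s in policy["Statement"]:
        if "iam:PassRole" in s["Action"]:
            rest = [a for a in s["Action"] if a != "iam:PassRole"]
            new["Statement"].append({**s, "Action": rest})
            new["Statement"].append({
                "Effect": "Allow",
                "Action": ["iam:PassRole"],
                "Resource": s["Resource"],
                "Condition": {"StringEquals": {"iam:PassedToService": list(services)}},
            })
        else:
            new["Statement"].append(s)
    return new


if __name__ == "__main__":
    policy = build_policy(STATEMENTS)
    for idx, msg in lint(policy):
        print(f"statement {idx}: {msg}")
    print(json.dumps(tighten_passrole(policy), indent=2))
```

Run against the two embedded statements, lint() reports the PassRole finding on statement 0 and nothing else; after tighten_passrole() the policy has three statements and lint() is clean. Feeding the resulting document through IAM Access Analyzer policy validation before attaching it is still worthwhile, since this script checks only the two points discussed above.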