-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathwaf.tf
More file actions
260 lines (227 loc) · 6.15 KB
/
waf.tf
File metadata and controls
260 lines (227 loc) · 6.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
resource "aws_cloudwatch_log_group" "waf_logs" {
name = "aws-waf-logs-${var.env_name}-flex-gateway"
retention_in_days = 14
}
resource "aws_wafv2_web_acl_logging_configuration" "main" {
log_destination_configs = [aws_cloudwatch_log_group.waf_logs.arn]
resource_arn = aws_wafv2_web_acl.main.arn
logging_filter {
default_behavior = "DROP"
filter {
behavior = "KEEP"
condition {
action_condition {
action = "BLOCK"
}
}
requirement = "MEETS_ANY"
}
}
}
resource "aws_wafv2_web_acl" "main" {
name = "${var.app_name}-${var.env_name}-flex-waf"
description = "Flex gateway WAF for rate limiting, bot control, and anonymous IP CAPTCHA"
scope = "REGIONAL"
default_action {
allow {}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "flex_waf"
sampled_requests_enabled = true
}
custom_response_body {
key = "CartoRateLimitError"
content = jsonencode({
error = "Too Many Requests"
message = "You have exceeded the rate limit for /carto-legacy/"
})
content_type = "APPLICATION_JSON"
}
##########################
# 0. Atlas Carto bypass, allow a higher limit than we normally would for carto
rule {
name = "Atlas-carto-rate-limit"
priority = 4
action {
block {
# Return 429 (Too Many Requests) with the custom JSON
custom_response {
response_code = 429
custom_response_body_key = "CartoRateLimitError"
}
}
}
statement {
rate_based_statement {
limit = 200 # per 5 minutes
aggregate_key_type = "IP"
scope_down_statement {
and_statement {
# Condition 1: Header Match
statement {
byte_match_statement {
search_string = "https://atlas.phila.gov/"
field_to_match {
single_header {
name = "origin"
}
}
positional_constraint = "EXACTLY"
text_transformation {
priority = 0
type = "LOWERCASE"
}
}
}
# Condition 2: URI Path Match
statement {
byte_match_statement {
search_string = "/carto-legacy/"
field_to_match {
uri_path {}
}
positional_constraint = "STARTS_WITH"
text_transformation {
priority = 0
type = "NONE"
}
}
}
} # End of and_statement
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "FlexCartoAtlasRateLimit"
sampled_requests_enabled = true
}
}
##########################
# 1. DDoS Protection (Rate-Based)
rule {
name = "RateLimit-DDoS"
priority = 10
action {
block {}
}
statement {
rate_based_statement {
limit = 5000 # per 5 minutes
aggregate_key_type = "IP"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "FlexRateLimit"
sampled_requests_enabled = true
}
}
##########################
# 2. Anonymous IP List (VPNs, Proxies, Tor) -> CAPTCHA
rule {
name = "AWS-AnonymousIP"
priority = 20
override_action {
none {} # Required when using rule_action_overrides
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesAnonymousIpList"
vendor_name = "AWS"
# Force CAPTCHA on the specific rule inside the group
rule_action_override {
name = "AnonymousIPList"
action_to_use {
captcha {}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "FlexAnonymousIP"
sampled_requests_enabled = true
}
}
##########################
# 3. Bot Control -> CAPTCHA
rule {
name = "AWS-BotControl"
priority = 30
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesBotControlRuleSet"
vendor_name = "AWS"
# Apply CAPTCHA to specific bot categories (Example: CategoryBot)
rule_action_override {
name = "CategoryBot"
action_to_use {
captcha {}
}
}
scope_down_statement {
byte_match_statement {
search_string = "/carto-legacy/"
field_to_match {
uri_path {}
}
positional_constraint = "STARTS_WITH"
text_transformation {
priority = 0
type = "NONE"
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "FlexBotControl"
sampled_requests_enabled = true
}
}
##########################
# 4. Carto rate-limit
rule {
name = "RateLimit-Carto-Aggressive"
priority = 5
action {
block {
# Return 429 (Too Many Requests) with the custom JSON
custom_response {
response_code = 429
custom_response_body_key = "CartoRateLimitError"
}
}
}
statement {
rate_based_statement {
limit = 10 # per 5 minutes
aggregate_key_type = "IP"
scope_down_statement {
byte_match_statement {
search_string = "/carto-legacy/"
positional_constraint = "STARTS_WITH"
field_to_match {
uri_path {}
}
text_transformation {
priority = 0
type = "NONE"
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "FlexCartoBotControl"
sampled_requests_enabled = true
}
}
}