Overview

To use WafCharm, we recommend granting it full access to AWS WAF and read access to S3 through IAM. This article covers two approaches: attaching the Managed Policies prepared by AWS, and attaching Custom Policies with only the necessary permissions for those who, for security reasons, do not want to grant full access to WAF.

Contents:

  1. Access permissions required to use WafCharm (Managed Policy)
  2. Attaching Custom Policy to AWS WAF
  3. Attaching Custom Policy to S3
  4. Summary

1. Access permissions required to use WafCharm (Managed Policy)

1-1. Open the IAM service page.

1-2. On the IAM service page, select "Users" from the submenu.

1-3. Click the AWS WAF user registered in WafCharm.

1-4. Make sure that "AWSWAFFullAccess" and "AmazonS3ReadOnlyAccess" are among the attached policies.

If these two Managed Policies are attached, you can use WafCharm without any trouble.

In addition, if you want to grant S3 read permission only for a specific bucket and prefix, adjust the following JSON to your environment and use it as the Custom Policy for S3.  ※As of January 2019

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::<BucketName>",
                "arn:aws:s3:::<BucketName/folder_name>/*"
            ]
        }
    ]
}

2. Attaching Custom Policy to AWS WAF

If you don't want to attach the "AWSWAFFullAccess" policy, attach a policy allowing the following AWS WAF actions to the AWS WAF user registered in WafCharm.

CreateByteMatchSet
CreateIPSet
CreateRule
CreateRateBasedRule
CreateRegexMatchSet
CreateRegexPatternSet
CreateSizeConstraintSet
CreateSqlInjectionMatchSet
CreateXssMatchSet
DeleteByteMatchSet
DeleteIPSet
DeleteRule
DeleteRateBasedRule
DeleteRegexMatchSet
DeleteRegexPatternSet
DeleteSizeConstraintSet
DeleteSqlInjectionMatchSet
DeleteXssMatchSet
GetByteMatchSet
GetChangeToken
GetChangeTokenStatus
GetIPSet
GetRule
GetRateBasedRule
GetRateBasedRuleManagedKeys
GetRegexMatchSet
GetRegexPatternSet
GetSampledRequests
GetSizeConstraintSet
GetSqlInjectionMatchSet
GetWebACL
GetXssMatchSet
ListByteMatchSets
ListIPSets
ListRules
ListRateBasedRules
ListRegexMatchSets
ListRegexPatternSets
ListSizeConstraintSets
ListSqlInjectionMatchSets
ListWebACLs
ListXssMatchSets
UpdateByteMatchSet
UpdateIPSet
UpdateRule
UpdateRateBasedRule
UpdateRegexMatchSet
UpdateRegexPatternSet
UpdateSizeConstraintSet
UpdateSqlInjectionMatchSet
UpdateWebACL
UpdateXssMatchSet

※As of January 2019

As you can see, even with a Custom Policy, most of the WAF actions are still required.

3. Attaching Custom Policy to S3

If you don't want to attach the "AmazonS3ReadOnlyAccess" policy, attach a policy allowing the following S3 actions for the S3 bucket registered in WafCharm.

Only a few actions are needed in the S3 policy.

GetObject
ListBucket

※As of January 2019

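As an added example (not code from the WafCharm page or product), the following Python script builds the two Custom Policies described in sections 2 and 3 as IAM JSON documents and runs a quick wildcard-resource check before they are attached. It assumes the WAF Classic service prefixes `waf` and `waf-regional`; the bucket name and prefix are constructed placeholders.

```python
import json

# Resource types WafCharm manages (section 2, WAF Classic, as of January 2019).
SETS = ["ByteMatchSet", "IPSet", "Rule", "RateBasedRule", "RegexMatchSet",
        "RegexPatternSet", "SizeConstraintSet", "SqlInjectionMatchSet", "XssMatchSet"]
# Expands to the 52 actions listed on the page: Create/Delete/Get/Update per type,
# List (plural) per type, plus the WebACL, change-token and sampled-request calls.
WAF_ACTIONS = sorted(
    [f"{verb}{s}" for verb in ("Create", "Delete", "Get", "Update") for s in SETS]
    + [f"List{s}s" for s in SETS]
    + ["GetWebACL", "UpdateWebACL", "ListWebACLs", "GetChangeToken",
       "GetChangeTokenStatus", "GetRateBasedRuleManagedKeys", "GetSampledRequests"])


def build_waf_policy(services=("waf", "waf-regional")):
    """Policy allowing only WafCharm's WAF Classic actions instead of AWSWAFFullAccess.
    Assumption: both global (waf) and regional (waf-regional) prefixes; drop one if unused."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "WafCharmWafClassic", "Effect": "Allow",
        "Action": [f"{svc}:{a}" for svc in services for a in WAF_ACTIONS],
        "Resource": "*"}]}   # WAF Classic API calls are not resource-scoped


def build_s3_policy(bucket, prefix):
    """Only the two S3 actions from section 3, scoped to one bucket and log prefix:
    ListBucket restricted to the prefix via s3:prefix, GetObject only under the prefix."""
    prefix = prefix.strip("/")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListLogPrefixOnly", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
        {"Sid": "GetLogObjectsOnly", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"}]}


def wildcard_resources(policy):
    """Sids of statements granted on Resource '*': expected for the WAF policy,
    but a sign of over-broad access if it ever shows up in the S3 policy."""
    out = []
    for st in policy["Statement"]:
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "*" in res:
            out.append(st["Sid"])
    return out


if __name__ == "__main__":
    # Constructed sample bucket and prefix; substitute your own before attaching.
    print(json.dumps(build_s3_policy("example-waf-logs", "cloudfront/"), indent=2))
    print(wildcard_resources(build_waf_policy()))  # ['WafCharmWafClassic']
```

The ListBucket statement assumes WafCharm lists objects using the log prefix; if listing fails with this condition, fall back to the page's bucket-level ListBucket grant without it.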

4. Summary

This article introduced the AWS WAF and S3 access permissions required to use WafCharm.

As AWS WAF adds functions, we will continue to update the functions of WafCharm.

Since the necessary permissions may grow in the future, we recommend attaching the Managed Policies.