Overview
In order to use WafCharm, it is recommended to grant full access of WAF by means of IAM and read access of S3 to WafCharm. This time we picked up the method of attaching the Managed Policy prepared on the AWS side and the necessary Custom Policy for those who don't want to grant full access permission of WAF due to security reasons.
Contents:
- 1. Access permissions required to use WafCharm (Managed Policy)
- 2. Attaching Custom Policy to AWS WAF
- 3. Attaching Custom Policy to S3
- 4. Summary
1. Access permissions required to use WafCharm (Managed Policy)
1-1. Open the service page of IAM.
1-2. On IAM's service page, select "Users" from the submenu bar.
1-3. Click on the AWS WAF user registered on WafCharm.
1-4. Make sure that "AWSWAFFullAccess" and "AmazonS3ReadOnlyAccess" exist in the attached policy as shown below.
If these two Managed Policies are attached, you can use WafCharm without any trouble.
In addition, if you want to grant S3 read permission only for specific Bucket, Prefix, you can change the following JSON according to the environment and use it as Custom Policy of S3. ※As of January, 2019
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::<BucketName>",
"arn:aws:s3:::<BucketName/folder_name>/*"
]
}
]
}
If you are using the Marketplace version, you need to add IAM policy "CloudWatchReadOnlyAccess" as well.
If you want to further limit the permissons, use the JSON below as Custom Policy.
*CloudWatch does not have resources to limit using the policy's resources, so use wild card (*) in the IAM policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "cloudwatch:GetMetricData",
"Resource": "*"
}
]
}
2. Attaching Custom Policy to AWS WAF
Those who don't want to attach "AWSWAFFullAccess" Policy, please attach the following Policy to the AWS WAF user registered in WafCharm.
| CreateByteMatchSet |
| CreateIPSet |
| CreateRule |
| CreateRateBasedRule |
| CreateRegexMatchSet |
| CreateRegexPatternSet |
| CreateSizeConstraintSet |
| CreateSqlInjectionMatchSet |
| CreateXssMatchSet |
| DeleteByteMatchSet |
| DeleteIPSet |
| DeleteRule |
| DeleteRateBasedRule |
| DeleteRegexMatchSet |
| DeleteRegexPatternSet |
| DeleteSizeConstraintSet |
| DeleteSqlInjectionMatchSet |
| DeleteXssMatchSet |
| GetByteMatchSet |
| GetChangeToken |
| GetChangeTokenStatus |
| GetIPSet |
| GetRule |
| GetRateBasedRule |
| GetRateBasedRuleManagedKeys |
| GetRegexMatchSet |
| GetRegexPatternSet |
| GetSampledRequests |
| GetSizeConstraintSet |
| GetSqlInjectionMatchSet |
| GetWebACL |
| GetXssMatchSet |
| ListByteMatchSets |
| ListIPSets |
| ListRules |
| ListRateBasedRules |
| ListRegexMatchSets |
| ListRegexPatternSets |
| ListSizeConstraintSets |
| ListSqlInjectionMatchSets |
| ListWebACLs |
| ListXssMatchSets |
| UpdateByteMatchSet |
| UpdateIPSet |
| UpdateRule |
| UpdateRateBasedRule |
| UpdateRegexMatchSet |
| UpdateRegexPatternSet |
| UpdateSizeConstraintSet |
| UpdateSqlInjectionMatchSet |
| UpdateWebACL |
| UpdateXssMatchSet |
※As of January, 2019
As you can see, even in Custom Policy, most policies are required.
3. Attaching Custom Policy to S3
Those who don't want to attach "AmazonS3ReadOnlyAccess" Policy, please attach the following Policy to the S3 registered in WafCharm.
Just a few policies are needed in the Policy of S3.
| GetObject |
| ListBucket |
※As of January, 2019
4. Summary
This time we introduced AWS WAF & S3 access permissions required to use WafCharm.
With the addition of AWS WAF functions, we will continue to update the functions of WafCharm.
Since necessary policies may increase in the future, we recommend attaching Managed Policy.
