Updates from 03/23/2023
This post has been revised due to the release of the new WafCharm feature Credential Store.
You can use the access key/secret key method we have been providing, but we recommend using AssumeRole.
Refer to the blog posts below for details on using AssumeRole.
- About Credential Stores
- About AssumeRole configuration and IAM policy
- How to switch to AssumeRole from access key/secret key
Overview
In order to use WafCharm, it is recommended to grant full access of WAF by means of IAM and read access of S3 to WafCharm. This time we picked up the method of attaching the Managed Policy prepared on the AWS side and the necessary Custom Policy for those who don't want to grant full access permission of WAF due to security reasons.
Contents:
- 1. Access permissions required to use WafCharm (Managed Policy)
- 2. Attaching Custom Policy to AWS WAF
- 3. Attaching Custom Policy to S3
- 4. Summary
1. Access permissions required to use WafCharm (Managed Policy)
1-1. Open the service page of IAM.
1-2. On IAM's service page, select "Users" from the submenu bar.
1-3. Click on the AWS WAF user registered on WafCharm.
1-4. Make sure that "AWSWAFFullAccess" and "AmazonS3ReadOnlyAccess" exist in the attached policy as shown below.
If these two Managed Policies are attached, you can use WafCharm without any trouble.
In addition, if you want to grant S3 read permission only for specific Bucket, Prefix, you can change the following JSON according to the environment and use it as Custom Policy of S3.
*As of March, 2023
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:List*", "s3:Get*" ], "Resource": [ "arn:aws:s3:::<BucketName>", "arn:aws:s3:::<BucketName/folder_name>/*" ] } ] }
If you are using the Marketplace version, you need to add IAM policy "CloudWatchReadOnlyAccess" as well.
If you want to further limit the permissons, use the JSON below as Custom Policy.
*CloudWatch does not have resources to limit using the policy's resources, so use wild card (*) in the IAM policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "cloudwatch:GetMetricData", "Resource": "*" } ] }
2. Attaching Custom Policy to AWS WAF
Please use AWSWAFFullAccess for AWS WAF v2 because feature releases and updates could cause insufficient permission.
If you want to use a custom policy for AWS WAF Classic, please contact WafCharm support.
*Keep in mind that the majority of the policies will be required nonetheless.
3. Attaching Custom Policy to S3
Those who don't want to attach "AmazonS3ReadOnlyAccess" Policy, please attach the following Policy to the S3 registered in WafCharm.
Just a few policies are needed in the Policy of S3.
GetObject |
ListBucket |
※As of March, 2023
4. Summary
This time we introduced AWS WAF & S3 access permissions required to use WafCharm.
With the addition of AWS WAF functions, we will continue to update the functions of WafCharm.
Since necessary policies may increase in the future, we recommend attaching Managed Policy.