WafCharm Initial Setting Manual

This article walks through the initial setup of WafCharm. Before you start, check three things in the AWS Management Console: the target Web ACL in AWS WAF, the IAM policy attached to the user whose access key you will enter, and the access-log settings of CloudFront (or ALB).
* WafCharm does not support AWS AppSync.

For AWS WAF Classic, refer to the official AWS documentation:
https://docs.aws.amazon.com/ja_jp/waf/latest/developerguide/classic-waf-chapter.html

* In this article, the current version is referred to as "new AWS WAF" and the previous version as "AWS WAF Classic".

  1. When you proceed to apply for a plan contract, you are taken to the following page. Start by setting up Web ACL Config.

  2. Click the "+ Add" button.

  3. Enter the required information (① to ⑩) and click "Save".

    ① Web ACL Name: Enter the Web ACL name.
    It does not have to match the name registered in the AWS console, but using the same name is recommended so that the two can be matched easily later.
    ② Web ACL ID: AWS Management Console > WAF & Shield > AWS WAF > Web ACLs

    The ID enclosed in the red frame in the image below is the Web ACL ID. In new AWS WAF this is the UUID-format ID shown for the Web ACL, not the Web ACL ARN.

    ③ Web ACL version: Select the version of the target Web ACL, AWS WAF Classic or new AWS WAF (see the note at the top of this article). The rule limit in ④ and the WCU note further down depend on this choice.
    ④ Choose AWS service type / Rule limit
    (AWS WAF Classic)
    Rule limit sets the upper limit on the number of rules that WafCharm may apply to the target Web ACL. An AWS WAF Classic Web ACL holds 10 rules by default, so this value decides how many of those slots WafCharm uses and how many remain for your own rules.
    e.g.)
    - Rule limit: 10 → WafCharm can apply up to 10 rules to the target Web ACL.
    - Rule limit: 5 → WafCharm can apply up to 5 rules to the target Web ACL, and the remaining 5 slots are available for customer-created rules.

    (new AWS WAF)
    new AWS WAF replaced the per-rule count with a cost-based limit, WCU (WAF Capacity Units): each rule consumes WCU according to its complexity, and the Web ACL as a whole has a capacity limit.
    A rule limit therefore does not need to be specified; the default setting can be used.

    ⑤ Choose your AWS region: Select the region in which the Web ACL and its protected resource were created.
    ※ Not compatible with AWS AppSync.
    ⑥ Access key / Secret key: Enter the access key and secret key of the IAM user that has the IAM policy "AWSWAFFullAccess". Create a dedicated IAM user for WafCharm rather than reusing the keys of a person or of the account root user, so that the key can be rotated or revoked on its own. "AWSWAFFullAccess" grants broad WAF permissions; refer to the following page when restricting them with a custom policy.
    Reference URL: https://www.wafcharm.com/en/blog/aws-iam-setting-for-wafcharm/
    ⑦ Default AWS WAF Action: Sets the action that rules applied by WafCharm to the target Web ACL take.
    * This setting does not change the action of rules that have already been applied.
    ⑧ Whitelist: Enter this if you want to create a whitelist at the initial setting stage. It can also be added later.
    ⑨ Blacklist: Enter this if you want to create a blacklist at the initial setting stage. It can also be added later.
    ⑩ Originating address (AWS WAF only)
    Enables the XFF header option. If CloudFront sits in front of your ALB, or your environment has a similar structure, the source address that the ALB's Web ACL sees is that of the upstream proxy rather than of the client, and the client address is carried in the X-Forwarded-For header, so consider using this option. Because X-Forwarded-For can also be set by the client, rely on it only where the proxy in front of the resource is one you control. Refer to the "XFF header options" section of the Help page of the WafCharm Dashboard.

    * For a new AWS WAF Web ACL that already contains your own rules, WafCharm still needs to add its rules, so leave about 1100 WCU of free capacity in the Web ACL. A Web ACL has a capacity of 1500 WCU by default (the quota can be raised), so check how much of it your existing rules already consume.
    * new AWS WAF Web ACLs are currently supported by manual work on the WafCharm side, so the rules may not be applied immediately. (As of 2021/04/30)
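As an added example that is not part of the original article or of WafCharm's own tooling, the following shell script cross-checks the values entered in Web ACL Config with the AWS CLI: which IAM user the configured access key belongs to (⑥), the Web ACL names and IDs in a scope and region (②, ⑤), and the WCU headroom the note above asks for. It assumes AWS CLI v2 configured with the key you intend to give WafCharm; the file name, the scope, region, Web ACL name and ID on the command line, and the 1500 WCU default are assumptions, as marked in the code.

```shell
#!/bin/sh
# Added example, not WafCharm's own tooling: cross-check the values entered in Web ACL
# Config (ID, region, key) with the AWS CLI and confirm the WCU headroom the note above
# asks for. Assumes AWS CLI v2 configured with the access key you will give WafCharm;
# the scope, region, Web ACL name and ID passed on the command line are placeholders.

DEFAULT_WCU_LIMIT=1500      # default capacity of a new AWS WAF Web ACL (quota can be raised)
WAFCHARM_WCU_NEEDED=1100    # free capacity WafCharm asks you to leave for its rules

# wcu_free USED [LIMIT]: WCU still available in the Web ACL.
wcu_free() {
    echo $(( ${2:-$DEFAULT_WCU_LIMIT} - $1 ))
}

# wcu_ok USED [LIMIT]: succeed if at least WAFCHARM_WCU_NEEDED WCU remain.
wcu_ok() {
    [ "$(wcu_free "$1" "${2:-$DEFAULT_WCU_LIMIT}")" -ge "$WAFCHARM_WCU_NEEDED" ]
}

# key_identity: ARN of the IAM principal behind the configured access key, to make sure
# the key belongs to the dedicated WafCharm user (item ⑥), not to a person or the root user.
key_identity() {
    aws sts get-caller-identity --query Arn --output text
}

# list_web_acls SCOPE REGION: Name and Id of every Web ACL in that scope. Web ACLs for
# ALB / API Gateway are REGIONAL in the resource's region (item ⑤); Web ACLs for
# CloudFront are global and must be queried with SCOPE=CLOUDFRONT and REGION=us-east-1.
list_web_acls() {
    aws wafv2 list-web-acls --scope "$1" --region "$2" \
        --query 'WebACLs[].[Name,Id]' --output text
}

# web_acl_capacity SCOPE REGION NAME ID: WCU consumed by the rules already in the Web ACL.
web_acl_capacity() {
    aws wafv2 get-web-acl --scope "$1" --region "$2" --name "$3" --id "$4" \
        --query 'WebACL.Capacity' --output text
}

# check_web_acl SCOPE REGION NAME ID: report used/free WCU and fail if headroom is short.
check_web_acl() {
    used=$(web_acl_capacity "$1" "$2" "$3" "$4") || return 1
    echo "Web ACL $3 ($4): $used WCU used, $(wcu_free "$used") WCU free"
    if wcu_ok "$used"; then
        echo "OK: at least $WAFCHARM_WCU_NEEDED WCU free for WafCharm rules"
    else
        echo "WARNING: free up WCU or raise the Web ACL capacity quota before WafCharm applies its rules"
        return 1
    fi
}

# Usage (all arguments are placeholders):
#   sh webacl_check.sh whoami
#   sh webacl_check.sh list REGIONAL ap-northeast-1
#   sh webacl_check.sh check REGIONAL ap-northeast-1 my-web-acl 11111111-2222-3333-4444-555555555555
case "${1:-}" in
    whoami) key_identity ;;
    list)   list_web_acls "$2" "$3" ;;
    check)  check_web_acl "$2" "$3" "$4" "$5" ;;
esac
```

Run `whoami` first: if the ARN is a user you did not create specifically for WafCharm, stop and create one. The `check` subcommand compares the Web ACL's current capacity with the default 1500 WCU; if your account has had the Web ACL capacity quota raised, pass the higher limit to `wcu_free` / `wcu_ok` instead of relying on the default.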

    4. After completing step 3, you are taken to the Web Site Config page, which covers the settings around S3. Enter the required information here as well and click Save.
      WafCharm "Web Site Config" setting screen


    Web Site Config registers the output destination of the access log that WafCharm analyses. (It does not register the resource that the WAF protects.)
    * When using API Gateway, Web Site Config does not need to be set.

    ① Web ACL Config: Select the target Web ACL Config.
    * If you have just created your first Web ACL Config, it is already selected.
    ② FQDN: Enter the FQDN of the target web application.
    * If several FQDNs share the same S3 Path (③ below), register one of them as a representative in Web Site Config.
    (Because WAF operates per resource (ALB, CloudFront, etc.), the FQDN registered here has no effect on the WAF itself.)
    ③ S3 Path: Set the path to which the access log of your resource is written.
    Check the log output destination of CloudFront
    AWS Management Console > CloudFront > Select the target distribution and click Distribution Settings > Click Edit > Check the part surrounded by the red frame below. For the settings in the red frame below, the S3 Path to register in WafCharm is
    "wafcharm-lecture02.s3.amazonaws.com"

    CloudFront log output destination confirmation screen
    * Do not write the access logs of several CloudFront distributions to the same S3 Path.
    * The real-time log function of CloudFront is not supported; only the standard logs delivered to S3 are used.

    Confirm the ALB log output destination
    AWS Management Console > EC2 > Click Load Balancers in the sidebar > Select the target ALB > Scroll to the bottom of the Description tab (the default tab) in the load balancer details > Check Attributes
    Refer to the part framed by the red rectangle in the screenshot below:
    Access logs: S3 location WafCharm / alblogs
    In that case, the S3 Path registered in WafCharm is
    "s3://WafCharm/alblogs/AWSLogs//elasticloadbalancing/ap-northeast-1/"
    * In this case the region is ap-northeast-1. ALB writes its logs under <bucket>/<prefix>/AWSLogs/<AWS account ID>/elasticloadbalancing/<region>/, so the empty segment between "AWSLogs/" and "/elasticloadbalancing" in the path above is where your own 12-digit AWS account ID goes.

    ALB log output destination confirmation screen
    * API Gateway access logs are not supported.

    ④ Access Key Option: Enter the access key and secret key of the IAM user that has the IAM policy "AmazonS3ReadOnlyAccess".
    If you use the Marketplace version, the IAM policy "CloudWatchReadOnlyAccess" is needed as well.
    Leave "Reuse Web ACL Access Key" checked if the same access key / secret key is used for AWS WAF and for S3. If the keys differ, uncheck "Reuse Web ACL Access Key" and enter an access key / secret key that has read permission on the S3 log bucket. A separate read-only key for the log bucket is the least-privilege choice, since reading logs does not require permission to modify the Web ACL.
    Reference URL: https://www.wafcharm.com/en/blog/aws-iam-setting-for-wafcharm/

    Once the above settings are registered correctly, WafCharm can be used.
    Some of the values must be confirmed in the AWS Management Console, so check them carefully.
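As an added example that is not part of the original article or of WafCharm's own tooling, the following shell script derives the S3 Path for Web Site Config from the ALB's access-log attributes (including the account ID that is blanked out in the sample path above), reads the CloudFront standard-logging target, and checks that the read-only key entered under Access Key Option can actually list the log prefix. It assumes AWS CLI v2 with a named profile for the S3 read-only key; the file name, the ALB ARN, the distribution ID and the profile name on the command line are placeholders, as marked in the code.

```shell
#!/bin/sh
# Added example, not WafCharm's own tooling: derive the S3 Path for Web Site Config from
# the ALB's access-log attributes and confirm that the key entered under Access Key Option
# can list that prefix. Assumes AWS CLI v2; the ARN, distribution ID and profile name
# passed on the command line are hypothetical placeholders.

# arn_field ARN N: the N-th colon-separated field of an ARN (4 = region, 5 = account ID).
arn_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# alb_log_path BUCKET PREFIX ACCOUNT REGION: the prefix ALB writes access logs under,
#   s3://BUCKET/PREFIX/AWSLogs/ACCOUNT/elasticloadbalancing/REGION/
# Edge case: an empty PREFIX is allowed when enabling ALB access logs, and the logs then
# land directly under AWSLogs/, so no empty path segment may be emitted.
alb_log_path() {
    bucket=$1; prefix=$2; account=$3; region=$4
    if [ -n "$prefix" ]; then
        printf 's3://%s/%s/AWSLogs/%s/elasticloadbalancing/%s/\n' "$bucket" "$prefix" "$account" "$region"
    else
        printf 's3://%s/AWSLogs/%s/elasticloadbalancing/%s/\n' "$bucket" "$account" "$region"
    fi
}

# alb_attr ARN KEY: one load balancer attribute
# (access_logs.s3.enabled, access_logs.s3.bucket, access_logs.s3.prefix).
alb_attr() {
    aws elbv2 describe-load-balancer-attributes --load-balancer-arn "$1" \
        --region "$(arn_field "$1" 4)" \
        --query "Attributes[?Key=='$2'].Value" --output text
}

# alb_s3_path ARN: the value to register as S3 Path in Web Site Config for this ALB.
# Region and account ID are taken from the ARN itself, so nothing has to be typed by hand.
alb_s3_path() {
    if [ "$(alb_attr "$1" access_logs.s3.enabled)" != "true" ]; then
        echo "access logging is disabled on $1; enable it before registering Web Site Config" >&2
        return 1
    fi
    alb_log_path "$(alb_attr "$1" access_logs.s3.bucket)" "$(alb_attr "$1" access_logs.s3.prefix)" \
        "$(arn_field "$1" 5)" "$(arn_field "$1" 4)"
}

# cloudfront_log_target DIST_ID: Enabled flag, bucket domain and prefix of the
# distribution's standard logging. The bucket domain (e.g. wafcharm-lecture02.s3.amazonaws.com)
# is what the article registers as the S3 Path.
cloudfront_log_target() {
    aws cloudfront get-distribution-config --id "$1" \
        --query 'DistributionConfig.Logging.[Enabled,Bucket,Prefix]' --output text
}

# verify_read S3_PATH PROFILE: list the prefix with the read-only credentials WafCharm
# will use. A non-zero exit means the key cannot list the prefix (or nothing has been
# delivered there yet).
verify_read() {
    aws s3 ls "$1" --profile "$2" >/dev/null
}

# Usage (all arguments are placeholders):
#   sh websiteconfig_check.sh alb arn:aws:elasticloadbalancing:ap-northeast-1:123456789012:loadbalancer/app/my-alb/0123456789abcdef wafcharm-s3-readonly
#   sh websiteconfig_check.sh cloudfront E1EXAMPLE12345
case "${1:-}" in
    alb)
        path=$(alb_s3_path "$2") || exit 1
        echo "S3 Path: $path"
        verify_read "$path" "$3" && echo "read check OK with profile $3"
        ;;
    cloudfront) cloudfront_log_target "$2" ;;
esac
```

Run the `alb` subcommand with a profile that holds only the S3 read-only key, not the AWS WAF key: if listing succeeds with the read-only profile, the key you enter under Access Key Option with "Reuse Web ACL Access Key" unchecked is sufficient, and a failure here is cheaper to diagnose than a silent gap in WafCharm's log analysis.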