Table of Contents
- 1. Introduction
- 2. Overview
- 3. About Credential
- 4. About WAF Config
- 5. About WAF log integration
- 6. Conclusion
1. Introduction
WafCharm is a service that applies rules to AWS WAF. WafCharm also offers a variety of features that become available when you integrate your WAF logs. For details on the features you can use, please refer to the help page below:
Features available by enabling WAF log integration
To use WafCharm rules and the features mentioned above, you need to grant WafCharm the necessary permissions to access your AWS WAF (web ACL), S3 buckets, and other related resources.
In this blog post, we will take a look at the overall relationship between IAM permissions and WafCharm-side resources, as well as how different configuration settings affect that relationship.
2. Overview
As described above, WafCharm provides a mechanism for applying rules to AWS WAF (web ACL), and when WAF log integration is enabled, it also retrieves WAF logs. To use these features, you must prepare AWS resources such as AWS WAF, S3 buckets, and IAM permissions, and then provide that information to WafCharm.
In short, the following resources are required in your AWS environment:
- IAM permissions: As noted earlier, WafCharm needs access to your web ACL (and, when WAF log integration is enabled, to the S3 bucket holding the logs) to function. This is where you grant that access: you attach the required permissions to an IAM user or IAM role that WafCharm will use.
- AWS WAF (web ACL): The web ACL where WafCharm applies its rules.
- S3 bucket: The S3 bucket used by AWS WAF to output WAF logs.
Within WafCharm, you will need to create and configure the following resources:
- Credential: A resource where you register the IAM permission information mentioned above. Conceptually, this tells WafCharm, “When operating, use this IAM user or role.”
- WAF Config: A resource where you register information related to the AWS WAF (web ACL). Conceptually, this tells WafCharm, “Use WafCharm with this web ACL.” After specifying the web ACL and completing basic settings, you can adjust various configurations later through WAF Config.
The illustration below shows a simplified overall structure focusing on IAM, WAF Config, Credential, and WAF log retrieval.

The overall flow based on the diagram looks like this:
*This assumes that AWS resources, including IAM and S3 buckets, already exist.
- Create a Credential and register the IAM permission information.
- Configure a WAF Config and register information for the AWS WAF (web ACL).
- Based on the information registered in WAF Config and Credential, WafCharm uses the permissions associated with the IAM user or role to apply rules to the web ACL.
- Based on the information registered in WAF Config and Credential, WafCharm uses the permissions associated with the IAM user or role to retrieve WAF logs from the S3 bucket.
3. About Credential
Credential is a resource where you register information about the IAM user or IAM role configured in your AWS environment. For an IAM user, you register its access key and secret key, which are long-lived credentials that WafCharm then holds. For an IAM role, you configure the role's trust policy so that WafCharm is allowed to assume it, and then register the role ARN.
*Using an IAM role is recommended: WafCharm obtains short-lived credentials by assuming the role instead of holding your access keys, and you can revoke its access at any time by editing the trust policy.
For details on the permissions required to use WafCharm, please refer to the help pages below:
- Required permissions for AWS WAF v2 (new plan/MP ver.)
- Required permissions for AWS WAF Classic/AWS WAF v2 (old plan)
Instructions for registering a Credential can be found in the following help pages:
- How to configure Credential Store for AWS WAF v2 (new plan/MP ver.)
- How to configure Credential Store for AWS WAF Classic/AWS WAF v2 (old plan)
You can register multiple Credentials. For example, if you have Web ACL 1 and Web ACL 2 and want to use IAM role 1 for Web ACL 1 and IAM role 2 for Web ACL 2, you would create a separate Credential for each IAM role.
The relationship between each Credential and IAM role can be summarized as follows:
IAM role 1 = Credential 1
IAM role 2 = Credential 2
However, a Credential by itself does not record which web ACL the IAM role will be used for: it only stores the fact that, say, IAM role 1 is registered as Credential 1. The association between an IAM role and a web ACL is made in the WAF Config.
4. About WAF Config
WAF Config is a resource where you register information related to AWS WAF (web ACL). By selecting the Credential you want to use and specifying the web ACL, you link the web ACL in AWS with the WAF Config in WafCharm.
For example, if you have Web ACL 1 and Web ACL 2, you create a separate WAF Config for each one. Because a web ACL and a WAF Config have a one-to-one relationship, the pairs would look like this:
Web ACL 1 = WAF Config 1
Web ACL 2 = WAF Config 2
WAF Config contains various mechanisms and configuration options. We will not cover all of them here, but as examples, you can do the following:
- Apply WafCharm rules: When you create a WAF Config, WafCharm automatically applies its rules to the web ACL.
- Update allowed or blocked IP addresses: This feature is used when you want to allow or block requests from specific IP addresses. By adding or removing IP addresses under the [Rule Configuration] tab within the WAF Config, the conditions of the corresponding rules in the web ACL are updated.
Among the configuration items in a WAF Config is an option to select a Credential. The Credential selected here is the one used for that WAF Config. For example, if WAF Config 1 uses Credential 1 and WAF Config 2 uses Credential 2, the relationships look like this:
Web ACL 1 = WAF Config 1 - Credential 1 = IAM role 1
Web ACL 2 = WAF Config 2 - Credential 2 = IAM role 2
When you want to add an IP address to the allowlist for Web ACL 1, you register the IP address in the allowlist of WAF Config 1. Once registered, WafCharm updates your web ACL by adding the IP address to the allowlist. At that time, because WAF Config 1 is associated with Credential 1, WafCharm uses the permissions of IAM role 1 to update Web ACL 1.
5. About WAF log integration
WAF log integration refers to the configuration that lets WafCharm retrieve the WAF logs output by the AWS WAF you are using. By enabling WAF log integration, you can use features such as viewing information about blocked requests, WAF log search, monthly reports, and WAF log alerts (detection notifications). For more information, please see the help page below:
Features available by enabling WAF log integration
Instructions for configuring WAF log integration can be found in the following help pages:
- How to configure WAF log integration (new method) for AWS WAF v2 Advanced
- How to configure access logs/WAF log integration for AWS WAF v2 Legacy
As described in the help pages above, there are two types of WAF log integration methods:
- Old method: A method that uses Lambda to set up WAF log integration within your AWS environment. Because the configuration is built inside your AWS account, Credentials in WafCharm are not used.
- New method: A method configured through the [Log and Notification Configuration] tab in the WAF Config. Since this method operates using the information and permissions you have provided to WafCharm, it uses the information in the WAF Config and the specified Credential. For customers on the old plan, enabling this method requires assistance from WafCharm Support. Please refer to the help page above for details.
As noted above, the old method does not use the WAF Config or Credential information in WafCharm when integrating WAF logs. However, the new method does use the WAF Config and Credential information registered in WafCharm.
For the Advanced Rule policy, all you need to do is toggle WAF log integration on or off. The Credential used is the one selected in the WAF Config.

For the Legacy Rule policy, several configuration items are available. Among them is an option to select a Credential, and the Credential selected there is used to retrieve WAF logs.

In the Legacy Rule policy, you can assign different Credentials for WAF Config functions (such as rule configuration) and for WAF log integration.
For example, suppose IAM role 1-A has permissions related to the web ACL, such as AWSWAFFullAccess and CloudWatchReadOnlyAccess, and IAM role 1-B has AmazonS3ReadOnlyAccess. You register them as Credential 1-A and Credential 1-B respectively. In this case, you could select Credential 1-A for WAF Config 1, and select Credential 1-B for WAF log integration in WAF Config 1, allowing you to use different IAM roles for different purposes.
Note that the policies named here are broad AWS managed policies: AmazonS3ReadOnlyAccess grants read access to every bucket in the account, not just the log bucket, and AWSWAFFullAccess covers every web ACL. Splitting the roles limits what each Credential can touch, but where possible write customer-managed policies scoped to the specific web ACL and log bucket, using the actions listed in the required-permissions help pages above.
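To make the split concrete, here is an added example (Python, not WafCharm's own code) that writes scoped customer-managed policies for the two roles in place of the broad managed policies named above and checks offline what each allows: role 1-A may only read and update one web ACL and its IP set, and role 1-B may only list and read one log bucket. The account ID, ARNs, bucket name and action list are constructed for illustration; the actions WafCharm actually requires come from its help pages.

```python
import fnmatch
import json

# Constructed identifiers for the example (assumptions, not from the page).
ACCOUNT_ID = "123456789012"
REGION = "ap-northeast-1"
WEB_ACL_ARN = f"arn:aws:wafv2:{REGION}:{ACCOUNT_ID}:regional/webacl/web-acl-1/11111111-2222-3333-4444-555555555555"
IP_SET_ARN = f"arn:aws:wafv2:{REGION}:{ACCOUNT_ID}:regional/ipset/web-acl-1-allowlist/66666666-7777-8888-9999-000000000000"
LOG_BUCKET = "aws-waf-logs-example-web-acl-1"

# wafv2 List* actions do not support resource-level permissions, so "*" is the
# only valid Resource for them; the audit below does not flag these.
LIST_ONLY_ACTIONS = {"wafv2:ListWebACLs", "wafv2:ListIPSets"}


def waf_operator_policy(web_acl_arn: str, ip_set_arn: str) -> dict:
    """Permission policy for IAM role 1-A: rule and IP-set updates on one web ACL.

    The action list is an assumption for illustration; take the real list from
    the WafCharm 'Required permissions' help page.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["wafv2:GetWebACL", "wafv2:UpdateWebACL"], "Resource": web_acl_arn},
            {"Effect": "Allow", "Action": ["wafv2:GetIPSet", "wafv2:UpdateIPSet"], "Resource": ip_set_arn},
            {"Effect": "Allow", "Action": sorted(LIST_ONLY_ACTIONS), "Resource": "*"},
        ],
    }


def log_reader_policy(bucket: str) -> dict:
    """Permission policy for IAM role 1-B: read WAF logs from one bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


# Shape of the AWS managed AmazonS3ReadOnlyAccess policy: read on every bucket.
BROAD_S3_READ = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal Allow-only evaluation: does any statement match action and resource?

    IAM wildcards (* and ?) map directly onto fnmatch; Deny and conditions are
    out of scope for this check.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


def unscoped_actions(policy: dict) -> set:
    """Actions allowed on Resource "*", excluding the List actions that require it."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        found.update(a for a in _as_list(stmt["Action"]) if a not in LIST_ONLY_ACTIONS)
    return found


if __name__ == "__main__":
    for name, policy in (("role-1-A", waf_operator_policy(WEB_ACL_ARN, IP_SET_ARN)),
                         ("role-1-B", log_reader_policy(LOG_BUCKET)),
                         ("AmazonS3ReadOnlyAccess-like", BROAD_S3_READ)):
        print(name, "unscoped:", sorted(unscoped_actions(policy)))
        print(json.dumps(policy, indent=2))
```

The `allows` check is deliberately minimal (no Deny, no conditions), but it is enough to show the difference that matters for a Credential: with the scoped policy, role 1-B cannot read objects in any bucket other than the WAF log bucket, whereas the managed policy reads every bucket in the account. Running `unscoped_actions` over a policy you are about to register is a quick way to spot a `"Resource": "*"` that should have been an ARN.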
6. Conclusion
In this blog post, we explained the relationship between IAM permissions and the resources used in WafCharm, as well as the various configuration steps involved. The connections between WAF Config and web ACL, or between IAM and Credential, along with understanding where each one is used, can be a bit difficult to grasp at first.
We hope this blog post helps you manage your AWS resources, such as IAM permissions and web ACLs, and create or apply the corresponding resources in WafCharm as needed.