AWS - WAF Enum
tip
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
AWS WAF
AWS WAF is a web application firewall designed to protect web applications or APIs against a variety of web attacks that could affect their availability, security, or resource consumption. It lets users control incoming traffic by setting security rules that mitigate common attack vectors such as SQL injection or cross-site scripting, and also by defining custom filtering rules.
Key concepts
Web ACL (Web Access Control List)
A Web ACL is a collection of rules that you can apply to your web applications or APIs. When you associate a Web ACL with a resource, AWS WAF inspects incoming requests against the rules defined in the Web ACL and takes the specified actions.
Rule Group
A Rule Group is a reusable collection of rules that you can apply to multiple Web ACLs. Rule groups help manage and maintain consistent rule sets across different web applications or APIs.
Each rule group has its own capacity, which helps calculate and control the resources used to run your rules, rule groups, and Web ACLs. Once its value is set at creation time, it cannot be changed.
Rule
A rule defines a set of conditions that AWS WAF uses to inspect incoming web requests. There are two main types of rules:
- Regular rule: This type of rule uses the specified conditions to decide whether to allow, block, or count web requests.
- Rate-based rule: Counts requests from a specific IP address over a five-minute period. Here, users define a threshold, and if the number of requests from an IP exceeds this limit within five minutes, subsequent requests from that IP are blocked until the request rate drops below the threshold. The minimum threshold for rate-based rules is 2000 requests.
Managed Rules
AWS WAF provides pre-configured rule sets, managed by AWS and by AWS Marketplace sellers. These rule sets offer protection against common threats and are updated regularly to address new vulnerabilities.
IP Set
An IP Set is a list of IP addresses or IP address ranges that you want to allow or block. IP sets simplify the process of managing IP-based rules.
Regex Pattern Set
A Regex Pattern Set contains one or more regular expressions (regex) that define patterns to search for in web requests. This is useful for complex matching scenarios, such as filtering specific strings of characters.
Lock Token
A Lock Token is used for concurrency control when making updates to WAF resources. It ensures that changes are not accidentally overwritten by multiple users or processes attempting to modify the same resource at the same time.
API Keys
API Keys in AWS WAF are used to authenticate requests for certain API operations. These keys are encrypted and managed securely to control access and ensure that only authorized users can make changes to the WAF configuration.
- Example: CAPTCHA API integration.
Permission Policy
A Permission Policy is an IAM policy that defines who can perform actions on AWS WAF resources. By defining permissions, you can control access to WAF resources and ensure that only authorized users can create, update, or delete configurations.
Scope
The scope parameter in AWS WAF defines whether the WAF rules and configurations apply to a regional application or to an Amazon CloudFront distribution.
- REGIONAL: Applies to regional services such as Application Load Balancers (ALB), Amazon API Gateway REST APIs, AWS AppSync GraphQL APIs, Amazon Cognito user pools, AWS App Runner services and AWS Verified Access instances. You specify the AWS region where these resources are located.
- CLOUDFRONT: Applies to Amazon CloudFront distributions, which are global. The WAF configuration for CloudFront is managed through the us-east-1 region regardless of where the content is served from.
Key features
Monitoring criteria (Conditions)
Conditions define the elements of incoming HTTP/HTTPS requests that AWS WAF monitors, which include XSS, geographical location (GEO), IP addresses, size constraints, SQL injection, and patterns (string and regex matching). It is important to note that requests restricted at the CloudFront level based on country never reach the WAF.
Each AWS account can create:
- 100 conditions per type (except for Regex, where only 10 conditions are allowed, but this limit can be increased).
- 100 rules and 50 Web ACLs.
- A maximum of 5 rate-based rules.
- A throughput of 10,000 requests per second when the WAF is deployed with an application load balancer.
Rule Actions
Actions are assigned to each rule, where the options are:
- Allow: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer.
- Block: The request is terminated immediately.
- Count: Counts the requests that match the rule's conditions. This is useful for rule testing, verifying the rule's accuracy before setting it to Allow or Block.
- CAPTCHA and Challenge: Verifies that the request does not come from a bot, using CAPTCHA puzzles and silent challenges.
If a request does not match any rule within the Web ACL, it goes through the default action (Allow or Block). The order of rule execution, defined within the Web ACL, is important and normally follows this sequence:
- Allow the allow-listed IPs.
- Block the block-listed IPs.
- Block requests matching any malicious signatures.
CloudWatch Integration
AWS WAF integrates with CloudWatch for monitoring, providing metrics such as AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests. These metrics are reported every minute by default and are retained for a period of two weeks.
Enumeration
To interact with CloudFront distributions, you must specify the US East (N. Virginia) region:
- CLI - Specify the US East region when using the CloudFront scope: --scope CLOUDFRONT --region=us-east-1
- API and SDKs - For all calls, use the us-east-1 region endpoint.
To interact with regional services, you must specify the region:
- Example with a European region (Spain): --scope REGIONAL --region=eu-south-2
# Web ACLs #
## Retrieve a list of web access control lists (Web ACLs) available in your AWS account
aws wafv2 list-web-acls --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve details about the specified Web ACL
aws wafv2 get-web-acl --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve a list of resources associated with a specific web access control list (Web ACL)
aws wafv2 list-resources-for-web-acl --web-acl-arn <value> # Additional permissions needed depending on the protected resource type: cognito-idp:ListResourcesForWebACL, ec2:DescribeVerifiedAccessInstanceWebAclAssociations or apprunner:ListAssociatedServicesForWebAcl
## Retrieve the Web ACL associated with the specified AWS resource
aws wafv2 get-web-acl-for-resource --resource-arn <arn> # Additional permissions needed depending on the protected resource type: cognito-idp:GetWebACLForResource, ec2:GetVerifiedAccessInstanceWebAcl, wafv2:GetWebACL or apprunner:DescribeWebAclForService
# Rule groups #
## List of the rule groups available in your AWS account
aws wafv2 list-rule-groups --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the details of a specific rule group
aws wafv2 get-rule-group [--name <value>] [--id <value>] [--arn <value>] [--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>]
## Retrieve the IAM policy attached to the specified rule group
aws wafv2 get-permission-policy --resource-arn <rule-group-arn> # Just the owner of the Rule Group can do this operation
# Managed rule groups (by AWS or by a third-party) #
## List the managed rule groups that are available
aws wafv2 list-available-managed-rule-groups --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## List the available versions of the specified managed rule group
aws wafv2 list-available-managed-rule-group-versions --vendor-name <value> --name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve high-level information about a specific managed rule group
aws wafv2 describe-managed-rule-group --vendor-name <value> --name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--version-name <value>]
## Retrieve high-level information about all managed rule groups
aws wafv2 describe-all-managed-products --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve high-level information about all managed rule groups from a specific vendor
aws wafv2 describe-managed-products-by-vendor --vendor-name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
# IP sets #
## List the IP sets that are available in your AWS account
aws wafv2 list-ip-sets --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the specific IP set
aws wafv2 get-ip-set --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the keys that are currently being managed by a rate-based rule.
aws wafv2 get-rate-based-statement-managed-keys --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>\
--web-acl-name <value> --web-acl-id <value> --rule-name <value> [--rule-group-rule-name <value>]
# Regex pattern sets #
## List all the regex pattern sets that you manage
aws wafv2 list-regex-pattern-sets --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the specified regex pattern set
aws wafv2 get-regex-pattern-set --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
# API Keys #
## List API keys for the specified scope
aws wafv2 list-api-keys --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve decrypted API key
aws wafv2 get-decrypted-api-key --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> --api-key <value>
# Logs #
## List of logging configurations (storage location of the logs)
aws wafv2 list-logging-configurations --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--log-scope <value>]
## Retrieve the logging configuration settings associated with a specific web ACL
aws wafv2 get-logging-configuration --resource-arn <value> [--log-scope <CUSTOMER | SECURITY_LAKE>] [--log-type <value>]
# Miscellaneous #
## Retrieve a list of the tags associated to the specified resource
aws wafv2 list-tags-for-resource --resource-arn <value>
## Retrieve a sample of web requests that match a specified rule within a WebACL during a specified time range
aws wafv2 get-sampled-requests --web-acl-arn <value> --rule-metric-name <value> --time-window <value> --max-items <1-500> --scope <value>
## Obtains the web ACL capacity unit (WCU) requirements for a specified scope and ruleset
aws wafv2 check-capacity --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> --rules <value>
## List of available releases for the AWS WAFv2 mobile SDK
aws wafv2 list-mobile-sdk-releases --platform <IOS | ANDROID>
## Retrieve information for the specified mobile SDK release
aws wafv2 get-mobile-sdk-release --platform <value> --release-version <value>
Post Exploitation / Bypass
tip
From an attacker's perspective, this service can help an attacker identify WAF protections and network exposures that could help them compromise other websites.
However, an attacker could also be interested in disrupting this service so that websites are no longer protected by the WAF.
In many Delete and Update operations it will be necessary to provide the lock token. This token is used for concurrency control over the resource, ensuring that changes are not accidentally overwritten by multiple users or processes trying to update the same resource at the same time. To obtain this token you can perform the corresponding list or get operations on the specific resource.
wafv2:CreateRuleGroup, wafv2:UpdateRuleGroup, wafv2:DeleteRuleGroup
An attacker could compromise the security of the affected resource by:
- Creating rule groups that could, for example, block legitimate traffic from legitimate IP addresses, causing a denial of service.
- Updating rule groups, being able to modify their actions, for example from Block to Allow.
- Deleting rule groups that provide critical security measures.
# Create Rule Group
aws wafv2 create-rule-group --name <value> --capacity <value> --visibility-config <value> \
--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--rules <value>] [--description <value>]
# Update Rule Group
aws wafv2 update-rule-group --name <value> --id <value> --visibility-config <value> --lock-token <value>\
--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--rules <value>] [--description <value>]
# Delete Rule Group
aws wafv2 delete-rule-group --name <value> --id <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
The following example shows a rule group that would block legitimate traffic from specific IP addresses:
aws wafv2 create-rule-group --name BlockLegitimateIPsRuleGroup --capacity 1 --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=BlockLegitimateIPsRuleGroup --scope CLOUDFRONT --region us-east-1 --rules file://rule.json
The rule.json file would look like this:
[
  {
    "Name": "BlockLegitimateIPsRule",
    "Priority": 0,
    "Statement": {
      "IPSetReferenceStatement": {
        "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/legitIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
      }
    },
    "Action": {
      "Block": {}
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": false,
      "CloudWatchMetricsEnabled": false,
      "MetricName": "BlockLegitimateIPsRule"
    }
  }
]
Potential Impact: Unauthorized access, data breaches, and potential DoS attacks.
wafv2:CreateWebACL, wafv2:UpdateWebACL, wafv2:DeleteWebACL
With these permissions, an attacker could:
- Create a new Web ACL, introducing rules that let malicious traffic through or block legitimate traffic, effectively rendering the WAF useless or causing a denial of service.
- Update existing Web ACLs, being able to modify rules to allow attacks such as SQL injection or cross-site scripting that were previously blocked, or disrupt normal traffic flow by blocking legitimate requests.
- Delete Web ACLs, leaving the affected resources completely unprotected and exposing them to a wide range of web attacks.
note
You can only delete the specified WebACL if ManagedByFirewallManager is false.
# Create Web ACL
aws wafv2 create-web-acl --name <value> --default-action <value> --visibility-config <value> \
--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--rules <value>] [--captcha-config <value>] [--description <value>]
# Update Web ACL
aws wafv2 update-web-acl --name <value> --id <value> --default-action <value> --visibility-config <value> --lock-token <value>\
--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--rules <value>] [--captcha-config <value>] [--description <value>]
# Delete Web ACL
aws wafv2 delete-web-acl --name <value> --id <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
The following example shows how to update a Web ACL so that it blocks legitimate traffic from a specific set of IPs. If the source IP does not match any of those IPs, the default action will also be to block, resulting in a DoS.
Original Web ACL:
{
  "WebACL": {
    "Name": "AllowLegitimateIPsWebACL",
    "Id": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
    "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
    "DefaultAction": {
      "Allow": {}
    },
    "Description": "",
    "Rules": [
      {
        "Name": "AllowLegitimateIPsRule",
        "Priority": 0,
        "Statement": {
          "IPSetReferenceStatement": {
            "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
          }
        },
        "Action": {
          "Allow": {}
        },
        "VisibilityConfig": {
          "SampledRequestsEnabled": false,
          "CloudWatchMetricsEnabled": false,
          "MetricName": "AllowLegitimateIPsRule"
        }
      }
    ],
    "VisibilityConfig": {
      "SampledRequestsEnabled": false,
      "CloudWatchMetricsEnabled": false,
      "MetricName": "AllowLegitimateIPsWebACL"
    },
    "Capacity": 1,
    "ManagedByFirewallManager": false,
    "LabelNamespace": "awswaf:123456789012:webacl:AllowLegitimateIPsWebACL:"
  },
  "LockToken": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
}
Command to update the Web ACL:
aws wafv2 update-web-acl --name AllowLegitimateIPsWebACL --scope REGIONAL --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --default-action Block={} --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=AllowLegitimateIPsWebACL --rules file://rule.json --region us-east-1
The rule.json file would look like this:
[
  {
    "Name": "BlockLegitimateIPsRule",
    "Priority": 0,
    "Statement": {
      "IPSetReferenceStatement": {
        "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
      }
    },
    "Action": {
      "Block": {}
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": false,
      "CloudWatchMetricsEnabled": false,
      "MetricName": "BlockLegitimateIPRule"
    }
  }
]
Potential Impact: Unauthorized access, data breaches, and potential DoS attacks.
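A defender-side check for the Web ACL tampering just described, added here as an example and not HackTricks code: it audits a get-web-acl document for the all-blocking configuration and diffs two snapshots of the same Web ACL (default action, rules added or removed, action flips). The ACL documents below are constructed to mirror the page's before/after and use placeholder IDs.

```python
import copy
import json

# Constructed "before" snapshot shaped like the page's AllowLegitimateIPsWebACL
# (trimmed to the fields the audit reads; the IDs are placeholders).
ORIGINAL_ACL = {"WebACL": {
    "Name": "AllowLegitimateIPsWebACL",
    "DefaultAction": {"Allow": {}},
    "ManagedByFirewallManager": False,
    "Rules": [{
        "Name": "AllowLegitimateIPsRule",
        "Priority": 0,
        "Statement": {"IPSetReferenceStatement": {
            "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/EXAMPLE-ID"}},
        "Action": {"Allow": {}},
    }],
}}

# Rule actions that can let a request through. A rule-group reference carries an
# OverrideAction instead of an Action; with "None" the group's own Allow rules still apply.
PASSING = {"Allow", "Captcha", "Challenge", "Override:None"}


def rule_action(rule):
    """Action key of a rule (Allow, Block, Count, ...) or 'Override:<x>' for rule-group references."""
    if "Action" in rule:
        return next(iter(rule["Action"]))
    return "Override:" + next(iter(rule.get("OverrideAction", {"None": {}})))


def audit_web_acl(acl_doc):
    """Findings for one get-web-acl document (empty list when nothing stands out)."""
    acl = acl_doc["WebACL"]
    default = next(iter(acl["DefaultAction"]))
    actions = [rule_action(r) for r in acl.get("Rules", [])]
    findings = []
    # Default Block with no rule able to pass traffic: the DoS configuration from the page.
    if default == "Block" and not any(a in PASSING for a in actions):
        findings.append("every request is blocked: default action Block and no passing rule (DoS)")
    if default == "Allow" and not actions:
        findings.append("default action Allow with no rules: the Web ACL filters nothing")
    if not acl.get("ManagedByFirewallManager", False):
        findings.append("not managed by Firewall Manager: removable with wafv2:DeleteWebACL")
    return findings


def diff_web_acls(before, after):
    """Default-action change plus per-rule add/remove/action-flip/statement-edit between snapshots."""
    b, a = before["WebACL"], after["WebACL"]
    changes = []
    db, da = next(iter(b["DefaultAction"])), next(iter(a["DefaultAction"]))
    if db != da:
        changes.append(f"default action {db} -> {da}")
    old = {r["Name"]: r for r in b.get("Rules", [])}
    new = {r["Name"]: r for r in a.get("Rules", [])}
    for name in sorted(set(old) | set(new)):
        if name not in new:
            changes.append(f"rule {name} removed")
        elif name not in old:
            changes.append(f"rule {name} added ({rule_action(new[name])})")
        elif rule_action(old[name]) != rule_action(new[name]):
            changes.append(f"rule {name} action {rule_action(old[name])} -> {rule_action(new[name])}")
        elif old[name]["Statement"] != new[name]["Statement"]:
            changes.append(f"rule {name} statement changed")
    return changes


def tampered_acl():
    """Constructed "after" snapshot: the page's update-web-acl call applied to ORIGINAL_ACL."""
    doc = copy.deepcopy(ORIGINAL_ACL)
    doc["WebACL"]["DefaultAction"] = {"Block": {}}
    doc["WebACL"]["Rules"][0].update({"Name": "BlockLegitimateIPsRule", "Action": {"Block": {}}})
    return doc


if __name__ == "__main__":
    after = tampered_acl()
    print(json.dumps({"audit": audit_web_acl(after), "diff": diff_web_acls(ORIGINAL_ACL, after)}, indent=2))
```

Feed it the output of `aws wafv2 get-web-acl` taken at two points in time to see what changed between them.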
wafv2:AssociateWebACL, wafv2:DisassociateWebACL
The wafv2:AssociateWebACL permission would allow an attacker to associate web ACLs (Web Access Control Lists) with resources, potentially bypassing security controls and allowing unauthorized traffic to reach the application, which could lead to exploitation such as SQL injection or cross-site scripting (XSS). Conversely, with the wafv2:DisassociateWebACL permission, an attacker could temporarily disable security protections, exposing resources to vulnerabilities without detection.
Additional permissions will be needed depending on the protected resource type:
- Associate
- apigateway:SetWebACL
- apprunner:AssociateWebAcl
- appsync:SetWebACL
- cognito-idp:AssociateWebACL
- ec2:AssociateVerifiedAccessInstanceWebAcl
- elasticloadbalancing:SetWebAcl
- Disassociate
- apigateway:SetWebACL
- apprunner:DisassociateWebAcl
- appsync:SetWebACL
- cognito-idp:DisassociateWebACL
- ec2:DisassociateVerifiedAccessInstanceWebAcl
- elasticloadbalancing:SetWebAcl
# Associate
aws wafv2 associate-web-acl --web-acl-arn <value> --resource-arn <value>
# Disassociate
aws wafv2 disassociate-web-acl --resource-arn <value>
Potential Impact: Compromised security of the affected resources, increased risk of exploitation, and potential service disruption within the AWS environment protected by AWS WAF.
wafv2:CreateIPSet, wafv2:UpdateIPSet, wafv2:DeleteIPSet
An attacker could create, update and delete the IP sets managed by AWS WAF. This could be harmful since they could create new IP sets to allow malicious traffic, modify IP sets to block legitimate traffic, update existing IP sets to include malicious IP addresses, remove trusted IP addresses, or delete critical IP sets that are supposed to protect critical resources.
# Create IP set
aws wafv2 create-ip-set --name <value> --ip-address-version <IPV4 | IPV6> --addresses <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
# Update IP set
aws wafv2 update-ip-set --name <value> --id <value> --addresses <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
# Delete IP set
aws wafv2 delete-ip-set --name <value> --id <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
The following example shows how to overwrite an existing IP set with the desired IP set:
aws wafv2 update-ip-set --name LegitimateIPv4Set --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --addresses 99.99.99.99/32 --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --scope CLOUDFRONT --region us-east-1
Potential Impact: Unauthorized access and blocking of legitimate traffic.
wafv2:CreateRegexPatternSet, wafv2:UpdateRegexPatternSet, wafv2:DeleteRegexPatternSet
An attacker with these permissions could modify the regex pattern sets used by AWS WAF to control and filter incoming traffic based on specific patterns.
- Creating new regex patterns could help the attacker allow malicious content.
- By updating existing patterns, the attacker could bypass security rules.
- Deleting patterns designed to block malicious activity could enable the attacker to send malicious payloads and bypass security measures.
# Create regex pattern set
aws wafv2 create-regex-pattern-set --name <value> --regular-expression-list <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--description <value>]
# Update regex pattern set
aws wafv2 update-regex-pattern-set --name <value> --id <value> --regular-expression-list <value> --lock-token <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
# Delete regex pattern set
aws wafv2 delete-regex-pattern-set --name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> --id <value> --lock-token <value>
Potential Impact: Bypassing security controls, allowing malicious content and potentially exposing sensitive data or disrupting the services and resources protected by AWS WAF.
(wafv2:PutLoggingConfiguration & iam:CreateServiceLinkedRole), wafv2:DeleteLoggingConfiguration
An attacker with wafv2:DeleteLoggingConfiguration could remove the logging configuration from the specified Web ACL. Subsequently, with the wafv2:PutLoggingConfiguration and iam:CreateServiceLinkedRole permissions, an attacker could create or modify the logging configuration (after removing it) to disable logging entirely or redirect logs to unauthorized destinations, such as Amazon S3 buckets, Amazon CloudWatch Logs log groups or Amazon Kinesis Data Firehose delivery streams under their control.
During the creation process, the service automatically sets the permissions required to allow the logs to be written to the specified logging destination:
- Amazon CloudWatch Logs: AWS WAF creates a resource policy on the specified CloudWatch Logs log group. This policy ensures that AWS WAF has the permissions required to write logs to the log group.
- Amazon S3 Bucket: AWS WAF creates a bucket policy on the specified S3 bucket. This policy grants AWS WAF the permissions required to upload logs to the specified bucket.
- Amazon Kinesis Data Firehose: AWS WAF creates a service-linked role specifically for interacting with Kinesis Data Firehose. This role allows AWS WAF to deliver logs to the configured Firehose stream.
note
Only one logging destination can be defined per web ACL.
# Put logging configuration
aws wafv2 put-logging-configuration --logging-configuration <value>
# Delete logging configuration
aws wafv2 delete-logging-configuration --resource-arn <value> [--log-scope <CUSTOMER | SECURITY_LAKE>] [--log-type <value>]
Potential Impact: Loss of visibility into security events, hindering the incident response process, and enabling undetected malicious activity within the environment protected by AWS WAF.
wafv2:DeleteAPIKey
An attacker with this permission could delete existing API keys, rendering the CAPTCHA non-functional and breaking the functionality that depends on it, such as form submissions and access control. Depending on the CAPTCHA implementation, this could result in either a CAPTCHA bypass or a DoS if error handling is not properly configured in the resource.
# Delete API key
aws wafv2 delete-api-key --api-key <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
Potential Impact: Removal of CAPTCHA protection or disruption of application functionality, leading to potential security breaches and data theft.
wafv2:TagResource, wafv2:UntagResource
An attacker could add, modify, or remove tags from AWS WAFv2 resources, such as Web ACLs, rule groups, IP sets, regex pattern sets, and logging configurations.
# Tag
aws wafv2 tag-resource --resource-arn <value> --tags <value>
# Untag
aws wafv2 untag-resource --resource-arn <value> --tag-keys <value>
Potential Impact: Resource manipulation, information leakage, cost manipulation and operational disruption.
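As an added detection example (not from the original page), a CloudTrail scan for the WAFv2 control-plane actions listed in this section, so that the permission abuse described above shows up in security operations. The records are constructed; the severity table and the camelCase parameter names (defaultAction, resourceArn) are assumptions to adjust to your own environment.

```python
import json

# WAFv2 API actions from this page mapped to an assumed severity (tune to your environment).
WATCHLIST = {
    "DeleteWebACL": "high", "DisassociateWebACL": "high", "DeleteRuleGroup": "high",
    "DeleteLoggingConfiguration": "high", "PutLoggingConfiguration": "medium",
    "UpdateWebACL": "medium", "UpdateRuleGroup": "medium", "UpdateIPSet": "medium",
    "DeleteIPSet": "medium", "UpdateRegexPatternSet": "medium",
    "DeleteRegexPatternSet": "medium", "DeleteAPIKey": "medium", "AssociateWebACL": "low",
}

# Constructed records in CloudTrail's shape, trimmed to the fields used below.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "ListWebACLs", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/auditor"},
     "requestParameters": {"scope": "REGIONAL"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "UpdateWebACL", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"name": "AllowLegitimateIPsWebACL", "defaultAction": {"block": {}}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteLoggingConfiguration",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"resourceArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/EXAMPLE-ID"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "UpdateWebACL", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
     "errorCode": "WAFOptimisticLockException",
     "requestParameters": {"name": "AllowLegitimateIPsWebACL"}},
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"}},
]


def classify(record):
    """(severity, summary) for a watch-listed WAFv2 call, None for anything else."""
    if record.get("eventSource") != "wafv2.amazonaws.com":
        return None
    severity = WATCHLIST.get(record.get("eventName"))
    if severity is None:
        return None
    params = record.get("requestParameters") or {}
    target = params.get("resourceArn") or params.get("webAclArn") or params.get("name") or "?"
    summary = f"{record['eventName']} on {target} by {record['userIdentity']['arn']}"
    if "errorCode" in record:
        # A rejected call still shows intent. WAFOptimisticLockException means the lock token
        # was stale, i.e. the resource changed between the caller's get and update.
        return "low", f"{summary} (failed: {record['errorCode']})"
    if record["eventName"] == "UpdateWebACL" and "block" in params.get("defaultAction", {}):
        # Default action switched to Block: anything not explicitly allowed is dropped.
        return "high", f"{summary} [default action set to Block]"
    return severity, summary


def scan(records):
    """Alerts as (eventTime, severity, summary) tuples, in the order the records appear."""
    alerts = []
    for record in records:
        hit = classify(record)
        if hit:
            alerts.append((record["eventTime"],) + hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(json.dumps(alert))
```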