AWS WAFv2 - SCP to Prevent Custom Rule Deletion

Hi all, I'm working on an automation process that creates a WAFv2 WebACL whenever a CloudFront distribution is created, using EventBridge and Step Functions.

The automation should create a WebACL (if one doesn't already exist) with the following two rules:

  1. OnlyProxy: An IPSet rule that allows access to the CloudFront distribution only from our proxies' IP addresses.
  2. Core Rule Set: AWS-AWSManagedRulesCommonRuleSet

To complete this setup, I need to create a Service Control Policy (SCP) that prevents anyone from removing the OnlyProxy rule, except for a specific team. The other managed rule group, "AWS-AWSManagedRulesCommonRuleSet", can be updated by anyone.

I've been struggling to specify the OnlyProxy rule name as a condition for the Deny action in the SCP.

Has anyone faced a similar issue or can offer some guidance? Your assistance would be greatly appreciated.

Thanks

2 Answers
Try WAF with tags

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "wafv2:DeleteRuleGroup",
                "wafv2:DeleteWebACL"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Protected": "True"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "wafv2:DeleteRuleGroup",
                "wafv2:DeleteWebACL"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:ResourceTag/Protected": "True"
                }
            }
        }
    ]
}
EXPERT
answered 3 months ago
Artem (EXPERT) reviewed 2 months ago
EXPERT reviewed 3 months ago
  • The answer isn't clear enough. If I prevent someone from deleting a Rule Group, this doesn't mean that they can't modify or remove a custom rule inside the WebACL.

I don't think you can accomplish that with an IAM policy. I believe the OnlyProxy rule could be removed, its matching criteria changed, or priority modified to move it where another rule would get evaluated before it with the UpdateRuleGroup API call, for which permissions would be checked against those specified for wafv2:UpdateRuleGroup: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html

The permissions IAM evaluates for wafv2:UpdateRuleGroup only cover "rulegroup", "ipset", and "regexpatternset" types of resources and resource tags associated with those resource types. The individual rules and their attributes are specified as an array type of parameter to the UpdateRuleGroup API, and the contents of that array aren't validated against IAM policies, including SCPs, except for the "ipset" or "regexpatternset" types of resources used in the rules.

If you're using AWS Config, you could consider building a custom Config rule that would detect unauthorised changes and alert you or trigger automatic remediation.

EXPERT
Leo K
answered 3 months ago
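The detective control suggested in this answer, worked through as an added example (this is not code from the thread or from AWS): the core of a custom AWS Config rule that checks, for one WebACL description as returned by the WAFv2 GetWebACL API, that the OnlyProxy rule still exists, still references the proxy IPSet, and still has the lowest priority number (so no other rule is evaluated before it). Those are the three changes the answer says IAM cannot block. The WebACL contents, the IPSet ARN, the Config rule parameter names (WebAclName, WebAclId, ProxyIpSetArn) and the Lambda handler wiring are constructed assumptions; only evaluate_web_acl and the demo run offline.

```python
"""Custom AWS Config rule logic for the OnlyProxy rule (added example)."""
import copy
import json

PROTECTED_RULE = "OnlyProxy"  # rule name from the question

# Constructed sample data: placeholder ARN and IDs, not real resources.
PROXY_IPSET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/proxies/PLACEHOLDER-ID"
SAMPLE_WEB_ACL = {
    "Name": "cloudfront-webacl",
    "Id": "PLACEHOLDER-WEBACL-ID",
    "Rules": [
        {"Name": "OnlyProxy", "Priority": 0, "Action": {"Allow": {}},
         "Statement": {"IPSetReferenceStatement": {"ARN": PROXY_IPSET_ARN}}},
        {"Name": "Core-Rule-Set", "Priority": 1, "OverrideAction": {"None": {}},
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}},
    ],
}


def ipset_arns(statement):
    """Collect every IPSet ARN referenced anywhere in a rule statement,
    walking through Not/And/Or wrappers so a negated IPSet rule still counts."""
    found = set()
    if isinstance(statement, dict):
        if "IPSetReferenceStatement" in statement:
            found.add(statement["IPSetReferenceStatement"].get("ARN"))
        for value in statement.values():
            found |= ipset_arns(value)
    elif isinstance(statement, list):
        for item in statement:
            found |= ipset_arns(item)
    return found


def evaluate_web_acl(web_acl, expected_ipset_arn, protected_rule=PROTECTED_RULE):
    """Return (compliance_type, annotation) for a GetWebACL 'WebACL' dict."""
    rules = web_acl.get("Rules", [])
    matches = [r for r in rules if r.get("Name") == protected_rule]
    if not matches:
        return "NON_COMPLIANT", f"rule {protected_rule} has been removed"
    rule = matches[0]
    if expected_ipset_arn not in ipset_arns(rule.get("Statement", {})):
        return "NON_COMPLIANT", f"rule {protected_rule} no longer references the proxy IPSet"
    # WAF evaluates rules in ascending priority; the protected rule must stay first.
    if rule.get("Priority", 0) != min(r.get("Priority", 0) for r in rules):
        return "NON_COMPLIANT", f"rule {protected_rule} is no longer evaluated first"
    return "COMPLIANT", f"rule {protected_rule} intact"


def demo_scenarios():
    """Evaluate the intact sample and one tampered copy per change listed above."""
    removed = copy.deepcopy(SAMPLE_WEB_ACL)
    removed["Rules"] = [r for r in removed["Rules"] if r["Name"] != PROTECTED_RULE]
    reprioritised = copy.deepcopy(SAMPLE_WEB_ACL)
    reprioritised["Rules"][0]["Priority"] = 5  # now evaluated after the managed group
    swapped = copy.deepcopy(SAMPLE_WEB_ACL)
    swapped["Rules"][0]["Statement"] = {
        "IPSetReferenceStatement": {"ARN": PROXY_IPSET_ARN.replace("proxies", "anyone")}}
    cases = [("intact", SAMPLE_WEB_ACL), ("removed", removed),
             ("reprioritised", reprioritised), ("ipset_swapped", swapped)]
    return {name: evaluate_web_acl(acl, PROXY_IPSET_ARN)[0] for name, acl in cases}


def lambda_handler(event, context):
    """Periodic custom Config rule entry point (assumed parameter names)."""
    import boto3  # imported here so the evaluator above stays usable offline
    params = json.loads(event.get("ruleParameters", "{}"))
    invoking = json.loads(event["invokingEvent"])
    # A WebACL attached to CloudFront is CLOUDFRONT-scoped and lives in us-east-1.
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    web_acl = wafv2.get_web_acl(Name=params["WebAclName"], Scope="CLOUDFRONT",
                                Id=params["WebAclId"])["WebACL"]
    compliance, note = evaluate_web_acl(web_acl, params["ProxyIpSetArn"])
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": "AWS::WAFv2::WebACL",
            "ComplianceResourceId": web_acl["Id"],  # assumed to be the Config resource id
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": invoking["notificationCreationTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return {"compliance": compliance, "annotation": note}


if __name__ == "__main__":
    for name, result in demo_scenarios().items():
        print(f"{name:14s} {result}")
```

The priority check compares numbers rather than positions because WAF orders rules by the Priority field, not by their order in the array; a rule that keeps its array index but gets a higher priority number is still demoted. Wiring the NON_COMPLIANT result to an EventBridge rule on Config compliance changes gives the alert or automatic remediation the answer mentions.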