Skip to content

Commit

Permalink
add waf watchlist for pentest IP addresses
Browse files Browse the repository at this point in the history
  • Loading branch information
kenoir committed Nov 22, 2024
1 parent 330f78b commit e574b07
Showing 1 changed file with 45 additions and 9 deletions.
54 changes: 45 additions & 9 deletions cache/modules/wc_org_cloudfront/waf.tf
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,11 @@ locals {

ip_allowlist = setunion(var.waf_ip_allowlist, local.qualys_scanner_ips)

cidr_watchlist = [
"20.49.161.16/28",
"20.77.132.128/28"
]

// This is the complete list of Bot Control rules from
// https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html
//
Expand Down Expand Up @@ -106,9 +111,30 @@ resource "aws_wafv2_web_acl" "wc_org" {
}

rule {
name = "managed-ip-blocking"
name = "ip-watchlist"
priority = 1

action {
count {}
}

statement {
ip_set_reference_statement {
arn = aws_wafv2_ip_set.watchlist.arn
}
}

visibility_config {
cloudwatch_metrics_enabled = true
sampled_requests_enabled = true
metric_name = "weco-cloudfront-acl-watchlist-${var.namespace}"
}
}

rule {
name = "managed-ip-blocking"
priority = 2

override_action {
none {}
}
Expand All @@ -130,7 +156,7 @@ resource "aws_wafv2_web_acl" "wc_org" {

rule {
name = "blanket-rate-limiting"
priority = 2
priority = 3

action {
block {}
Expand All @@ -152,7 +178,7 @@ resource "aws_wafv2_web_acl" "wc_org" {

rule {
name = "restrictive-rate-limiting"
priority = 3
priority = 4

action {
block {}
Expand Down Expand Up @@ -190,7 +216,7 @@ resource "aws_wafv2_web_acl" "wc_org" {
// See: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs
rule {
name = "core-rule-group"
priority = 4
priority = 5

override_action {
none {}
Expand All @@ -213,7 +239,7 @@ resource "aws_wafv2_web_acl" "wc_org" {
// See: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html#aws-managed-rule-groups-use-case-sql-db
rule {
name = "sqli-rule-group"
priority = 5
priority = 6

override_action {
none {}
Expand All @@ -236,7 +262,7 @@ resource "aws_wafv2_web_acl" "wc_org" {
// See: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs
rule {
name = "known-bad-inputs-rule-group"
priority = 6
priority = 7

override_action {
none {}
Expand All @@ -258,7 +284,7 @@ resource "aws_wafv2_web_acl" "wc_org" {

rule {
name = "bot-control-rule-group"
priority = 7
priority = 8

// Because the Bot Control rules are quite aggressive, they block some useful bots
// such as Updown. While we could add overrides for specific bots, we don"t want to have to
Expand Down Expand Up @@ -304,7 +330,7 @@ resource "aws_wafv2_web_acl" "wc_org" {

rule {
name = "google-other-block"
priority = 8
priority = 9

action {
block {}
Expand All @@ -326,7 +352,7 @@ resource "aws_wafv2_web_acl" "wc_org" {

rule {
name = "geo-rate-limit"
priority = 9
priority = 10

action {
block {
Expand Down Expand Up @@ -391,3 +417,13 @@ resource "aws_wafv2_ip_set" "allowlist" {
# These need to be CIDR blocks rather than plain addresses
addresses = [for ip in local.ip_allowlist : "${ip}/32"]
}

resource "aws_wafv2_ip_set" "watchlist" {
name = "watchlist-${var.namespace}"
description = "IPs that we do not apply managed WAF rules to, but we want to monitor"

scope = "CLOUDFRONT"
ip_address_version = "IPV4"

addresses = local.cidr_watchlist
}

0 comments on commit e574b07

Please sign in to comment.