Tuning Your AWS WAF Configuration in Terraform

How to Implement Bot Control, Scope-down Statements, Allow US-only traffic, and/or Whitelist Exceptions to Rules Based on Whitelisted IPs or Header Information

By: Brandon Prasnicki | Senior Cloud Architect

AWS WAF is a Web Application Firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. In this article, I describe and show the AWS WAF configuration in Terraform for a few use cases that may come in handy for your implementation.

The first is bot control. Reducing bot traffic is rather simple when using WAF in AWS. There is a managed rule you can use and documentation on how to create exceptions to allow certain traffic. Sometimes implementing the rules with Terraform can be a little tricky; this article contains an example use case you can use to help with your implementation.

AWS describes the Bot Control feature in its documentation and has a separate reference page for the AWSManagedRulesBotControlRuleSet managed rule group.

Here are the steps on how the solutions were implemented.

First, adding the rule was as straightforward as any other managed rule addition, following the link below. (The Terraform is also included at the bottom of this article.)

With this enabled, we can quickly see bot traffic being rejected by navigating to:

AWS WAF Bot Control

And also:

AWS WAF Overview

And scrolling to the bottom of sampled requests and selecting the ManagedRulesBotControl block metric:

AWS WAF ManagedRulesBotControl Screenshot

Some of these blocks are false positives and may require whitelisting. For this, I have an IP set that I am using for known hosts and clients.

Known hosts and clients IP
AWS WAF IP sets

I added the IPs to the IP set and used this IP set in a whitelist rule for known hosts:

This whitelist IP set list was also used to whitelist IPs of non-US users to bypass the ‘Non US’ Geo Code Match Statement (DisallowNonUSTraffic seen in the Terraform below).

However, not all requests were coming from known server hosts. Some requests were coming from client machines’ Tableau Desktop applications where the IPs were not static or always known. For this, I created a scope-down statement to grab the header information and allow anything that starts with ‘Tableau Desktop’ for the user-agent.

Here is a screenshot of what this looks like in the console following this breadcrumb:

AWS WAF - Web ACLs - ManagedWAFv2 - AWSManagedRulesBotControlRuleSet

Then you can click Edit in this rule set to add a ‘NOT Scope-down statement’, which will appear like this:

NOT Scope-down statement

On the left you can see the blocked request with header information alongside the rule:

Blocked request with Header info

Here is the Terraform for the IP set for whitelisting:

Below is the entire Terraform for the web ACL.

Here you will see:

  1. The implementation of the out-of-the-box AWSManagedRulesKnownBadInputsRuleSet_rule, AWSManagedRulesAmazonIpReputationList and AWSManagedRulesWindowsRuleSet.
  2. The exception rule to allow any whitelisted IPs.
  3. Disallowing any non-US traffic (not already included in whitelisted IPs).
  4. The web ACL with the whitelisted IP set referenced along with the scope-down statement in the AWSManagedRulesBotControlRuleSet.
  5. The scope-down statement to allow the Tableau Desktop communication.
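The article's own Terraform is not reproduced on this page, so the following is an added example (not the author's code) that puts the pieces listed above together: the whitelist IP set, the exception rule that allows whitelisted IPs, the DisallowNonUSTraffic geo match rule, and the Bot Control managed rule group with a NOT scope-down statement on the User-Agent header for Tableau Desktop. The resource names, the region, the metric names and the CIDRs (RFC 5737 documentation ranges) are assumptions; substitute your own.

```hcl
# Added example for an AWS WAFv2 regional web ACL (e.g. in front of an ALB).
# Assumptions: us-east-1, AWS provider >= 4.0, placeholder names and CIDRs.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 4.0" }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# IP set for known server hosts and clients. The addresses are constructed
# placeholders from the RFC 5737 documentation ranges.
resource "aws_wafv2_ip_set" "whitelist" {
  name               = "known-hosts-and-clients"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.10/32", "198.51.100.0/24"]
}

resource "aws_wafv2_web_acl" "main" {
  name  = "example-web-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # Exception rule: whitelisted IPs are allowed outright. Allow is a terminating
  # action, so these requests never reach the geo or Bot Control rules below.
  rule {
    name     = "AllowWhitelistedIPs"
    priority = 0
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.whitelist.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AllowWhitelistedIPs"
      sampled_requests_enabled   = true
    }
  }

  # Block any request whose source country is not US. Whitelisted non-US users
  # were already allowed by the rule above, so they bypass this block.
  rule {
    name     = "DisallowNonUSTraffic"
    priority = 1
    action {
      block {}
    }
    statement {
      not_statement {
        statement {
          geo_match_statement {
            country_codes = ["US"]
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "DisallowNonUSTraffic"
      sampled_requests_enabled   = true
    }
  }

  # Bot Control managed rule group. The NOT scope-down statement means the rule
  # group only inspects requests whose User-Agent does NOT start with
  # "Tableau Desktop"; Tableau Desktop clients are skipped by Bot Control.
  rule {
    name     = "AWSManagedRulesBotControlRuleSet"
    priority = 2
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesBotControlRuleSet"
        vendor_name = "AWS"
        scope_down_statement {
          not_statement {
            statement {
              byte_match_statement {
                search_string         = "Tableau Desktop"
                positional_constraint = "STARTS_WITH"
                field_to_match {
                  single_header {
                    name = "user-agent" # header names must be lowercase here
                  }
                }
                text_transformation {
                  priority = 0
                  type     = "NONE"
                }
              }
            }
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesBotControlRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-web-acl"
    sampled_requests_enabled   = true
  }
}
```

Two points worth checking before you apply this. Rule priority is what makes the whitelist an exception: the allow rule must have a lower priority number than the geo and Bot Control rules, or the block will fire first. And a User-Agent scope-down is a convenience exception, not an authentication control: anything that sends a matching header is excluded from Bot Control inspection, so keep `sampled_requests_enabled` on and review the sampled requests for the `AWSManagedRulesBotControlRuleSet` metric periodically to confirm the exception is only absorbing the Tableau Desktop traffic you intended.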


These are just a few examples that can help manage your AWS WAF configuration in Terraform. The analysis of what rules to use and how to use match statements and scope-down statements might be the hardest part.

TekStream can advise and help you implement these features and of course, assist with your implementation project or even support you in a ‘Consulting as a Service’ manner. Reach out today to see how we can help!