Setup AWS WAF (Web Application Firewall)
- Go to the AWS WAF service, select "Web ACLs" on the left, and then click "Create web ACL".
- The first step is to choose the name and select the resource type. We'll create two ACLs: one for CloudFront with the global (CloudFront) scope, and one for API Gateway in the Canada region. The screenshot shows the example for the API Gateway ACL.
- Then we need to set some security rules. As a starting point, we'll select the following rules from the AWS managed rule groups:
- Amazon IP reputation list (AWS-AWSManagedRulesAmazonIpReputationList)
- Core rule set (AWS-AWSManagedRulesCommonRuleSet)
- Known bad inputs (AWS-AWSManagedRulesKnownBadInputsRuleSet)
- Linux operating system (AWS-AWSManagedRulesLinuxRuleSet)
- SQL database (AWS-AWSManagedRulesSQLiRuleSet)
- Leave the default web ACL action as "Allow".
- Then click "Next" until the ACL is created.
- Find our CloudFront distribution and click "Edit" in its settings.
- Choose the AWS WAF web ACL we created for CloudFront, then save the changes.
- In API Gateway, go to "Stages" and then "Settings" for our current version, and select the AWS WAF web ACL we created for API Gateway.
- We'll create a web ACL for Cognito with just the following three rules, because the other two would block access from outside Canada (blocking our team members' access):
- Amazon IP reputation list (AWS-AWSManagedRulesAmazonIpReputationList)
- Known bad inputs (AWS-AWSManagedRulesKnownBadInputsRuleSet)
- Linux operating system (AWS-AWSManagedRulesLinuxRuleSet)
- We can add the WAF to Cognito either from the Cognito console or from within WAF; the following shows an example of adding the WAF to Cognito from the WAF settings:
- Testing: it's hard to test this for CloudFront because of the cache, so we can only test the API Gateway. Temporarily change the default web ACL action from "Allow" to "Block", verify that the API web page is no longer accessible and the API call no longer works, then switch the default action back to "Allow".
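The same API Gateway web ACL written with the Terraform AWS provider, as an added example (not the project's own code and not from the original page); the names `fam-api-gateway-acl` and `aws_api_gateway_stage.fam` are assumed placeholders. The CloudFront ACL differs only in `scope = "CLOUDFRONT"` (it must be created in us-east-1) and is attached through the distribution's `web_acl_id` rather than an association resource.

```hcl
# Added example, not the project's own; fam-api-gateway-acl and aws_api_gateway_stage.fam are assumed names.
locals {
  api_rule_groups = [
    "AWSManagedRulesAmazonIpReputationList",
    "AWSManagedRulesCommonRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesLinuxRuleSet",
    "AWSManagedRulesSQLiRuleSet",
  ]
}
resource "aws_wafv2_web_acl" "api" {
  name  = "fam-api-gateway-acl"
  scope = "REGIONAL" # CloudFront ACL: scope = "CLOUDFRONT", created in us-east-1
  # Default action stays allow; switch to block {} only for the verification step.
  default_action {
    allow {}
  }
  # One rule per managed rule group; priority is the position in the list.
  dynamic "rule" {
    for_each = { for i, g in local.api_rule_groups : g => i }
    content {
      name     = "AWS-${rule.key}"
      priority = rule.value
      override_action {
        none {} # keep the rule group's own block/count actions
      }
      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = "AWS"
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "AWS-${rule.key}"
        sampled_requests_enabled   = true
      }
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "fam-api-gateway-acl"
    sampled_requests_enabled   = true
  }
}
# Attach to the API Gateway stage; a Cognito user pool is attached the same way using its ARN.
resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = aws_api_gateway_stage.fam.arn
  web_acl_arn  = aws_wafv2_web_acl.api.arn
}
```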