AWS WAF ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚ªãƒ¼ãƒˆãƒ¡ãƒ¼ã‚·ãƒ§ãƒ³ã‚½ãƒªãƒ¥ãƒ¼ã‚·ãƒ§ãƒ³2.2.0

AWS WAF ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚ªãƒ¼ãƒˆãƒ¡ãƒ¼ã‚·ãƒ§ãƒ³ã‚½ãƒªãƒ¥ãƒ¼ã‚·ãƒ§ãƒ³ã¨ã„ã†ç°¡å˜ã«AWS WAFã‚’å°Žå…¥ã§ãã‚‹CloudFormationãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆãŒã‚ã‚Šã¾ã™ãŒã€æ°—ãŒã¤ã„ãŸã‚‰ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚¢ãƒƒãƒ—ã—ã¦ã¾ã—ãŸã€‚

èª¿ã¹ã¦ã¿ã‚‹ã¨ã€ç¢ºã‹ã«æ—¥æœ¬èªžã§ã‚‚æƒ…å ±ã§ã¦ã„ã¾ã™ãã€‚
AWS WAF ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚ªãƒ¼ãƒˆãƒ¡ãƒ¼ã‚·ãƒ§ãƒ³ã‚½ãƒªãƒ¥ãƒ¼ã‚·ãƒ§ãƒ³ã«ãƒ¢ãƒ‹ã‚¿ãƒªãƒ³ã‚°ãƒ€ãƒƒã‚·ãƒ¥ãƒœãƒ¼ãƒ‰ãŒå°Žå…¥ã•ã‚Œã¾ã—ãŸ

2019å¹´1æœˆ29æ—¥ç¾åœ¨ã§ã€ãƒãƒ¼ã‚¸ãƒ§ãƒ³2.2.0ã®ç’°å¢ƒãŒä½œæˆã•ã‚Œã¾ã™ã€‚
GitHubã‚’è¦‹ã‚‹ã¨ã€ã‚„ã¯ã‚Š2018å¹´12æœˆæœ«ã«2.2.0ã«ãªã£ãŸã“ã¨ãŒç¢ºèªã§ãã¾ã™ã€‚
https://github.com/awslabs/aws-waf-security-automations

ä»¥ä¸‹ã§å¾“æ¥ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã¨ã®é•ã„ã‚’ã¿ã¦ã„ãã¾ã™ã€‚

ãƒ¢ãƒ‹ã‚¿ãƒªãƒ³ã‚°ãƒ€ãƒƒã‚·ãƒ¥ãƒœãƒ¼ãƒ‰ã®è¿½åŠ

æ—¥æœ¬èªžæƒ…å ±ã«ã‚ã‚‹é€šã‚Šãªã‚“ã§ã™ãŒã€CloudWatchã«ãƒ€ãƒƒã‚·ãƒ¥ãƒœãƒ¼ãƒ‰ãŒè¿½åŠ ã•ã‚Œã¾ã—ãŸã€‚
BlockRequestsã¨AllowedRequestsãŒç¢ºèªã§ãã¾ã™ã€‚
ï¼ˆä¸Šè¨˜ç”»åƒã¯å®Ÿéš›ã«ã¾ã ã‚¢ã‚¯ã‚»ã‚¹ãŒç„¡ã„ã®ã§ã‚«ã‚¦ãƒ³ãƒˆã•ã‚Œã¦ã„ã¾ã›ã‚“ã€‚ï¼‰

ALBç”¨ã¨CloudFrontç”¨ã®ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆãŒ1ã¤ã«çµ±åˆ

ä»¥å‰ã¯CloudFrontç”¨ã¨ALBç”¨ã§CloudFormationãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆãŒåˆ†ã‹ã‚Œã¦ã„ãŸã®ã§ã™ãŒã€1ã¤ã«ãªã‚Šã¾ã—ãŸã€‚
ã“ã‚Œã‚’ä½¿ãˆã°OKã§ã™ã€‚
https://s3.amazonaws.com/solutions-reference/aws-waf-security-automations/latest/aws-waf-security-automations.template

ã¨ã¯ã„ãˆã€å®Ÿéš›ã«è©¦ã—ã¦ã¿ã‚‹ã¨ã€å†…éƒ¨çš„ã«ã¯CloudFormationã®ãƒã‚¹ãƒˆæ©Ÿèƒ½ã§ã€2ã¤ã®ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆã‚’1ã¤ã«ã¾ã¨ã‚ã¦ã„ã‚‹ã‚ˆã†ã§ã™ã€‚

AlbStackã¨CloudFrontStackãŒã‚ã‚Šã€åˆ¥ã®ã¨ã“ã‚ã‹ã‚‰ãƒ•ã‚¡ã‚¤ãƒ«ã‚’å–ã£ã¦ãã‚‹ä»•æ§˜ã«ãªã£ã¦ã¾ã—ãŸã€‚

Resources:
  AlbStack:
    Type: 'AWS::CloudFormation::Stack'
    Condition: AlbEndpoint
    Properties:
      TemplateURL: !Join
        - '/'
        - - 'https://s3.amazonaws.com'
          - !Join ["-", [!FindInMap ["SourceCode", "General", "S3Bucket"], !Ref 'AWS::Region']]
          - !FindInMap ["SourceCode", "General", "KeyPrefix"]
          - 'aws-waf-security-automations-alb.template'
      Parameters:
        SqlInjectionProtectionParam: !Ref SqlInjectionProtectionParam
        CrossSiteScriptingProtectionParam: !Ref CrossSiteScriptingProtectionParam
        ActivateHttpFloodProtectionParam: !Ref ActivateHttpFloodProtectionParam
        ActivateScannersProbesProtectionParam: !Ref ActivateScannersProbesProtectionParam
        ActivateReputationListsProtectionParam: !Ref ActivateReputationListsProtectionParam
        ActivateBadBotProtectionParam: !Ref ActivateBadBotProtectionParam
        AccessLogBucket: !Ref AccessLogBucket
        WafApiType: 'waf-regional'
        WafArnPrefix: !Join ['', ['arn:aws:waf-regional:', !Ref 'AWS::Region',':']]
        ParentStackName: !Ref 'AWS::StackName'

  CloudFrontStack:
    Type: 'AWS::CloudFormation::Stack'
    Condition: CloudFrontEndpoint
    Properties:
      TemplateURL: !Join
        - '/'
        - - 'https://s3.amazonaws.com'
          - !Join ["-", [!FindInMap ["SourceCode", "General", "S3Bucket"], !Ref 'AWS::Region']]
          - !FindInMap ["SourceCode", "General", "KeyPrefix"]
          - 'aws-waf-security-automations-cloudfront.template'
      Parameters:
        SqlInjectionProtectionParam: !Ref SqlInjectionProtectionParam
        CrossSiteScriptingProtectionParam: !Ref CrossSiteScriptingProtectionParam
        ActivateHttpFloodProtectionParam: !Ref ActivateHttpFloodProtectionParam
        ActivateScannersProbesProtectionParam: !Ref ActivateScannersProbesProtectionParam
        ActivateReputationListsProtectionParam: !Ref ActivateReputationListsProtectionParam
        ActivateBadBotProtectionParam: !Ref ActivateBadBotProtectionParam
        AccessLogBucket: !Ref AccessLogBucket
        WafApiType: 'waf'
        WafArnPrefix: 'arn:aws:waf::'
        ParentStackName: !Ref 'AWS::StackName'

è¨å®šç”»é¢

Endpoint Type ã ã‘è¿½åŠ ã§ã™ãã€‚
CloudFrontã‹ALBãŒé¸æŠžã§ãã¾ã™ã€‚
ï¼ˆALBã‚’é¸æŠžã™ã‚Œã°API Gatewayã§ã‚‚å‹•ã‹ã›ã‚‹ã¨æ€ã„ã¾ã™ãŒã€ã¾ã è©¦ã—ã¦ã„ãªã„ã§ã™ã€‚ï¼‰

WebACLã®ä¸èº«

v2.1	v2.2.0
Whitelist Rule	Whitelist Rule
Blacklist Rule	Blacklist Rule
Http Flood Rule	Http Flood Rule
Scans Probes Rule	Scanners & Probes Rule
WAF IP Reputation Lists Rule #1	WAF IP Reputation Lists Rule
WAF IP Reputation Lists Rule #2
Bad Bot Rule	Bad Bot Rule
SQL Injection Rule	SQL Injection Rule
XSS Rule	XSS Rule

å…¨ä½“çš„ã«ãƒªã‚½ãƒ¼ã‚¹åã«ãƒ©ãƒ³ãƒ€ãƒ å€¤ãŒã¤ãã‚ˆã†ã«ãªã£ã¦ã—ã¾ã£ãŸã®ã§ã™ãŒã€ãã‚Œã‚’é™¤å¤–ã—ãŸãƒ«ãƒ¼ãƒ«åã‚’ä¸Šè¨˜ã«è¨˜è¼‰ã—ã¾ã—ãŸã€‚
v2.1ã§ã¯9ã¤ã‚ã£ãŸãƒ«ãƒ¼ãƒ«ãŒã€v2.2.0ã§ã¯8ã¤ã«ãªã‚Šã¾ã—ãŸã€‚
ä¸€ã¤ã®WebACLã«ã¯10ã®ãƒ«ãƒ¼ãƒ«ã—ã‹ã¤ã‘ã‚‰ã‚Œãªã„ã¨ã„ã†åˆ¶é™ãŒã‚ã‚‹ã®ã§ã€ãƒ¦ãƒ¼ã‚¶ãƒ¼ç‹¬è‡ªã®ãƒ«ãƒ¼ãƒ«ã‚„ãƒžãƒãƒ¼ã‚¸ãƒ¡ãƒ³ãƒˆãƒ«ãƒ¼ãƒ«ã‚’è¿½åŠ ã—ã‚„ã™ã„ã‚ˆã†ã«å°‘ã—ä½™è£•ã‚’æŒãŸã›ãŸã®ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚

ãã®ä»–ã¯åŸºæœ¬çš„ã«ã¯å¤‰ã‚ã£ã¦ã„ã¾ã›ã‚“ã§ã—ãŸã€‚
ï¼ˆã‚‚ã—ã‹ã—ãŸã‚‰Lambda Functionã®ä¸èº«ãªã©ã¯å¤‰ã‚ã£ã¦ã„ã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚ï¼‰

ã¾ã¨ã‚

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚ªãƒ¼ãƒˆãƒ¡ãƒ¼ã‚·ãƒ§ãƒ³ ã®ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆã¯ã€æ›´æ–°ã•ã‚Œãªã„ã¨æ€ã£ã¦ã„ãŸã®ã§ã™ãŒã€æ™‚ã€…æ›´æ–°ã•ã‚Œã‚‹ã‚ˆã†ã§ã™ã€‚

ãƒ¢ãƒ‹ã‚¿ãƒªãƒ³ã‚°ãƒ€ãƒƒã‚·ãƒ¥ãƒœãƒ¼ãƒ‰ã®è¿½åŠ

ALBç”¨ã¨CloudFrontç”¨ã®ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆãŒ1ã¤ã«çµ±åˆ

è¨å®šç”»é¢

WebACLã®ä¸èº«

ã¾ã¨ã‚

ã€AWS re:Invent 2024ã€‘EXPOã§æ°—ã«ãªã£ãŸãƒ–ãƒ¼ã‚¹ç´¹ä»‹ã€ŒMiroã§AWSã‚¯ãƒ©ã‚¦ãƒ‰ç§»è¡Œã‚’åŠ é€Ÿã•ã›ã‚‹ã€

Amazon Connect ã®IVRéŒ²éŸ³ãƒ‡ãƒ¼ã‚¿ãŒæ‰±ã„ã‚„ã™ããªã‚Šã¾ã—ãŸ

Amazon ElastiCache for Redis OSS ã‹ã‚‰ElastiCache for Valkeyã¸ç§»è¡Œã—ã¦ã¿ãŸ(CloudFormation)

ã€AWS re:Invent 2024ã€‘ã‚·ã‚¹ãƒ†ãƒ å›žå¾©åŠ›ã¸ã®ç©æ¥µçš„ãªã‚¢ãƒ—ãƒãƒ¼ãƒã¨ã—ã¦ã®ã‚«ã‚ªã‚¹ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãƒªãƒ³ã‚°

ã€ãƒã‚¿ã€‘re:Invent ã®ç¾åœ°ã§ä½¿ãˆã‚‹ã¨æ€ã£ã¦ã‚»ãƒƒã‚·ãƒ§ãƒ³å†…å®¹ã‚’éŒ²éŸ³ã—ã¦ãƒˆãƒ©ãƒ³ã‚¹ã‚¯ãƒ©ã‚¤ãƒ–ã™ã‚‹è¡“ã‚’ç”¨æ„ã—ãŸ

ãƒ¢ãƒ‹ã‚¿ãƒªãƒ³ã‚°ãƒ€ãƒƒã‚·ãƒ¥ãƒœãƒ¼ãƒ‰ã®è¿½åŠ

ALBç”¨ã¨CloudFrontç”¨ã®ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆãŒ1ã¤ã«çµ±åˆ

è¨­å®šç”»é¢

WebACLã®ä¸­èº«

ã¾ã¨ã‚

ãƒ¢ãƒ‹ã‚¿ãƒªãƒ³ã‚°ãƒ€ãƒƒã‚·ãƒ¥ãƒœãƒ¼ãƒ‰ã®è¿½åŠ

ALBç”¨ã¨CloudFrontç”¨ã®ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆãŒ1ã¤ã«çµ±åˆ

è¨å®šç”»é¢

WebACLã®ä¸èº«

ã¾ã¨ã‚