JP Silvashy

Reputation: 48485

Allowing traffic to a certain path in AWS WAF

The way that AWS WAF works seems to be very unclear. At the moment, I'm trying to allow all traffic to a certain path.

Let's say everything to /admin should be allowed and not go through the XSS or SQL filters that I've added from the "common attacks" to my setup via their official guide: https://docs.aws.amazon.com/waf/latest/developerguide/tutorials-common-attacks.html

But the UI and docs make it really unclear how to do this. Any help or resources would be very useful.

Upvotes: 2

Views: 8954

Answers (3)

KumoNoMae

Reputation: 31

Is /admin part of the URL? If so, can you write a simple string-match rule on URL to whitelist it?

FYI, rules are triggered based on the order you put them in, so the whitelist rules need to be at the top.

Upvotes: 3

krishnamoorthy R

Reputation: 52

# waf using rate-based rule

resource "aws_wafv2_web_acl" "example" {
  name        = "example"
  description = "Example of a regional rate based statement."
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "LoginRateLimit"
    priority = 0

    # count {} only records matches in metrics and sampled requests;
    # change it to block {} to actually enforce the limit.
    action {
      count {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Metric-Limit"
      sampled_requests_enabled   = true
    }

    statement {
      # more than 500 requests from one source IP in the (default 5-minute) window ...
      rate_based_statement {
        limit              = 500
        aggregate_key_type = "IP"

        # ... counted only for requests whose path contains "login"
        scope_down_statement {
          byte_match_statement {
            field_to_match {
              uri_path {}
            }

            positional_constraint = "CONTAINS"
            search_string         = "login"
            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "any-name"
    sampled_requests_enabled   = true
  }
}

Upvotes: 2
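Putting the two answers above together for the question as asked (a string-match rule on the URI path, placed first): the following is an added example, not code from either answer, showing an AWS WAFv2 web ACL in Terraform whose priority-0 rule allows requests with a path starting with /admin, so they never reach the XSS/SQLi rules added at higher priority numbers. The resource and metric names and the REGIONAL scope are assumptions.

```hcl
# Added example (not from the original answers). Names and scope are assumed.
resource "aws_wafv2_web_acl" "site" {
  name  = "site-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # Priority 0 is evaluated first. allow {} is a terminating action, so a
  # request matching this rule skips every rule with a higher priority
  # number (put the XSS/SQLi rules from the tutorial at priority 1 and up).
  rule {
    name     = "AllowAdminPath"
    priority = 0

    action {
      allow {}
    }

    statement {
      byte_match_statement {
        positional_constraint = "STARTS_WITH"
        search_string         = "/admin"

        field_to_match {
          uri_path {}
        }

        # Decode first so an encoded path such as /%61dmin is compared as /admin.
        text_transformation {
          priority = 0
          type     = "URL_DECODE"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AllowAdminPath"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "site-acl"
    sampled_requests_enabled   = true
  }
}
```

Because the allow is terminating, nothing in the ACL inspects /admin requests afterwards; the sampled requests on the AllowAdminPath metric are the place to confirm only the intended paths are matching, and the path itself still needs its own authentication or IP restriction.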

Ashan

Reputation: 19728

You can filter and add different rules to different paths using String Match Conditions.

Configure it to filter on part of the URI (URL that identifies a resource).

Upvotes: 1
