Reputation: 5280
I am trying to configure a WAF with my API Gateway and I am surprised AWS is not offering templates of rules (such as the OWASP Top 10).
For SQL injections, for example, everybody uses the same rules, am I wrong?
Do you know a way to import the main security rules without having to configure them manually?
Upvotes: 3
Views: 654
Reputation: 4421
The OWASP Top 10 template is available; the rest of it you need to create.
The template is available at: https://s3.us-east-2.amazonaws.com/awswaf-owasp/owasp_10_base.yml
Upvotes: 0
Reputation: 6649
As far as I know there is a marketplace offering called Managed rules for AWS Web Application Firewall [1] which does exactly what you ask for. There are 3rd party sellers (more precisely: AWS partner companies) which offer rules for the OWASP Top 10. [2]
The offering has existed since November 2017. [3]
More information about the scope of existing rules is given in a newer blog post from 2018. [4]
The corresponding implementation in the WAF service is called AWS Marketplace Rule Groups in the docs. [5]
[1] https://aws.amazon.com/marketplace/solutions/security/waf-managed-rules
[2] https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=owasp
[3] https://aws.amazon.com/about-aws/whats-new/2017/11/ready-to-use-managed-rules-now-available-on-aws-waf/?nc1=h_ls
[4] https://aws.amazon.com/about-aws/whats-new/2018/02/new-products-for-managed-rules-on-aws-waf/?nc1=h_ls
[5] https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups.html
Upvotes: 2