Is rule for AWS WAF ACL mandatory? - amazon-ec2

I am new to AWS, working on AWS WAF and creating ACLs. Under this, you have to write custom conditions and rules, and associate them with a Load Balancer.
So your incoming traffic will be handled by your ACL rules.
But if I don't want to make any conditions and rules, I just make an empty rule and assign it to the ACL. So the ACL cannot handle its default condition check itself?
Microsoft Azure Application Gateway has built-in rules; you don't have to write any condition for basic attacks. So is there any such feature available in AWS WAF?
Is it mandatory to write the rules for an ACL? Does an ACL not handle some basic attacks itself?

You can create an empty WebACL and associate it, but it won't do anything.
AWS WAF has built-in conditions for detecting SQL injection and cross-site scripting. Creating this condition and assigning it to a rule takes only a minute.
The string/regex match condition is also simple to use (if you are looking to block a specific traffic pattern). Just add the strings and specify the field you want WAF to look at.
The IP match condition is self-explanatory: just block the IPs that you don't want.
There are some prepackaged rules that you can buy from the AWS Marketplace, but they can be costly.
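To make the answer concrete, here is an added example (not the answerer's code) that assembles the four conditions mentioned above into one WAFv2 WebACL request for an ALB: an IP set block, SQLi and XSS match statements, and a regex pattern set on the User-Agent header. The ACL name, the two set ARNs and the ALB ARN are placeholders; the IP set and regex pattern set are assumed to have been created beforehand. The `check_request` helper catches the two mistakes that bite first-time users: duplicate priorities and an ACL that has no rules at all, which the API accepts but which allows everything.

```python
"""Build an AWS WAFv2 WebACL request with IP, SQLi, XSS and regex conditions.

Added example; the ARNs and names below are placeholders, not resources from
the original post. The IP set and regex pattern set are assumed to exist
(created with wafv2.create_ip_set / wafv2.create_regex_pattern_set).
"""
from __future__ import annotations

from typing import Any, Dict, List

BLOCKED_IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocked/EXAMPLE"
SCANNER_PATTERNS_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/regexpatternset/scanners/EXAMPLE"
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example/EXAMPLE"


def visibility(metric_name: str) -> Dict[str, Any]:
    """Every rule and the ACL itself need a VisibilityConfig or the API rejects the call."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}


def blocking_rule(name: str, priority: int, statement: Dict[str, Any]) -> Dict[str, Any]:
    """A rule that blocks whatever its statement matches."""
    return {"Name": name, "Priority": priority, "Statement": statement,
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}


def build_web_acl_request(name: str) -> Dict[str, Any]:
    """Keyword arguments for wafv2.create_web_acl (Scope=REGIONAL is what an ALB needs)."""
    url_decode = [{"Priority": 0, "Type": "URL_DECODE"}]
    rules = [
        # IP match condition: addresses in the set are dropped before anything else runs.
        blocking_rule("block-listed-ips", 0, {"IPSetReferenceStatement": {"ARN": BLOCKED_IP_SET_ARN}}),
        # Built-in SQL injection detection on the query string and on the body.
        blocking_rule("block-sqli-query", 10, {"SqliMatchStatement": {
            "FieldToMatch": {"QueryString": {}}, "TextTransformations": url_decode}}),
        blocking_rule("block-sqli-body", 11, {"SqliMatchStatement": {
            "FieldToMatch": {"Body": {}}, "TextTransformations": url_decode}}),
        # Built-in cross-site scripting detection; decode entities first so &lt;script&gt; is seen.
        blocking_rule("block-xss-query", 20, {"XssMatchStatement": {
            "FieldToMatch": {"QueryString": {}},
            "TextTransformations": [{"Priority": 0, "Type": "HTML_ENTITY_DECODE"}]}}),
        # Regex match condition: scanner signatures in the User-Agent header.
        blocking_rule("block-scanner-agents", 30, {"RegexPatternSetReferenceStatement": {
            "ARN": SCANNER_PATTERNS_ARN,
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}),
    ]
    return {
        "Name": name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},  # with an empty Rules list this is all the ACL does
        "Rules": rules,
        "VisibilityConfig": visibility(name),
    }


def check_request(req: Dict[str, Any]) -> List[str]:
    """Pre-flight checks for mistakes the API would otherwise reject, or silently accept."""
    problems: List[str] = []
    priorities = [r["Priority"] for r in req["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("rule priorities must be unique")
    if not req["Rules"]:
        problems.append("ACL has no rules: it will allow everything")
    for r in req["Rules"]:
        if "Action" not in r and "OverrideAction" not in r:
            problems.append(f"{r['Name']}: missing Action")
    return problems


if __name__ == "__main__":
    import boto3  # needs credentials; not exercised offline

    request = build_web_acl_request("edge-acl")
    assert not check_request(request), check_request(request)
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    acl = wafv2.create_web_acl(**request)["Summary"]
    # The ACL inspects nothing until it is associated with the load balancer.
    wafv2.associate_web_acl(WebACLArn=acl["ARN"], ResourceArn=ALB_ARN)
```

Priorities are evaluated lowest first, so the cheap IP set check sits at 0 and the body inspection (which costs more per request) after it. Run the script as-is to create and attach the ACL; `check_request` is worth keeping in any deployment pipeline, since an ACL whose `Rules` list ends up empty is exactly the "empty rule" case from the question and passes the API without complaint.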

Related

Why does the get-reserved-instances-exchange-quote API receive a list of TargetConfigurations?

The exchange API from AWS EC2 receives an array of TargetConfiguration, as described in the official documentation: API_GetReservedInstancesExchangeQuote.
However, the purpose of this is not clear, because the criteria and rules for applying an exchange only make sense for a single TargetConfiguration. There is no explicit mention of the API being able to process multiple targets, but there is also no explicit text stating that this is an invalid setting.
Can someone give a sample and the expected behavior in case multiple targets are supported?
Otherwise, can someone provide a sample of the error if we try to use multiple targets?
I'm using Python and boto3, but this question applies to all languages.

dynamic ec2 resourcing in declarative cloud formation/terraform

We are moving our infrastructure to CloudFormation since it's much easier to describe the infrastructure in a nice manner. This works fantastically well for things like security groups, routing, VPCs, and transit gateways.
However, we have two issues which we are struggling with and which I don't think fit the declarative, infrastructure-as-code paradigm that things like Terraform and CloudFormation follow.
(1) We have a business requirement where we run a scheduled batch at specific times in the day. These are very computationally intensive. To save costs, we run these on an EC2 instance which is brought up at that time, then torn down when the batch is finished. However, this seems to require a temporary change to the Terraform/CF files, then a change back. Is there a more native way of doing this?
(2) We dynamically store, and allow clients to edit, their firewalling rules on their load balancer (ALB). This information cannot be stored in the Terraform/CF files since it can be changed by clients on demand.
Is there a way of properly doing these things in CF/Terraform?
(1) If you have to use EC2, you could create a Lambda that starts your EC2 instances. Then create a CloudWatch Events rule that triggers the Lambda at your specified date/time. For more details see https://aws.amazon.com/premiumsupport/knowledge-center/start-stop-lambda-cloudwatch/. Once the job is done, have your EC2 instance shut itself down using the AWS SDK or AWS CLI.
Alternatively, you could use AWS Lambda to run your batch job. You only get charged when the Lambda runs. Likewise, create a CloudWatch Events rule that schedules the Lambda.
(2) You could store the firewall rules in your own DB and modify the actual ALB SG rules using the AWS SDK. I don't think it's a good idea to store these things in Terraform/CF. IMHO Terraform/CF are great for declaring infrastructure but won't be a good solution for resources that are dynamically changing, especially by third parties like your clients.
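An added example covering both parts of this answer (it is not the answerer's code): a Lambda handler that starts the stopped instances tagged for the batch, and a reconciler that diffs the rules held in your own store against the ALB's security group and applies only the difference. The tag name, the "tcp 80/443 only" policy and the fake store rows are assumptions. The boto3 client is passed in as a parameter so the diff and validation logic can be exercised without credentials; since the rules come from clients, `validate_rules` refuses input that would open more than the ALB listeners or a wide-open CIDR before anything reaches the API.

```python
"""Scheduled EC2 batch start and client-managed ALB security-group reconciliation.

Added example, not the answerer's code. Assumptions: batch instances carry the
tag Role=batch; desired rules come from your own store (plain dicts here); only
tcp 80/443 may be opened on the ALB group. The EC2 client is injected.
"""
from __future__ import annotations

import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# (1) bring batch instances up on a CloudWatch Events schedule -----------------

def batch_instance_ids(ec2, role_tag: str = "batch") -> List[str]:
    """IDs of stopped instances tagged Role=<role_tag>."""
    resp = ec2.describe_instances(Filters=[
        {"Name": "tag:Role", "Values": [role_tag]},
        {"Name": "instance-state-name", "Values": ["stopped"]},
    ])
    return [i["InstanceId"] for r in resp["Reservations"] for i in r["Instances"]]


def lambda_handler(event, context):
    """Entry point for the schedule rule, e.g. cron(0 2 * * ? *)."""
    import boto3  # only at runtime inside Lambda
    ec2 = boto3.client("ec2")
    ids = batch_instance_ids(ec2)
    if ids:
        ec2.start_instances(InstanceIds=ids)
    return {"started": ids}


# (2) reconcile the ALB security group from an external store -----------------

Rule = Tuple[str, int, int, str]  # (protocol, from_port, to_port, cidr)
ALLOWED_PORTS = {80, 443}


def rules_from_store(rows: Iterable[Dict[str, str]]) -> Set[Rule]:
    """Normalise client rows from your DB into comparable tuples."""
    return {(r["proto"], int(r["from_port"]), int(r["to_port"]), r["cidr"]) for r in rows}


def validate_rules(rules: Set[Rule]) -> List[str]:
    """Reject client input that opens more than the ALB listeners or is too broad."""
    problems: List[str] = []
    for proto, f, t, cidr in sorted(rules):
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"bad CIDR {cidr}")
            continue
        if proto != "tcp" or f != t or f not in ALLOWED_PORTS:
            problems.append(f"only tcp 80/443 may be opened, got {proto} {f}-{t}")
        if net.prefixlen < 8:
            problems.append(f"{cidr} is too broad")
    return problems


def rules_from_sg(ec2, sg_id: str) -> Set[Rule]:
    """Current inbound rules of the group, one tuple per CIDR range."""
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    current: Set[Rule] = set()
    for perm in sg["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            current.add((perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1), rng["CidrIp"]))
    return current


def plan_changes(current: Set[Rule], desired: Set[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """Rules to authorise and rules to revoke so the group matches the store."""
    return desired - current, current - desired


def to_permissions(rules: Iterable[Rule]) -> List[Dict]:
    return [{"IpProtocol": p, "FromPort": f, "ToPort": t, "IpRanges": [{"CidrIp": c}]}
            for p, f, t, c in sorted(rules)]


def sync_security_group(ec2, sg_id: str, desired: Set[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """Apply the diff; authorising before revoking avoids a window with no access."""
    problems = validate_rules(desired)
    if problems:
        raise ValueError("; ".join(problems))
    to_add, to_remove = plan_changes(rules_from_sg(ec2, sg_id), desired)
    if to_add:
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=to_permissions(to_add))
    if to_remove:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=to_permissions(to_remove))
    return to_add, to_remove


if __name__ == "__main__":
    import boto3
    desired = rules_from_store([{"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "198.51.100.0/24"}])
    print(sync_security_group(boto3.client("ec2"), "sg-0123456789abcdef0", desired))
```

The reconciler is idempotent, so it can run from a Lambda behind an API your clients call, or on a schedule, and repeated runs make no changes once the group matches the store. For the instance-side shutdown the answer mentions, the batch job's last step can simply call `shutdown -h now`; with the default InstanceInitiatedShutdownBehavior of `stop` the instance returns to the stopped state that `batch_instance_ids` selects on the next run.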

https calls from multiple lambda functions

I am learning AWS lambda and have a basic question regarding architecture with respect to managing https calls from multiple lambda functions to a single external service.
The external service will only process 3 requests per second from any IP address. Since I have multiple asynchronous lambdas I cannot be sure I will be below this threshold. I also don't know what IPs my lambdas use or even if they are the same or not.
How should this be managed?
I was thinking of using an SQS FIFO queue, but I would need to set up a bidirectional system to get the call responses back to the appropriate Lambda. I think there must be a simple solution to this, but I'm just not familiar enough yet.
What would you experts suggest?
If I am understanding your question correctly, then:
You can create an API endpoint by building an API Gateway with Lambda integrations (preferably Lambda proxy integration) and then use the throttling option to decide the throughput. This can be done in different ways (see the AWS docs): account level, method level, etc.
You can perform some load testing using Gatling or any other tool and then generate a report which can show, for example, that even if you have 6 tps on your site, you can throttle at the method level and see that the external service is hit at only 3 tps.
It depends on your architecture how you want to throttle; I had done it at the method level to protect an external service at 8 tps.
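To show what the method-level throttle in this answer actually does to the traffic, here is an added example (not the answerer's code). API Gateway throttling is a token bucket: `rateLimit` tokens are added per second and `burstLimit` is the bucket size. The simulation drives six evenly spaced callers per second through a bucket of rate 3 and burst 3, which is the "6 tps in, 3 tps out" case from the answer, and `method_throttle_patch_ops` builds the `update_stage` patch operations that set those limits on one method (the `/` in the resource path is escaped as `~1`, the JSON-pointer escaping the stage patch paths use). The resource path and stage name are placeholders.

```python
"""Token-bucket model of API Gateway method throttling, plus the update_stage patch.

Added example, not the answerer's code. The resource path, stage and API id are
placeholders. Time is kept as Fractions so the simulation is exact.
"""
from __future__ import annotations

from fractions import Fraction
from typing import Dict, List


class TokenBucket:
    """Allow a request if a token is available; tokens refill at `rate` per second."""

    def __init__(self, rate: int, burst: int):
        self.rate = Fraction(rate)        # rateLimit
        self.capacity = Fraction(burst)   # burstLimit
        self.tokens = Fraction(burst)     # bucket starts full
        self.last = Fraction(0)

    def allow(self, now: Fraction) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # API Gateway answers 429 Too Many Requests here


def simulate(arrivals_per_second: int, seconds: int, rate: int, burst: int) -> List[int]:
    """Requests that reach the backend in each second, callers firing evenly spaced."""
    bucket = TokenBucket(rate, burst)
    passed = []
    for s in range(seconds):
        ok = 0
        for k in range(arrivals_per_second):
            if bucket.allow(s + Fraction(k, arrivals_per_second)):
                ok += 1
        passed.append(ok)
    return passed


def method_throttle_patch_ops(resource_path: str, method: str, rate: int, burst: int) -> List[Dict[str, str]]:
    """patchOperations for apigateway.update_stage on one method's throttling settings."""
    key = resource_path.replace("~", "~0").replace("/", "~1")  # JSON-pointer escaping
    base = f"/{key}/{method}/throttling"
    return [
        {"op": "replace", "path": f"{base}/rateLimit", "value": str(rate)},
        {"op": "replace", "path": f"{base}/burstLimit", "value": str(burst)},
    ]


if __name__ == "__main__":
    print(simulate(6, 5, 3, 3))  # first second spends the burst, then 3/s
    import boto3
    apigw = boto3.client("apigateway")
    apigw.update_stage(restApiId="abc123def4", stageName="prod",
                       patchOperations=method_throttle_patch_ops("/external", "POST", 3, 3))
```

Two caveats worth keeping in mind with this design. The first second lets more than three requests through because the bucket starts full, so set `burstLimit` no higher than the external service tolerates. And the throttle only protects the service if every Lambda goes through the gateway; since the limit is per source IP, running the Lambdas in a VPC behind a single NAT gateway makes that IP known, while Lambdas outside a VPC egress from addresses you do not control.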

HAProxy - routing to backend IP based on URL /path?

I'm trying to use HAProxy as a dynamic proxy for backend hosts based on partial /path regex match. The use case is routing from an HTTPS frontend to a large number of nodes that come and go frequently, without maintaining an explicit mapping of /path to server hostnames.
Specifically in this case the nodes are members of an Amazon EMR cluster, and I'd like to reverse-proxy/rewrite HTTP requests like:
<haproxy>/emr/ip-99-88-77-66:4040 -> 99.88.77.66:4040
<haproxy>/emr/ip-55-44-33-22/ganglia -> 55.44.33.22/ganglia
<haproxy>/emr/ip-11-11-11-11:8088/cluster/nodes -> 11.11.11.11:8088/cluster/nodes
...etc
dynamically.
That is, parse the path beginning at /emr and proxy requests to the IP captured by the regex:
emr\/ip-(\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3})(.*)
Is this possible with HAProxy? I know it's probably not the right tool for the job, but if possible (even if non-performant) I'd like to use the tooling we already have in place.
tl;dr: basically nginx proxy_pass, but with HAProxy and plucking a backend IP from the URL.
Thanks!
Yes, it's possible by using filters in HAProxy; see the link below for more details.
https://fossies.org/linux/haproxy/doc/internals/filters.txt
Yes, this can be done. I would recommend you use ACLs, as well as round-robin and checks, which will allow you to check whether that instance is up before routing to it. That way, the system will only route to service instances that are up and running, and will only have them preloaded for use if they are up.
In addition, this will also allow you to constantly cycle instances in and out, such as if your AWS instance costs change relative to any other providers you may have, and allows you to load balance with maximum cost savings in mind.
Yes, this is possible. Check the official manual:
Using ACLs and fetching samples
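Whichever HAProxy mechanism is used, the logic the question describes is "take a backend address out of the URL", and that deserves one check the answers above do not mention: a proxy that connects to any address a client writes into the path is an SSRF relay into the VPC. The added example below (not from the original post or from HAProxy's documentation) implements the path parser for the question's `/emr/ip-A-B-C-D[:port]/rest` scheme in Python, tightens the regex so the dashed quad and optional port cannot swallow part of the remaining path, validates the address and port, and only returns a target when the address lies inside an allow-listed EMR subnet. The subnet `10.20.0.0/16` and the default port 80 are assumptions; the question's sample addresses fall outside that subnet and are refused, which is the point.

```python
"""Parse /emr/ip-A-B-C-D[:port]/rest and decide whether to proxy to it.

Added example; EMR_SUBNETS and DEFAULT_PORT are assumptions, not values from
the original post. The allow-list is what keeps a URL-driven proxy from
becoming an open relay to arbitrary internal addresses.
"""
from __future__ import annotations

import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed for the example: the subnet(s) the EMR nodes live in.
EMR_SUBNETS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("10.20.0.0/16")]
DEFAULT_PORT = 80

# The question's pattern, anchored, with an optional :port and the remaining path
# captured separately so "ip-10-20-3-4:8088/cluster/nodes" splits cleanly.
EMR_PATH = re.compile(
    r"^/emr/ip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?::(\d{1,5}))?(/.*)?$"
)


class Target(NamedTuple):
    ip: str
    port: int
    path: str


def parse_emr_path(path: str) -> Optional[Target]:
    """Extract (ip, port, remaining path) from the request path, or None if malformed."""
    m = EMR_PATH.match(path)
    if not m:
        return None
    a, b, c, d, port, rest = m.groups()
    try:
        ip = ipaddress.ip_address(f"{a}.{b}.{c}.{d}")
    except ValueError:  # e.g. ip-999-1-1-1 matches the regex but is not an address
        return None
    port_num = int(port) if port else DEFAULT_PORT
    if not 1 <= port_num <= 65535:
        return None
    return Target(str(ip), port_num, rest or "/")


def route(path: str) -> Optional[Target]:
    """Where to proxy a request, or None if it must be refused (404/403)."""
    target = parse_emr_path(path)
    if target is None:
        return None
    ip = ipaddress.ip_address(target.ip)
    if not any(ip in net for net in EMR_SUBNETS):
        return None  # not an EMR node: refuse rather than relay
    return target


if __name__ == "__main__":
    for p in ["/emr/ip-10-20-3-4:4040", "/emr/ip-10-20-3-4/ganglia",
              "/emr/ip-10-20-3-4:8088/cluster/nodes", "/emr/ip-99-88-77-66:4040"]:
        print(p, "->", route(p))
```

In HAProxy terms, the extraction maps onto the `regsub` converter feeding `http-request set-dst` and `set-dst-port` in a backend whose server line is `0.0.0.0:0`, and the allow-list is an ACL on the extracted address that denies the request when it fails. Whatever the wiring, keep the refusal: the health checks recommended above tell you whether a node is up, not whether a client should be allowed to reach it.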

Firewall review using ELK

I'm looking for a way to build an automated and centralized firewall review tool using the ELK stack. I believe it's a nice tool to use in order to achieve this, specifically with Kibana.
By using certain data, I would like to enrich the firewall ruleset.
The firewall rules can be exported in CSV format; the remaining data can be adapted to that format.
The data will be comprised of:
Firewall rules: Source, Destination, Services, Action (drop or accept)
Inventory of all IPs: IP address(es), support groups, status of the device (dismissed or deployed)
Addressing scheme of each office: Site, belonging subnet(s)
I have imported all the data, but I have absolutely no idea how to achieve the correlation between the firewall rulesets, the corresponding IPs from the inventory, and the addressing from the offices. It would be nice to have a view of a firewall rule and see whether it belongs to a specific site. Bear in mind that firewall rules might have multiple entries (e.g. 10.0.0.0/8 -> 10.0.0.1, 10.0.0.2, etc.).
The final objective of this review is to aggregate rules (whenever possible), optimizing operability and security.
Did anybody find themselves in the same situation? If so, how did you solve it?
I'd appreciate any input you might have.
I figured it out.
Basically I wrote some Python scripts which correlate (offline) the information present in the CSV rules and the CSV inventory, and also the CSV rules and the CSV environments/subnets.
After all this, some manual intervention is indeed required to achieve what I'm asking.
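The answer does not show the scripts, so here is an added example in the same spirit (it is not the poster's code). The three CSVs are constructed inline with the columns the question lists. A rule's source or destination may hold one address, a CIDR, or a comma-separated list, so each entry is expanded separately, matched to the inventory by exact address and to a site by the longest containing subnet, and emitted as one enriched row, which is the shape Kibana wants for a per-entry view. `findings` then flags the two things a review would pick up first from the enriched data: rules that still reference dismissed hosts, and accept rules from `any`.

```python
"""Correlate firewall rules with an IP inventory and site subnets, offline.

Added example, not the poster's scripts. The three CSVs below are constructed
for the example; real exports are read with the same csv.DictReader call.
"""
from __future__ import annotations

import csv
import io
import ipaddress
import json
from typing import Dict, List, Optional, Tuple

RULES_CSV = """rule_id,source,destination,services,action
1,10.0.0.0/8,"10.1.0.10,10.2.0.20",tcp/443,accept
2,10.2.0.21,10.1.0.10,tcp/22,accept
3,any,10.9.9.9,tcp/3389,drop
"""

INVENTORY_CSV = """ip,support_group,status
10.1.0.10,web-team,deployed
10.2.0.20,db-team,deployed
10.2.0.21,db-team,dismissed
"""

SITES_CSV = """site,subnet
Rome,10.1.0.0/16
Milan,10.2.0.0/16
Campus,10.0.0.0/8
"""


def load(csv_text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def expand(field: str) -> List[Tuple[str, Optional[ipaddress._BaseNetwork]]]:
    """Split a rule field into (raw entry, network); 'any' or junk gets None."""
    out = []
    for raw in field.split(","):
        raw = raw.strip()
        try:
            out.append((raw, ipaddress.ip_network(raw, strict=False)))
        except ValueError:
            out.append((raw, None))
    return out


def site_for(net: ipaddress._BaseNetwork, sites: List[Dict[str, str]]) -> Optional[str]:
    """Most specific site whose subnet contains the entry (longest prefix wins)."""
    best: Optional[Tuple[str, ipaddress._BaseNetwork]] = None
    for row in sites:
        subnet = ipaddress.ip_network(row["subnet"])
        if net.version == subnet.version and net.subnet_of(subnet):
            if best is None or subnet.prefixlen > best[1].prefixlen:
                best = (row["site"], subnet)
    return best[0] if best else None


def enrich(rules, inventory, sites) -> List[Dict[str, object]]:
    """One row per rule entry, joined to inventory (exact host) and site (subnet)."""
    inv = {row["ip"]: row for row in inventory}
    rows: List[Dict[str, object]] = []
    for rule in rules:
        for side in ("source", "destination"):
            for raw, net in expand(rule[side]):
                row: Dict[str, object] = {
                    "rule_id": rule["rule_id"], "side": side, "entry": raw,
                    "services": rule["services"], "action": rule["action"],
                    "site": None, "support_group": None, "status": None,
                }
                if net is not None:
                    row["site"] = site_for(net, sites)
                    if net.num_addresses == 1:  # single host: look it up in the inventory
                        host = inv.get(str(net.network_address))
                        if host:
                            row["support_group"] = host["support_group"]
                            row["status"] = host["status"]
                rows.append(row)
    return rows


def findings(rows: List[Dict[str, object]]) -> List[str]:
    """Review hints that fall straight out of the enriched rows."""
    notes = []
    for r in rows:
        if r["status"] == "dismissed":
            notes.append(f"rule {r['rule_id']}: {r['side']} {r['entry']} is dismissed; candidate for removal")
        if r["entry"] == "any" and r["action"] == "accept":
            notes.append(f"rule {r['rule_id']}: accept from any on {r['services']}")
    return notes


def to_bulk_ndjson(rows: List[Dict[str, object]], index: str = "fw-review") -> str:
    """Elasticsearch _bulk body: an index action line followed by each document."""
    lines = []
    for r in rows:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(r))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    enriched = enrich(load(RULES_CSV), load(INVENTORY_CSV), load(SITES_CSV))
    print("\n".join(findings(enriched)))
    print(to_bulk_ndjson(enriched), end="")
```

The manual step the answer mentions starts from `findings`: the correlation tells you which entries point at dismissed hosts or sit in which site, and a person still decides whether two rules for the same site and service can be merged. Posting the `to_bulk_ndjson` output to `/_bulk` gives Kibana one document per rule entry, so a site filter shows every rule touching that office.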
