Amazon API Gateway integration with AWS WAF

Create an Amazon API Gateway integration with AWS WAF This pattern in CDK offers a example to generate an Amazon API Gateway with a greedy proxy (“{proxy+}”) and “ANY” method from the specified path. This means it will accept by default any method and any path. The Lambda function is configured for VPC access and

Create an Amazon API Gateway integration with AWS WAF

This pattern in CDK offers a example to generate an Amazon API Gateway with a greedy proxy (“{proxy+}”) and “ANY” method from the specified path.
This means it will accept by default any method and any path. The Lambda function is configured for VPC access and returns only the path.

import { CfnWebACL, CfnWebACLAssociation } from '@aws-cdk/aws-wafv2';
import * as cdk from "@aws-cdk/core";
 
export class WafStack extends cdk.Stack {
    constructor(scope: cdk.Construct, id: string) {
        super(scope, id);
 
        // const CustomHeader = new cdk.CfnParameter(this, "CustomHeader", {
        //     type: "String",
        //     default: "x-key"
        // });
 
        //Web ACL
        const APIGatewayWebACL = new CfnWebACL(this, "APIGatewayWebACL", {
            name: "demo-api-gateway-webacl",
            description: "This is WebACL for Auth APi Gateway",
            scope: "REGIONAL",
            defaultAction: { block: {} },
            visibilityConfig: {
                metricName: "demo-APIWebACL",
                cloudWatchMetricsEnabled: true,
                sampledRequestsEnabled: true
            },
            rules: [

                {
                    name: "demo-rateLimitRule",
                    priority: 20,
                    action: { block: {} },
                    visibilityConfig: {
                        metricName: "demo-rateLimitRule",
                        cloudWatchMetricsEnabled: true,
                        sampledRequestsEnabled: false
                    },
                    statement: {
                        rateBasedStatement: {
                            aggregateKeyType: "IP",
                            limit: 100
                        }
                    }
                },
                {
                    name: `demo-api-auth-gateway-geolocation-rule`,
                    priority: 30,
                    action: { allow: {} },
                    visibilityConfig: {
                        metricName: `demo-AuthAPIGeoLocationUS`,
                        cloudWatchMetricsEnabled: true,
                        sampledRequestsEnabled: false
                    },
                    statement: {
                        geoMatchStatement: {
                            countryCodes: ['US']
                        }
                    }
                },
                {
                    name: `demo-api-auth-gateway-sqli-rule`,
                    priority: 40,
                    action: { block: {} },
                    visibilityConfig: {
                        metricName: `demo-APIAuthGatewaySqliRule`,
                        cloudWatchMetricsEnabled: true,
                        sampledRequestsEnabled: false
                    },
                    statement: {
                        orStatement: {
                            statements: [{
                                sqliMatchStatement: {
                                    fieldToMatch: {
                                        allQueryArguments: {}
                                    },
                                   textTransformations: [{
                                        priority: 1,
                                        type: "URL_DECODE"
                                    },
                                    {
                                        priority: 2,
                                        type: "HTML_ENTITY_DECODE"
                                    }]
                                }
                            },
                            {
                                sqliMatchStatement: {
                                    fieldToMatch: {
                                        body: {}
                                    },
                                    textTransformations: [{
                                        priority: 1,
                                        type: "URL_DECODE"
                                    },
                                    {
                                        priority: 2,
                                        type: "HTML_ENTITY_DECODE"
                                    }]
                                }
                            },
                            {
                                sqliMatchStatement: {
                                    fieldToMatch: {
                                        uriPath: {}
                                    },
                                    textTransformations: [{
                                        priority: 1,
                                        type: "URL_DECODE"
                                    }]
                                }
                            }]
                        }
                    }
                },
                {
                    name: `demo-detect-xss`,
                    priority: 60,
                    action: { block: {} },
                    visibilityConfig: {
                        metricName: `demo-detect-xss`,
                        cloudWatchMetricsEnabled: true,
                        sampledRequestsEnabled: false
                    },
                    statement: {
                        orStatement: {
                            statements: [
                                {
                                    xssMatchStatement: {
                                        fieldToMatch: {
                                            uriPath: {}
                                        },
                                        textTransformations: [{
                                            priority: 1,
                                            type: "URL_DECODE"
                                        },
                                        {
                                            priority: 2,
                                            type: "HTML_ENTITY_DECODE"
                                        }]
                                    }
                                },
                                {
                                    xssMatchStatement: {
                                        fieldToMatch: {
                                            allQueryArguments: {}
                                        },
                                        textTransformations: [{
                                            priority: 1,
                                            type: "URL_DECODE"
                                        },
                                        {
                                            priority: 2,
                                            type: "HTML_ENTITY_DECODE"
                                        }]
                                    }
                                },
                               
                            ]
                        }
                    }
                }
            ]
        });
 
        // Web ACL Association
        // const APIGatewayWebACLAssociation = 
        new CfnWebACLAssociation(this, "APIGatewayWebACLAssociation", {
            webAclArn: APIGatewayWebACL.attrArn,
            resourceArn: cdk.Fn.join("", ["arn:aws:apigateway:us-east-1::/restapis/", cdk.Fn.importValue("demorestapiid"), "/stages/prod", ])
        });
    }
}

Amazon API Gateway integration with WAF

This pattern in CDK offers a example to generate an Amazon API Gateway with a greedy proxy (“{proxy+}”) and “ANY” method from the specified path, meaning it will accept by default any method and any path. The VPC Lambda function provided in JavaScript only returns the path.

Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/apigw-waf-cdk

Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage – please see the AWS Pricing page for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.

Requirements

Deployment Instructions

  1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
    git clone https://github.com/aws-samples/serverless-patterns
    
  2. Change directory to the pattern directory its source code folder:
    cd apig-waf/src
    
  3. From the command line, use npm to install the development dependencies:
    npminstall
  4. To deploy from the command line use the following:
      npx cdk bootstrap aws://accountnumber/region
      npx cdk deploy --app 'ts-node .' --all
    

Testing

  • Locate WAFAPIGatewayApi.ApiUrl from output printed by cdk, this is the api endpoint to be invoked
    In a browser
```https://<api_id>.execute-api.<region>.amazonaws.com/prod```

You should see: ```Success path: "/"```

Cleanup

  1. From the command line, use the following in the source folder
    npx cdk destroy --app 'ts-node .' --all
    
  2. Confirm the removal and wait for the resource deletion to complete.

Nguồn: viblo.asia

Bài viết liên quan

WebP là gì? Hướng dẫn cách để chuyển hình ảnh jpg, png qua webp

WebP là gì? WebP là một định dạng ảnh hiện đại, được phát triển bởi Google

Điểm khác biệt giữa IPv4 và IPv6 là gì?

IPv4 và IPv6 là hai phiên bản của hệ thống địa chỉ Giao thức Internet (IP). IP l

Check nameservers của tên miền xem website trỏ đúng chưa

Tìm hiểu cách check nameservers của tên miền để xác định tên miền đó đang dùn

Mình đang dùng Google Domains để check tên miền hàng ngày

Từ khi thông báo dịch vụ Google Domains bỏ mác Beta, mình mới để ý và bắt đầ