I ran into a false positive the other day, so I'd share it; There is a rule AWSManagedRulesAnonymousIpList in AWS WAF v2, use of the HostingProviderIPList in it may need a little care in a particular situation.
What the problem
First, let me explain what the rules are.
| RuleName | Detail |
|---|---|
| AWSManagedRulesAnonymousIpList | Inspects for a list of IP addresses of sources known to anonymize client information, like TOR nodes, temporary proxies, and other masking services. |
| HostingProviderIPList | Inspects for a list of IP addresses from hosting and cloud providers, which are less likely to source end-user traffic. The IP list does not include AWS IP addresses. |
It is a very useful rule set that usually blocks suspicious accesses. However, the other day I decided to integrate the web service with my customer's external system, and when testing, we encountered a problem where communication could not be established and the service was blocked. As a result, we have set the rule set to "Count" and are now observing whether we should really turn off the rule set.
Workaround
I used Terraform to build the WAF, so this will be an explanation using Terraform. The change is quite simple, just add excluded_rule to the rule in the aws_wafv2_web_acl
I hope it will be of some help to anyone who is encountering the same problem.
Appendix
By the way, if you want to build a WAF using Terraform, please refer to my previous article!
Thank you for reading!
Top comments (0)