Crowdsec RuleGroup conflict with ShieldMitigation Rule

[chladic]

Hello crowdsec,

in AWS WAF in SHIELD Advanced, whenever you go to "Protected Resources" and enable for your ALB protection, it automatically creates in your WAF Rule called ShieldMitigationRuleGroup_<some-long-id>. This rule is fixed and user cant manipulate with it.

Rule get Priority Number: 10000000

Whenever I want to start aws-waf-boucer, I get this error. Looks to me like it wants to manipulate with orders but it cant.

level=fatal msg="could not initialize waf instance: failed to cleanup: error removing rule group from ACL: AccessDeniedException: User: arn:aws:iam::****:user/crowdsec_bouncer is not authorized to perform: wafv2:UpdateWebACL on resource: arn:aws:wafv2:<region>:******:regional/rulegroup/ShieldMitigationRuleGroup_434565**** because no identity-based policy allows the wafv2:UpdateWebACL action\n\tstatus code: 400, request id: *****-*****-*****"

So overall result it, AWS WAF bouncer cant be used with Shield Advanced Protection. Can you guys please have a look to this? Its kind of critical for us.

Many thanks

[blotus]

Hello,

Thanks for the report.

Unfortunately, we cannot easily replicate the issue (AWS Shield advanced is 3k/month with a 1 year commitment, which is a bit steep for debugging).

I think the issue comes from the fact that to update a WebACL, you have to replace the entire content, so we get the existing rules and append them to the new configuration (without ever trying to modify rules/rules groups that do not belong to us).
I suspect that, for some reason, the rules we get AWS do not have all fields set, and AWS considers that we are trying to change the content of the rule.
Another thing is that we do not set all fields when updating the ACL itself, only the required ones (the assumption was non-mandatory fields were not going to get update if not present, but maybe it was wrong).

[chladic]

I can try to help with this but not sure how. Basically I cant do anything with this Rule as its managed externally

[chladic]

@blotus is this the way how WAF is updated by aws bouncer ? I know aws cli is not used, but go waf package, just if logic is same.

1. aws wafv2 get-web-acl - gets current WAF in json format
2. update JSON and add there crowdsec rule
3. aws wafv2 update-web-acl - update WAF with new configuration

Im talking to AWS WAF team to figure out how to avoid this conflict with Shield Rules.

[chladic]

@blotus confirmed from AWS:
Whenever Shield protection is enabled, is not possible to update WAF in a way aws-bouncer does it.
So options here are:

1. Change the way update is done (I guess you will not do it)
2. Add some custom pre-hook and post-hook. We could put there aws shield delete-protection <ID> and in post-hook aws shield create-protection <ID>

Do you think is possible to come up with some solution ? Thanks a lot