
Commit b2285ef

authored
Wafv2 owasp top 10 (#88)
* Add terraform module to create an AWS WAFv2 rule-group that covers OWASP TOP 10 security issues * Update README for the aws-wafv2-top-10-owasp-rules terraform module * use waf_scope in the name * use the lower function for waf_scope in the name * add some notes about using WAF with CloudFront
1 parent b864ba6 commit b2285ef

4 files changed

+1132
-0
lines changed

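--- /dev/null
+++ b/<README path not shown on page>
@@ -0,0 +1,68 @@
+There are 2 implementations of AWS WAF: AWS WAF Classic and AWS WAFv2. AWS recommends using AWS WAFv2 for new installations.
+This terraform module creates AWS WAFv2 rule-group with rules that cover *OWASP TOP 10 security issues* (https://d0.awsstatic.com/whitepapers/Security/aws-waf-owasp.pdf).
+
+For a CloudFront distribution, AWS WAF is available globally, but you must use the Region US East (N. Virginia) for all of your work. You must create your web ACL using the Region US East (N. Virginia). You must also use this Region to create any other resources that you use in your web ACL, like rule groups, IP sets, and regex pattern sets.
+
+Example of using this module:
+```bash
+module "wafv2_owasp_top_10_rules" {
+source = "../modules/aws-wafv2-top-10-owasp-rules"
+
+name = "${var.name}-${local.env}"
+
+waf_scope = "CLOUDFRONT"
+
+max_expected_uri_size = "512"
+max_expected_query_string_size = "1024"
+max_expected_body_size = "4096"
+max_expected_cookie_size = "4093"
+
+csrf_expected_header = "x-csrf-token"
+csrf_expected_size = "36"
+
+cloudwatch_metrics_enabled = true
+blacklisted_cidrs = ["10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "172.16.0.0/16", "127.0.0.1/32"]
+}
+
+resource "aws_wafv2_web_acl" "example" {
+name = "${var.name}-${local.env}-webacl"
+scope = "CLOUDFRONT"
+
+default_action {
+allow {}
+}
+
+rule {
+name = "owasp_top10_rules"
+priority = 1
+
+override_action {
+none {}
+}
+
+statement {
+rule_group_reference_statement {
+arn = module.wafv2_owasp_top_10_rules.rule_group_arn
+}
+}
+
+visibility_config {
+cloudwatch_metrics_enabled = true
+metric_name = "owasp-top10-security-issues"
+sampled_requests_enabled = true
+}
+}
+
+visibility_config {
+cloudwatch_metrics_enabled = true
+metric_name = "${var.name}-${local.env}-webacl"
+sampled_requests_enabled = false
+}
+}
+
+resource "aws_cloudfront_distribution" "example" {
+...
+web_acl_id = aws_wafv2_web_acl.example.arn
+...
+}
+```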
