Expand my Community achievements bar.

SOLVED

WAF rules to implement on aem as cloud service

Avatar

Level 4

Hi All,

 

Please hep me with the WAF implementation. As this is new for me i had gone through some documentations as well. However i am looking for a general rules that i can deploy and test. As not sure what are the best practices to implement WAF i am looking for your help. If anyone has implemented please let me know that will be much helpful.

 

Regards,

Mahesh

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @smahesh 

To implement WAF rules for AEM as a Cloud Service, follow these steps:

1. Create a Web ACL

  1. Go to your cloud provider’s WAF console (e.g., AWS WAF).
  2. Create a new Web ACL.

2. Add Default Rule Groups

  1. Add managed rule groups like AWS-AWSManagedRulesCommonRuleSet for common threat protection.

3. Add Custom Rules

Rule 1: Restrict Access to Author Interface

  • Allow only specific IPs to access the author interface.
  • Example (AWS WAF):
    {
      "Name": "AllowAuthorIPs",
      "Priority": 1,
      "Action": { "Allow": {} },
      "Statement": {
        "IPSetReferenceStatement": {
          "ARN": "arn:aws:wafv2:region:account-id:ipset/ipset-id"
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AllowAuthorIPs"
      }
    }
    ​

Rule 2: SQL Injection Prevention

  • Block SQL injection attempts.
  • Example (AWS WAF):
  • {
      "Name": "SQLInjectionPrevention",
      "Priority": 2,
      "Action": { "Block": {} },
      "Statement": {
        "SqliMatchStatement": {
          "FieldToMatch": { "AllQueryArguments": {} },
          "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }]
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "SQLInjectionPrevention"
      }
    }
    

Rule 3: XSS Prevention

  • Block XSS attacks.
  • Example (AWS WAF):

    {
      "Name": "XSSPrevention",
      "Priority": 3,
      "Action": { "Block": {} },
      "Statement": {
        "XssMatchStatement": {
          "FieldToMatch": { "AllQueryArguments": {} },
          "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }]
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "XSSPrevention"
      }
    }
    ​

    Rule 4: Rate Limiting

    • Limit request rates to prevent DDoS.
    • Example (AWS WAF):
      {
        "Name": "RateLimit",
        "Priority": 4,
        "Action": { "Block": {} },
        "Statement": {
          "RateBasedStatement": {
            "Limit": 1000,
            "AggregateKeyType": "IP"
          }
        },
        "VisibilityConfig": {
          "SampledRequestsEnabled": true,
          "CloudWatchMetricsEnabled": true,
          "MetricName": "RateLimit"
        }
      }
      ​

    4. Deploy and Test

    1. Deploy the Web ACL to your AEM environment.
    2. Test and monitor the WAF logs to ensure proper functionality.
    3. Adjust rules as necessary based on observed traffic and security needs.

    By following these steps, you can effectively implement and test WAF rules for your AEM as a Cloud Service environment.

     

 

View solution in original post

2 Replies

Avatar

Correct answer by
Community Advisor

Hi @smahesh 

To implement WAF rules for AEM as a Cloud Service, follow these steps:

1. Create a Web ACL

  1. Go to your cloud provider’s WAF console (e.g., AWS WAF).
  2. Create a new Web ACL.

2. Add Default Rule Groups

  1. Add managed rule groups like AWS-AWSManagedRulesCommonRuleSet for common threat protection.

3. Add Custom Rules

Rule 1: Restrict Access to Author Interface

  • Allow only specific IPs to access the author interface.
  • Example (AWS WAF):
    {
      "Name": "AllowAuthorIPs",
      "Priority": 1,
      "Action": { "Allow": {} },
      "Statement": {
        "IPSetReferenceStatement": {
          "ARN": "arn:aws:wafv2:region:account-id:ipset/ipset-id"
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AllowAuthorIPs"
      }
    }
    ​

Rule 2: SQL Injection Prevention

  • Block SQL injection attempts.
  • Example (AWS WAF):
  • {
      "Name": "SQLInjectionPrevention",
      "Priority": 2,
      "Action": { "Block": {} },
      "Statement": {
        "SqliMatchStatement": {
          "FieldToMatch": { "AllQueryArguments": {} },
          "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }]
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "SQLInjectionPrevention"
      }
    }
    

Rule 3: XSS Prevention

  • Block XSS attacks.
  • Example (AWS WAF):

    {
      "Name": "XSSPrevention",
      "Priority": 3,
      "Action": { "Block": {} },
      "Statement": {
        "XssMatchStatement": {
          "FieldToMatch": { "AllQueryArguments": {} },
          "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }]
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "XSSPrevention"
      }
    }
    ​

    Rule 4: Rate Limiting

    • Limit request rates to prevent DDoS.
    • Example (AWS WAF):
      {
        "Name": "RateLimit",
        "Priority": 4,
        "Action": { "Block": {} },
        "Statement": {
          "RateBasedStatement": {
            "Limit": 1000,
            "AggregateKeyType": "IP"
          }
        },
        "VisibilityConfig": {
          "SampledRequestsEnabled": true,
          "CloudWatchMetricsEnabled": true,
          "MetricName": "RateLimit"
        }
      }
      ​

    4. Deploy and Test

    1. Deploy the Web ACL to your AEM environment.
    2. Test and monitor the WAF logs to ensure proper functionality.
    3. Adjust rules as necessary based on observed traffic and security needs.

    By following these steps, you can effectively implement and test WAF rules for your AEM as a Cloud Service environment.