Adobe Experience Manager Sites & More

smahesh · 7/18/24

Hi All,

Please hep me with the WAF implementation. As this is new for me i had gone through some documentations as well. However i am looking for a general rules that i can deploy and test. As not sure what are the best practices to implement WAF i am looking for your help. If anyone has implemented please let me know that will be much helpful.

Regards,

Mahesh

partyush · 7/19/24

Hi @smahesh

To implement WAF rules for AEM as a Cloud Service, follow these steps:

1. Create a Web ACL

Go to your cloud provider’s WAF console (e.g., AWS WAF).
Create a new Web ACL.

2. Add Default Rule Groups

Add managed rule groups like AWS-AWSManagedRulesCommonRuleSet for common threat protection.

3. Add Custom Rules

Rule 1: Restrict Access to Author Interface

Allow only specific IPs to access the author interface.

Example (AWS WAF):

{
  "Name": "AllowAuthorIPs",
  "Priority": 1,
  "Action": { "Allow": {} },
  "Statement": {
    "IPSetReferenceStatement": {
      "ARN": "arn:aws:wafv2:region:account-id:ipset/ipset-id"
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AllowAuthorIPs"
  }
}

Rule 2: SQL Injection Prevention

Block SQL injection attempts.
Example (AWS WAF):

{
  "Name": "SQLInjectionPrevention",
  "Priority": 2,
  "Action": { "Block": {} },
  "Statement": {
    "SqliMatchStatement": {
      "FieldToMatch": { "AllQueryArguments": {} },
      "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }]
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "SQLInjectionPrevention"
  }
}

Rule 3: XSS Prevention

Block XSS attacks.

Example (AWS WAF):

{
  "Name": "XSSPrevention",
  "Priority": 3,
  "Action": { "Block": {} },
  "Statement": {
    "XssMatchStatement": {
      "FieldToMatch": { "AllQueryArguments": {} },
      "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }]
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "XSSPrevention"
  }
}

Rule 4: Rate Limiting

Limit request rates to prevent DDoS.

Example (AWS WAF):

{
  "Name": "RateLimit",
  "Priority": 4,
  "Action": { "Block": {} },
  "Statement": {
    "RateBasedStatement": {
      "Limit": 1000,
      "AggregateKeyType": "IP"
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimit"
  }
}

4. Deploy and Test

Deploy the Web ACL to your AEM environment.
Test and monitor the WAF logs to ensure proper functionality.
Adjust rules as necessary based on observed traffic and security needs.

By following these steps, you can effectively implement and test WAF rules for your AEM as a Cloud Service environment.

View solution in original post

Harwinder-singh · 7/18/24

@smahesh you can check this out to get started - https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/security/traffic-f...

partyush · 7/19/24

Hi @smahesh

To implement WAF rules for AEM as a Cloud Service, follow these steps:

1. Create a Web ACL

Go to your cloud provider’s WAF console (e.g., AWS WAF).
Create a new Web ACL.

2. Add Default Rule Groups

Add managed rule groups like AWS-AWSManagedRulesCommonRuleSet for common threat protection.

3. Add Custom Rules

Rule 1: Restrict Access to Author Interface

Allow only specific IPs to access the author interface.

Example (AWS WAF):

{
  "Name": "AllowAuthorIPs",
  "Priority": 1,
  "Action": { "Allow": {} },
  "Statement": {
    "IPSetReferenceStatement": {
      "ARN": "arn:aws:wafv2:region:account-id:ipset/ipset-id"
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AllowAuthorIPs"
  }
}

Rule 2: SQL Injection Prevention

Block SQL injection attempts.
Example (AWS WAF):

{
  "Name": "SQLInjectionPrevention",
  "Priority": 2,
  "Action": { "Block": {} },
  "Statement": {
    "SqliMatchStatement": {
      "FieldToMatch": { "AllQueryArguments": {} },
      "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }]
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "SQLInjectionPrevention"
  }
}

Rule 3: XSS Prevention

Block XSS attacks.

Example (AWS WAF):

{
  "Name": "XSSPrevention",
  "Priority": 3,
  "Action": { "Block": {} },
  "Statement": {
    "XssMatchStatement": {
      "FieldToMatch": { "AllQueryArguments": {} },
      "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }]
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "XSSPrevention"
  }
}

Rule 4: Rate Limiting

Limit request rates to prevent DDoS.

Example (AWS WAF):

{
  "Name": "RateLimit",
  "Priority": 4,
  "Action": { "Block": {} },
  "Statement": {
    "RateBasedStatement": {
      "Limit": 1000,
      "AggregateKeyType": "IP"
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimit"
  }
}

4. Deploy and Test

Deploy the Web ACL to your AEM environment.
Test and monitor the WAF logs to ensure proper functionality.
Adjust rules as necessary based on observed traffic and security needs.

By following these steps, you can effectively implement and test WAF rules for your AEM as a Cloud Service environment.

Adobe Experience Manager Sites & More

WAF rules to implement on aem as cloud service

1. Create a Web ACL

2. Add Default Rule Groups

3. Add Custom Rules

Rule 1: Restrict Access to Author Interface

Rule 2: SQL Injection Prevention

Rule 3: XSS Prevention

Rule 4: Rate Limiting

4. Deploy and Test

1. Create a Web ACL

2. Add Default Rule Groups

3. Add Custom Rules

Rule 1: Restrict Access to Author Interface

Rule 2: SQL Injection Prevention

Rule 3: XSS Prevention

Rule 4: Rate Limiting

4. Deploy and Test

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe