WAF rules to implement on aem as cloud service

Question

Hi All,

Please hep me with the WAF implementation. As this is new for me i had gone through some documentations as well. However i am looking for a general rules that i can deploy and test. As not sure what are the best practices to implement WAF i am looking for your help. If anyone has implemented please let me know that will be much helpful.

Regards,

Mahesh

partyush · Accepted Answer

Hi @smahesh

To implement WAF rules for AEM as a Cloud Service, follow these steps:

1. Create a Web ACL

Go to your cloud provider’s WAF console (e.g., AWS WAF).
Create a new Web ACL.

2. Add Default Rule Groups

Add managed rule groups like AWS-AWSManagedRulesCommonRuleSet for common threat protection.

3. Add Custom Rules

Rule 1: Restrict Access to Author Interface

Allow only specific IPs to access the author interface.
Example (AWS WAF):
{ "Name": "AllowAuthorIPs", "Priority": 1, "Action": { "Allow": {} }, "Statement": { "IPSetReferenceStatement": { "ARN": "arn:aws:wafv2:region:account-id:ipset/ipset-id" } }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AllowAuthorIPs" } }

Rule 2: SQL Injection Prevention

Block SQL injection attempts.
Example (AWS WAF):
{ "Name": "SQLInjectionPrevention", "Priority": 2, "Action": { "Block": {} }, "Statement": { "SqliMatchStatement": { "FieldToMatch": { "AllQueryArguments": {} }, "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }] } }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "SQLInjectionPrevention" } }

Rule 3: XSS Prevention

Block XSS attacks.
Example (AWS WAF):

{ "Name": "XSSPrevention", "Priority": 3, "Action": { "Block": {} }, "Statement": { "XssMatchStatement": { "FieldToMatch": { "AllQueryArguments": {} }, "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }] } }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "XSSPrevention" } }
Rule 4: Rate Limiting
- Limit request rates to prevent DDoS.
- Example (AWS WAF):
  { "Name": "RateLimit", "Priority": 4, "Action": { "Block": {} }, "Statement": { "RateBasedStatement": { "Limit": 1000, "AggregateKeyType": "IP" } }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateLimit" } }
4. Deploy and Test

Deploy the Web ACL to your AEM environment.

Test and monitor the WAF logs to ensure proper functionality.

Adjust rules as necessary based on observed traffic and security needs.

By following these steps, you can effectively implement and test WAF rules for your AEM as a Cloud Service environment.

Harwinder-singh · Answer

@smahesh you can check this out to get started - https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/security/traffic-filter-and-waf-rules/overview

1. Create a Web ACL

2. Add Default Rule Groups

3. Add Custom Rules

Rule 1: Restrict Access to Author Interface

Rule 2: SQL Injection Prevention

Rule 3: XSS Prevention

Rule 4: Rate Limiting

4. Deploy and Test

1. Create a Web ACL

2. Add Default Rule Groups

3. Add Custom Rules

Rule 1: Restrict Access to Author Interface

Rule 2: SQL Injection Prevention

Rule 3: XSS Prevention

Rule 4: Rate Limiting

4. Deploy and Test

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded