By Ronnie Quan
This blog post is a sequel to https://cloudjourney.medium.com/aws-cloudfront-and-waf-97d7314b07af
Here we look at the same setup from an IAM permission perspective.
Our goal is to answer the following questions and validate the answers in a lab.
- What action is required to associate an AWS WAF rule (web ACL) with CloudFront?
- What action is required to associate an AWS WAF rule (web ACL) with an ALB?
- What action is required for AWS Firewall Manager to create a web ACL in a protected account?
- What action is required for either AWS Config or AWS Firewall Manager to automatically associate a web ACL with resources?
Lab and Validation
We will use a dedicated IAM user for the permission validation. In a real environment you might not use an IAM user, but the required permissions are similar, and this is a simple way to get started quickly.
We add a baseline inline policy directly to the IAM user and use the AWS CLI to perform the expected task. If a permission is missing, we add the required action to the inline policy and retry, until the task succeeds.
Optionally you may validate the operation from the AWS console, but that typically requires more actions than the programmatic way, since the console drop-down must first list the associated resources before you can select one and submit the configuration change.
(Note: to log in from the AWS CLI, you may use an IAM user access key; if you lost the secret, simply delete the existing access key and create a new one.)
In this lab, we will update CloudFront with the following web ACL.
AWS WAF has an AssociateWebACL action, but it is for other resource types. For CloudFront, use the CloudFront action UpdateDistribution. Is any action required on the WAF resource itself in order to associate a WAF web ACL with your CloudFront distribution? Let's find out.
We start with the following inline policy for IAM user Operator.
What happens if IAM user Operator updates an existing CloudFront distribution with a WAF web ACL?
aws cloudfront update-distribution --id <xyz> --if-match E12NKZ7D29PYFI --distribution-config file://D:/awssunday/update-cfdistribution.json
An error occurred (InvalidWebACLId) when calling the UpdateDistribution operation: Web ACL is not accessible by the requester.
It looks like a missing permission: we need access to the web ACL itself before we can associate it with the CloudFront distribution.
To get the ETag for the if-match parameter, run get-distribution or get-distribution-config; note that every update requires a freshly retrieved ETag.
- CloudFront JSON Config file
To construct the new config file, first run aws cloudfront get-distribution --id (with your distribution id) to get the current configuration JSON, select everything under the "DistributionConfig" element and save it to update-cfdistribution.json, then update the file with the web ACL ARN.
Let's add wafv2:GetWebACL to the inline policy for IAM user Operator.
Now we are able to update CloudFront with a WAF web ACL.
C:\Users\rquan>aws cloudfront update-distribution --id <xyz> --if-match E12NKZ7D29PYFI --distribution-config file://D:/awssunday/update-cfdistribution.json
In this lab, we will associate a regional WAF web ACL with an ALB.
Baseline Inline Policy
Use the managed policy "ElasticLoadBalancingFullAccess" as the baseline. Attach the policy to IAM user Operator, then, as this user, create the target group and ALB.
The ALB and the WAF web ACL have to be in the same region; in our case both are in us-east-1.
To associate the web ACL we run the AWS CLI wafv2 command. This differs from CloudFront, where we updated the CloudFront configuration to make the association.
The command fails with an authorization error.
C:\Users\rquan>aws wafv2 associate-web-acl --web-acl-arn arn:aws:wafv2:us-east-1:<awsaccount>:regional/webacl/wafuseast1/02fcdca2-3186-4c99-a65f-c3c2c097c995 --resource-arn arn:aws:elasticloadbalancing:us-east-1:<awsaccount>:loadbalancer/app/albwaftest/4f9b6a965e50cb47
An error occurred (AccessDeniedException) when calling the AssociateWebACL operation: User: Operator is not authorized to perform: wafv2:AssociateWebACL on resource: regional/webacl/wafuseast1
Update IAM user Operator with the following inline policy.
Run the same AWS CLI command again.
aws wafv2 associate-web-acl --web-acl-arn arn:aws:wafv2:us-east-1:<awsaccount>:regional/webacl/wafuseast1/02fcdca2-3186-4c99-a65f-c3c2c097c995 --resource-arn arn:aws:elasticloadbalancing:us-east-1:<awsaccount>:loadbalancer/app/albwaftest/4f9b6a965e50cb47
We see no error, and the WAF web ACL is associated with the ALB.
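The two mechanical steps of this lab, turning a get-distribution-config response into the UpdateDistribution call (with the ETag as if-match and WebACLId set to the web ACL ARN) and turning an AccessDenied message into the statement to add to the Operator inline policy, as an added Python example that is not from the original post. The sample response, ARNs and function names are constructed for illustration.

```python
"""Added example: reusable helpers for the lab's two repeated steps.
Sample data and names are constructed, not taken from a real account."""
import copy
import re

# Constructed sample shaped like `aws cloudfront get-distribution-config` output.
SAMPLE_GET_CONFIG = {
    "ETag": "E12NKZ7D29PYFI",
    "DistributionConfig": {"CallerReference": "ref-1", "Enabled": True,
                           "Comment": "", "WebACLId": ""},
}
# IAM denial format seen in the lab:
# "User: Operator is not authorized to perform: wafv2:AssociateWebACL on resource: regional/webacl/wafuseast1"
DENIAL_RE = re.compile(
    r"not authorized to perform: (?P<action>[\w-]+:[\w*]+) on resource: (?P<res>\S+)")

def build_update_request(get_config_response, web_acl_arn):
    """Turn a GetDistributionConfig response into UpdateDistribution kwargs:
    the ETag becomes IfMatch (a fresh ETag is needed for every update) and
    WebACLId is set to the wafv2 web ACL ARN. The input is not mutated."""
    cfg = copy.deepcopy(get_config_response["DistributionConfig"])
    cfg["WebACLId"] = web_acl_arn
    return {"IfMatch": get_config_response["ETag"], "DistributionConfig": cfg}

def statement_from_denial(message, resource_arn=None):
    """Parse an AccessDenied message into the single Allow statement that
    would unblock it. wafv2 denials name the web ACL as 'regional/webacl/<name>'
    rather than a full ARN, so for those the caller passes the full ARN.
    Returns None for non-IAM errors such as CloudFront's InvalidWebACLId."""
    m = DENIAL_RE.search(message)
    if not m:
        return None
    res = m["res"]
    if not res.startswith("arn:"):
        if resource_arn is None:
            raise ValueError(f"denial names partial resource {res!r}; pass resource_arn")
        res = resource_arn
    return {"Effect": "Allow", "Action": m["action"], "Resource": res}

def add_statement(policy, stmt):
    """Return a copy of the inline policy with stmt appended (no duplicates):
    one iteration of the lab's add-action-and-retry loop."""
    new = copy.deepcopy(policy)
    if stmt not in new["Statement"]:
        new["Statement"].append(stmt)
    return new
```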
AWS Firewall Manager
Service Linked Role
AWS Firewall Manager can be used to centralize WAF management. When you designate a Firewall Manager administrator account, the service-linked role AWSServiceRoleForFMS is created by AWS in multiple accounts in the organization.
This role has the managed policy FMSServiceRolePolicy attached. FMSServiceRolePolicy includes all permissions Firewall Manager needs to operate on WAF, WAFV2, security groups, ELB, API Gateway, AWS Config, Organizations, Shield, VPC, resource shares, Network Firewall and Route 53 Resolver, including create, update and delete permissions.
A user can create a service-linked role with the "CreateServiceLinkedRole" API call, but it will have the same permissions as when AWS creates the service-linked role by default; there is no way to modify the permissions associated with the role.
Application List and Protocol List
You may create overall allowed or denied application lists (protocol and port).
Here is the default deny application list provided by AWS:
Create a Policy
We create a WAF-type security policy and assign another account as the protected account.
When we inspect the protected account, the WAF web ACL has been distributed to it.
When creating an AWS Firewall Manager security policy, you select the target accounts to protect. A target account must have AWS Config enabled; when AWS Config is enabled for the account, the service-linked role AWSServiceRoleForConfig is created in that account.
My AWS Firewall Manager admin account is also in the same organization, but since I didn't select that account in scope for protection, I didn't need to enable AWS Config.
# this is protected account or target account
C:\Users\rquan>aws configservice get-status --profile protectedacct
Configuration Recorders:
name: default
last status: SUCCESS
Delivery Channels:
name: default
last stream delivery status: NOT_APPLICABLE
last history delivery status: SUCCESS
# this is for my admin account
C:\Users\rquan>aws configservice get-status --profile user1
Configuration Recorders:
Delivery Channels:
Let's check whether the service-linked role AWSServiceRoleForConfig exists.
# protected account
C:\Users\rquan>aws iam get-role --role-name AWSServiceRoleForConfig --profile protectedacct
"Arn": "arn:aws:iam::<protected acct>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
C:\Users\rquan>aws iam get-role --role-name AWSServiceRoleForConfig --profile user1
An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name AWSServiceRoleForConfig cannot be found.
What permissions are included in the service-linked role AWSServiceRoleForConfig?
The role has one attached AWS managed policy, AWSConfigServiceRolePolicy. The managed policy provides Get, List and Describe actions on a long list of services, so it is essentially read permission.
AWS Config tracks configuration changes, so it needs broad read permission. Firewall Manager itself creates the web ACL in the protected account, as indicated by the CloudTrail event.
I would imagine that in case auto remediation is turned on, AWS Firewall Manager will execute the remediation, given that it has all the required create, update and delete permissions.
At the end, please ensure you clean up; Firewall Manager is not cheap. You may revoke the Firewall Manager admin account, which deletes the corresponding security policy, including the web ACLs in the protected accounts.
You may also consider turning off AWS Config. It does not bother me, since my account is not very active and there are not many resource changes, but if you actively work on your resources it may incur AWS Config charges. To turn it off, try the following steps.
- Turn off Recording for that region using the console
- Delete the rule by going to Actions, Delete rule
- Use the AWS CLI to delete the default recorder:
aws configservice delete-configuration-recorder --configuration-recorder-name default --region <region-name>
- Delete the service linked role created for AWS Config
- Refresh the Config home page to make it appear fresh.
- If necessary, delete the Config bucket and its objects.