-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authorize and implement WAF in GovCloud for cloud.gov control plane #1311
Comments
I'm starting the SCR work for this since we have some rules already in place we need to document. |
The rules are going to take a lot of hashing out as customer impact will be hard to gauge, and I don't know if one can get any insight into what the details are of the AWS-managed rulesets. |
@spgreenberg Could you review the SCR at https://docs.google.com/document/d/1roNkZwfMZhxWwY9J9GYXatHm0YyBP-e4SP3i6mpg8oE/edit# or is there another engineer more appropriate for that? I'm happy to jump on a call discuss. @eddietejeda are you OK with signing the above SCR? If we can get it over to FedRAMP this afternoon it removes the potential for another week's wait. |
@pburkholder Everything looks good except for one clarification. DDOS protection is provided by AWS Shield. Unfortunately, I don't see Shield on the Fedramp list but I believe GSA is using Shield elsewhere. |
I added DDOS as even a naive WAF will blunt some of the impact of a DDOS, which we saw ourselves with the |
I have pinged Marcus as managed rulesets don't show up in GovCloud yet despite the interface being updated to v2. I will report back as soon as I hear from him. |
I have feedback from JAB that I need to respond to. Unblocking while I do so. |
Moving to blocked today to lower WIP while I complete work before 3PAO starts secrets assessment. |
I started a new SCR but I'm stuck until we determine how we'll disentangle our customer and control plane traffic, particularly WRT to the CloudFront routing. The https://github.com/cloud-gov/private/issues/171 work needs to move forward first. |
We can start with the AWS Managed Additionally, it appears Terraform has added support for WAF v2 managed rulesets: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl. We should be able to manage this in cg-provision. I am looking at this in detail now. |
Ooooh -- terraform support opens the door to brokered support 😍
…On Mon, Dec 14, 2020 at 6:24 PM Steve Greenberg ***@***.***> wrote:
We can start with the AWS Managed Core Rule Set described as: *"Contains
rules that are generally applicable to web applications. This provides
protection against exploitation of a wide range of vulnerabilities,
including those described in OWASP publications."*
Additionally, it appears Terraform has added support for WAF v2 managed
rulesets:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.
We should be able to manage this in cg-provision. I am looking at this in
detail now.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1311 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJHWCW7A6L635NOSR3YJRLSU2NCTANCNFSM4LBOTBJQ>
.
--
-
*Peter Burkholder | **cloud.gov <https://cloud.gov> compliance & security*
please use [email protected] for cloud.gov matters
*202-709-2028 <(202)%20209-2028> | [email protected]
<[email protected]> *
*| pronouns he-him <https://www.mypronouns.org/he-him>*
*Free/Busy Calendar
<https://calendar.google.com/calendar/[email protected]>*
|
The terraform provider requires TF v 0.13 or greater. We are currently on v0.11 and therefore are pausing on this so we can discuss options as a team. |
See: Malicious Traffic Protection doc for details.
Originally named: "Create and authorize WAF in GovCloud for API and customer apps" - renaming to: Authorize and implement WAF in GovCloud for cloud.gov control plane
We are not implementing customer WAF at the ALB level, as we can't pick rules that would free from impacting them.
Desired outcomes:
Implementation sketch
cf domains
app
ALB in COUNT mode, monitorThe text was updated successfully, but these errors were encountered: