traveloka / Terraform Aws Waf Owasp Top 10 Rules

Licence: apache-2.0
A Terraform module to create AWS WAF rules for protection against the OWASP Top 10 security risks.

terraform-aws-waf-owasp-top-10-rules

Description

OWASP Top 10 Most Critical Web Application Security Risks is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list[1]. You can read the document that they published here: [2].

This is a Terraform module which creates AWS WAF resources to protect your resources from the OWASP Top 10 security risks. The module is based on the whitepaper that AWS provides, which describes how to use AWS WAF to mitigate those attacks[3][4].

This module only creates match sets[5], rules[6], and optionally a rule group[7]. Those resources cannot be used without a WebACL[8], which this module does not create.

To see an example of how to provision the resources only, see the Examples section.

To see an example of how to use this module together with a WebACL to fully protect your application, see this page: [9]

References

Prerequisites

FAQ

  1. Can I use only some of the rules? Yes, you can. This module outputs the rules' IDs; attach only the IDs of the rules you want to the WebACL you created.
  2. Can I provision only some of the rules? No, you can't. If you really want to do that, the only solution is to copy-paste the match-set and rule code manually. Be aware that by doing so you lose support from the maintainer of this module.
  3. Can I modify some match sets of a rule? No, you can't; the same answer as for question 2 applies. But if you find something that needs to be fixed, e.g. match sets causing lots of false positives, please don't hesitate to create an issue or a pull request in this repository!

Examples

Related Modules

Dependencies

This Terraform module has no dependencies on other modules.

Terraform Versions

Created and tested using Terraform version 0.11.14

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws | n/a |
| random | n/a |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| create_rule_group | All rules can be grouped into a Rule Group. Unfortunately, the AWS WAF Rule Group limit per region is only 3. Setting the value to false skips creating the rule group. Defaults to true. | string | "true" | no |
| csrf_expected_header | The custom HTTP request header in which the CSRF token value is expected to be found. | string | "x-csrf-token" | no |
| csrf_expected_size | The size in bytes of the CSRF token value. For example, if it is a canonically formatted UUIDv4 value, the expected size would be 36 bytes/ASCII characters. | string | "36" | no |
| description | The description of these resources. | string | n/a | yes |
| environment | The environment these resources belong to. | string | n/a | yes |
| max_expected_body_size | Maximum number of bytes allowed in the body of the request. If you do not plan to allow large uploads, set it to the largest payload value that makes sense for your web application. Accepting unnecessarily large values can cause performance issues if large payloads are used as an attack vector against your web application. | string | "4096" | no |
| max_expected_cookie_size | Maximum number of bytes allowed in the cookie header. The maximum size should be less than 4096; the size is determined by the amount of information your web application stores in cookies. If you only pass a session token via cookies, set the size to no larger than the serialized size of the session token and cookie metadata. | string | "4093" | no |
| max_expected_query_string_size | Maximum number of bytes allowed in the query string component of the HTTP request. Normally the size of the query string parameters following the ? in a URL is much larger than the URI, but still bounded by the size of the parameters your web application uses and their values. | string | "1024" | no |
| max_expected_uri_size | Maximum number of bytes allowed in the URI component of the HTTP request. Generally the maximum possible value is determined by the server operating system (maps to file system paths), the web server software, or other middleware components. Choose a value that accommodates the largest URI segment you use in practice in your web application. | string | "512" | no |
| product_domain | The name of the product domain these resources belong to. | string | n/a | yes |
| service_name | The name of the service these resources belong to. | string | n/a | yes |
| target_scope | Valid values are global and regional. If global, the resources created will be for global targets such as Amazon CloudFront distributions. For regional targets like ALBs and API Gateway stages, set to regional. | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| rule01_sql_injection_rule_id | AWS WAF Rule which mitigates SQL Injection Attacks. |
| rule02_auth_token_rule_id | AWS WAF Rule which blacklists bad/hijacked JWT tokens or session IDs. |
| rule03_xss_rule_id | AWS WAF Rule which mitigates Cross Site Scripting Attacks. |
| rule04_paths_rule_id | AWS WAF Rule which mitigates Path Traversal, LFI, RFI. |
| rule06_php_insecure_rule_id | AWS WAF Rule which mitigates PHP Specific Security Misconfigurations. |
| rule07_size_restriction_rule_id | AWS WAF Rule which mitigates abnormal requests via size restrictions. |
| rule08_csrf_rule_id | AWS WAF Rule which enforces the presence of a CSRF token in the request header. |
| rule09_server_side_include_rule_id | AWS WAF Rule which blocks request patterns for webroot objects that shouldn't be directly accessible. |
| rule_group_id | AWS WAF Rule Group which contains all rules for OWASP Top 10 protection. |
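The following is an added usage example, not code from the module or its repository. It shows the pattern described in FAQ 1 and in the Inputs and Outputs tables: call the module, skip the rule group to preserve the region's rule-group quota, then build the WebACL (which the module does not create) yourself and attach only the rule IDs you want. The module `source` URL, the `us-east-1` provider region (required for global/CloudFront WAF resources), and all `product_domain`/`service_name`/size values are assumptions chosen for illustration; the syntax uses Terraform 0.11 string interpolation, matching the version the module was tested with.

```hcl
# Added example (not the module's own code). Assumes the module is fetched from
# the traveloka/terraform-aws-waf-owasp-top-10-rules GitHub repository and that
# the protected resource is a CloudFront distribution (target_scope = "global").
provider "aws" {
  # Global (CloudFront) WAF resources must be managed from us-east-1.
  region = "us-east-1"
}

module "owasp_top_10" {
  source = "github.com/traveloka/terraform-aws-waf-owasp-top-10-rules"

  # Constructed sample values for the required inputs.
  product_domain = "example"
  service_name   = "example-web"
  environment    = "production"
  description    = "OWASP Top 10 rules for example-web"
  target_scope   = "global"

  # Keep the per-region rule-group quota (3) for something else; the
  # individual rule IDs are still output and can be attached one by one.
  create_rule_group = "false"

  # Tighten the size restrictions to what the application actually needs
  # (the module defaults are 4096 / 4093 / 1024 / 512).
  max_expected_body_size         = "2048"
  max_expected_cookie_size       = "1024"
  max_expected_query_string_size = "512"
  max_expected_uri_size          = "256"

  csrf_expected_header = "x-csrf-token"
  csrf_expected_size   = "36"
}

# The WebACL is not created by the module. Attach only the rules you want
# (FAQ 1); lower priority numbers are evaluated first.
resource "aws_waf_web_acl" "example" {
  name        = "example-web-owasp"
  metric_name = "exampleWebOwasp"

  default_action {
    type = "ALLOW"
  }

  rules {
    priority = 10
    rule_id  = "${module.owasp_top_10.rule01_sql_injection_rule_id}"

    action {
      type = "BLOCK"
    }
  }

  rules {
    priority = 20
    rule_id  = "${module.owasp_top_10.rule03_xss_rule_id}"

    action {
      type = "BLOCK"
    }
  }

  rules {
    priority = 30
    rule_id  = "${module.owasp_top_10.rule04_paths_rule_id}"

    action {
      type = "BLOCK"
    }
  }

  # Roll out size restrictions in COUNT mode first and review the sampled
  # requests / CloudWatch metrics for false positives before switching to BLOCK.
  rules {
    priority = 40
    rule_id  = "${module.owasp_top_10.rule07_size_restriction_rule_id}"

    action {
      type = "COUNT"
    }
  }
}

# Reference this ID from the CloudFront distribution's web_acl_id argument.
output "web_acl_id" {
  value = "${aws_waf_web_acl.example.id}"
}
```

For regional targets (ALB, API Gateway) the same module call works with `target_scope = "regional"`, but the WebACL must then be an `aws_wafregional_web_acl` in the target's own region and be associated with the load balancer via `aws_wafregional_web_acl_association`. Starting new rules in COUNT mode, as done for the size-restriction rule above, is the usual way to measure false positives before they start blocking real traffic.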

Contributing

This module accepts and is open to contributions from anyone; please see CONTRIBUTING.md for details on how to contribute to this module.

License

This module is under Apache License 2.0 - see the LICENSE file for details.

https://github.com/siahaanbernard
