If you are using the AWS Web Application Firewall (WAF) on your Application Load Balancer or another supported AWS resource, you probably don’t want the administrative interfaces of your web application exposed directly to the Internet without some form of restriction, for example limiting them to a range of trusted IPv4 addresses.
Adding a rule to your WebACL to block such requests is pretty straightforward: you add the section of code below into the WebACL in your CloudFormation template. You also need to specify a trusted IP list; this can contain IPv4 addresses, IPv6 addresses or both (although you may need two separate IP Set declarations, one for IPv4 and one for IPv6).
The below is a Rule that you would add into the “Rules” section of an AWS::WAFv2::WebACL resource. The IP Set is a separate resource from the WebACL.
```yaml
# ...
- Name: AllowAdmin
  Priority: 9
  # Action and VisibilityConfig are required on every WebACL rule; the
  # statement below describes the requests to block, so the action is Block.
  Action:
    Block: {}
  VisibilityConfig:
    SampledRequestsEnabled: true
    CloudWatchMetricsEnabled: true
    MetricName: AllowAdmin
  Statement:
    AndStatement:
      Statements:
        # the source IP is NOT in the trusted IP Set ...
        - NotStatement:
            Statement:
              IPSetReferenceStatement:
                Arn: !GetAtt AllowedAdminIPSet.Arn
        # ... AND the request path starts with /admin
        - ByteMatchStatement:
            FieldToMatch:
              UriPath: {}
            SearchString: "/admin"
            PositionalConstraint: "STARTS_WITH"
            TextTransformations:
              - Priority: 0
                Type: NONE
# ...
AllowedAdminIPSet:
  Type: AWS::WAFv2::IPSet
  Properties:
    Description: AdminIPSet
    Name: AdminIPSet
    Scope: REGIONAL
    IPAddressVersion: IPV4
    Addresses:
      # WAFv2 requires CIDR notation, so a single host carries a /32
      - 1.2.3.4/32
      - 5.6.7.8/32
```
The IP Set contains the IPv4 or IPv6 addresses from which you will allow access to the administrative interface. If a client attempts to connect to the administrative interface and its source IP address is not one of those listed, the connection is blocked. You’ll notice that the IPSetReferenceStatement uses the !GetAtt function to query the AllowedAdminIPSet resource for its ARN; you can’t just use !Ref in this case, as the statement must refer to the ARN of the IP Set to work.
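To check that the AndStatement / NotStatement / ByteMatchStatement combination above really blocks what you intend before deploying it, here is an added example (not from the original post) that models the rule's evaluation in plain Python: the IP Set contents are a constructed stand-in for the AllowedAdminIPSet resource, and the ARN reference is replaced by the resolved address list, which is an assumption of this model rather than how WAF stores it.

```python
import ipaddress

# Constructed sample IP set standing in for the AllowedAdminIPSet resource
# (WAFv2 wants CIDR notation, so the page's two hosts carry a /32 each).
ADMIN_IP_SET = [ipaddress.ip_network(c) for c in ("1.2.3.4/32", "5.6.7.8/32")]

# The rule statement mirrored from the CloudFormation fragment above. The
# IPSetReferenceStatement carries the resolved address list instead of an ARN;
# that substitution is an assumption of this model, not WAF's own structure.
ADMIN_RULE = {
    "AndStatement": {"Statements": [
        {"NotStatement": {"Statement": {
            "IPSetReferenceStatement": {"Addresses": ADMIN_IP_SET}}}},
        {"ByteMatchStatement": {"FieldToMatch": {"UriPath": {}},
                                "SearchString": "/admin",
                                "PositionalConstraint": "STARTS_WITH"}},
    ]}
}


def matches(statement, src_ip, uri_path):
    """True when the statement matches the request, using WAFv2 semantics
    reduced to the four statement types this rule uses."""
    kind, body = next(iter(statement.items()))
    if kind == "AndStatement":
        return all(matches(s, src_ip, uri_path) for s in body["Statements"])
    if kind == "NotStatement":
        return not matches(body["Statement"], src_ip, uri_path)
    if kind == "IPSetReferenceStatement":
        addr = ipaddress.ip_address(src_ip)  # an IPv6 client never matches a v4 set
        return any(addr in net for net in body["Addresses"])
    if kind == "ByteMatchStatement":
        if "UriPath" not in body["FieldToMatch"]:
            raise ValueError("model only inspects UriPath")
        if body["PositionalConstraint"] != "STARTS_WITH":
            raise ValueError("model only supports STARTS_WITH")
        # No text transformation (Type: NONE), so the byte compare is exact.
        return uri_path.startswith(body["SearchString"])
    raise ValueError(f"unsupported statement {kind}")


def is_blocked(src_ip, uri_path, rule=ADMIN_RULE):
    """The rule's action is Block, so a match means the request is dropped."""
    return matches(rule, src_ip, uri_path)


if __name__ == "__main__":
    for ip, path in [("1.2.3.4", "/admin/users"), ("203.0.113.9", "/admin"),
                     ("203.0.113.9", "/"), ("203.0.113.9", "/administrator")]:
        print(f"{ip:12} {path:16} {'BLOCK' if is_blocked(ip, path) else 'pass'}")
```

Running it shows two things worth knowing about the rule as written: STARTS_WITH also catches paths such as /administrator, and with Type NONE the comparison is case-sensitive, so /Admin passes through to the remaining rules unless you add a LOWERCASE text transformation.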