
App and API Protection integrates with AWS Web Application Firewall (WAF) by:

  1. Converting logs to traces to gain visibility into monitored and blocked requests
  2. Blocking IP addresses with AWS WAF IPsets

Both can be set up independently, but set up the conversion of logs to traces first: the resulting traces are how you inspect what AWS WAF actually did with a request, including the blocks this integration adds later.

Prerequisites

Convert AWS WAF logs to traces

First, enable the conversion of logs to traces on the Settings page.

Then, ensure that each web ACL in the web ACLs table shows request metrics as well as logs and traces. AWS WAF logging is enabled per web ACL, so a web ACL with no logging configuration produces no logs and therefore no traces.

Security traces are reported in the AAP Traces Explorer with service name aws.waf.

Block with AWS WAF IPsets

To block attackers, Datadog needs to manage a dedicated IPset. This IPset must be referenced by the web ACL with a rule in blocking mode.

Multiple web ACLs can be set up in the same or in different AWS accounts. A Connection must be created on every AWS account.

Ensure the AWS role attached to the Connection has the following permissions. Both are required: UpdateIPSet replaces the whole address list and must present the lock token returned by GetIPSet, so a role with only UpdateIPSet cannot write anything.

  • wafv2:GetIPSet
  • wafv2:UpdateIPSet

Scope these to the ARN of the dedicated IPset below rather than to all IPsets in the account.

  1. Edit your Terraform configuration with the following content:

    # CLOUDFRONT-scope WAF resources must be created through a provider configured
    # for us-east-1. Use scope = "REGIONAL" for ALB, API Gateway, or AppSync, and keep
    # the IPset and the web ACL in the same scope.
    resource "aws_wafv2_ip_set" "Datadog-blocked-ipv4s" {
      name               = "Datadog-blocked-ipv4s"
      ip_address_version = "IPV4"
      scope              = "CLOUDFRONT"
      # Start empty; Datadog fills it as attackers are blocked.
      addresses          = []
    
      lifecycle {
        # The addresses are managed by the Datadog Application Security product.
        ignore_changes = [addresses]
      }
    }
    
    # Add a blocking rule to your existing web ACL resource
    resource "aws_wafv2_web_acl" "EdgeWAF" {
      name        = "EdgeWAF"
      description = "Edge web ACL; the BlockedIPs rule denies addresses in the Datadog-managed IPset"
      scope       = "CLOUDFRONT"
    
      default_action {
        allow {}
      }
    
      rule {
        name     = "BlockedIPs"
        # Rules are evaluated lowest priority first; 0 puts the blocklist ahead of
        # any allow rule, otherwise a matching allow would let the attacker through.
        priority = 0
    
        action {
          block {}
        }
    
        statement {
          ip_set_reference_statement {
            arn = aws_wafv2_ip_set.Datadog-blocked-ipv4s.arn
          }
        }
    
        visibility_config {
          cloudwatch_metrics_enabled = true
          metric_name                = "Datadog-blocked-ipv4s"
          sampled_requests_enabled   = true
        }
      }
    
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "EdgeWAF"
        sampled_requests_enabled   = true
      }
    }
    
  2. Run terraform apply to create and update the WAF resources. Because of the lifecycle block above, later applies leave the addresses Datadog has written in place instead of resetting the set to empty.

After setup is complete, click Block New Attackers on the App & API Protection denylist page. Select the web ACL and associated AWS connection to block IP addresses.
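The following is an added example, not code from Datadog or AWS, that does two things a practitioner wants after this setup: it checks that a web ACL really has a Block rule referencing the IPset and that the rule sorts ahead of every Allow rule, and it performs the GetIPSet then UpdateIPSet read-modify-write that the two permissions above exist for, including the lock-token rejection that stops two writers from clobbering each other. It assumes the dict shapes of boto3's wafv2 GetWebACL and GetIPSet responses; FakeWafv2, SAMPLE_WEB_ACL and IP_SET_ARN are constructed stand-ins so it runs offline, and OptimisticLockError stands in for botocore's WAFOptimisticLockException.

```python
"""Added example (not Datadog's or AWS's code): verify a web ACL blocks on the
Datadog-managed IPset and show the GetIPSet -> UpdateIPSet read-modify-write
that the GetIPSet/UpdateIPSet permissions exist for. Assumes the dict shapes of
boto3's wafv2 GetWebACL / GetIPSet responses; FakeWafv2, SAMPLE_WEB_ACL and
IP_SET_ARN are constructed stand-ins so this runs offline (use
boto3.client("wafv2", region_name="us-east-1") for a real CLOUDFRONT-scope set)."""
import ipaddress
import uuid


class OptimisticLockError(Exception):
    """Stand-in for botocore's WAFOptimisticLockException (constructed)."""


def _references_ip_set(statement: dict, ip_set_arn: str) -> bool:
    """True if the statement or an And/Or child matches the IPset. NotStatement is
    not descended into: blocking on NOT-in-set would let the listed IPs through."""
    if "IPSetReferenceStatement" in statement:
        return statement["IPSetReferenceStatement"].get("ARN") == ip_set_arn
    for key in ("AndStatement", "OrStatement"):
        if key in statement:
            return any(_references_ip_set(s, ip_set_arn) for s in statement[key]["Statements"])
    return False


def blocking_rules_for_ip_set(web_acl: dict, ip_set_arn: str) -> list[str]:
    """Names of rules with a Block action that reference ip_set_arn."""
    return [r["Name"] for r in web_acl["WebACL"].get("Rules", [])
            if "Block" in r.get("Action", {}) and _references_ip_set(r.get("Statement", {}), ip_set_arn)]


def block_rule_precedes_allows(web_acl: dict, rule_names: list[str]) -> bool:
    """Rules run lowest Priority first and Allow terminates evaluation, so the
    blocklist rule must sort before every Allow rule or attackers get in."""
    rules = web_acl["WebACL"].get("Rules", [])
    block_prios = [r["Priority"] for r in rules if r["Name"] in rule_names]
    allow_prios = [r["Priority"] for r in rules if "Allow" in r.get("Action", {})]
    return bool(block_prios) and all(min(block_prios) < p for p in allow_prios)


def normalize_ipv4_cidrs(addresses) -> list[str]:
    """IPsets only accept CIDR notation (bare host -> /32); IPv6 input is rejected
    loudly instead of silently vanishing from an IPV4 set."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    bad = [str(n) for n in nets if n.version != 4]
    if bad:
        raise ValueError(f"IPV4 IPset cannot hold {bad}")
    return [str(n) for n in nets]


def add_blocked_addresses(wafv2, *, name, scope, ip_set_id, addresses) -> list[str]:
    """UpdateIPSet replaces the whole list and needs the LockToken from the
    preceding GetIPSet, so a concurrent writer's entries cannot be clobbered."""
    resp = wafv2.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    merged = sorted(set(resp["IPSet"]["Addresses"]) | set(normalize_ipv4_cidrs(addresses)))
    wafv2.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                        Addresses=merged, LockToken=resp["LockToken"])
    return merged


def stale_token_is_rejected(wafv2, *, name, scope, ip_set_id) -> bool:
    """Write once, then retry with the token read before that write."""
    stale = wafv2.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)["LockToken"]
    add_blocked_addresses(wafv2, name=name, scope=scope, ip_set_id=ip_set_id, addresses=["192.0.2.1"])
    try:
        wafv2.update_ip_set(Name=name, Scope=scope, Id=ip_set_id, Addresses=[], LockToken=stale)
    except OptimisticLockError:
        return True
    return False


class FakeWafv2:
    """Constructed in-memory stand-in for boto3.client("wafv2")."""
    def __init__(self, addresses=()):
        self.addresses, self.lock_token = list(addresses), str(uuid.uuid4())

    def get_ip_set(self, *, Name, Scope, Id):
        return {"IPSet": {"Name": Name, "Id": Id, "Addresses": list(self.addresses)},
                "LockToken": self.lock_token}

    def update_ip_set(self, *, Name, Scope, Id, Addresses, LockToken):
        if LockToken != self.lock_token:
            raise OptimisticLockError("stale LockToken: re-read with GetIPSet and retry")
        self.addresses, self.lock_token = list(Addresses), str(uuid.uuid4())
        return {"NextLockToken": self.lock_token}


# Constructed sample: placeholder ARN, and a web ACL mirroring the Terraform above.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/Datadog-blocked-ipv4s/EXAMPLE"
SAMPLE_WEB_ACL = {"WebACL": {"Name": "EdgeWAF", "Rules": [
    {"Name": "BlockedIPs", "Priority": 0, "Action": {"Block": {}},
     "Statement": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}}},
    {"Name": "AllowHealthChecks", "Priority": 10, "Action": {"Allow": {}},
     "Statement": {"ByteMatchStatement": {"SearchString": b"/healthz"}}}]}}

if __name__ == "__main__":
    rules = blocking_rules_for_ip_set(SAMPLE_WEB_ACL, IP_SET_ARN)
    print(rules, block_rule_precedes_allows(SAMPLE_WEB_ACL, rules))
    fake = FakeWafv2(["198.51.100.0/24"])
    print(add_blocked_addresses(fake, name="Datadog-blocked-ipv4s", scope="CLOUDFRONT",
                                ip_set_id="EXAMPLE", addresses=["203.0.113.7"]))
```

Against a real account, pass `boto3.client("wafv2", region_name="us-east-1")` in place of FakeWafv2 and feed `get_web_acl(...)` output to `blocking_rules_for_ip_set`; the optimistic-lock retry loop (re-read, re-merge, re-write) is what any automation that shares the IPset with Datadog has to implement, since a stale token is refused rather than merged.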