App and API Protection integrates with AWS Web Application Firewall (WAF) by:
Both can be set up independently, but it is recommended to first set up the conversion of logs to traces in order to inspect the AWS WAF actions.
First, enable the conversion of logs to traces on the Settings page.
Then, ensure the web ACLs table contains request metrics as well as logs and traces.
Security traces are reported in the AAP Traces Explorer with service name aws.waf.
To block attackers, Datadog needs to manage a dedicated IPset. This IPset must be referenced by the web ACL with a rule in blocking mode.
Multiple web ACLs can be set up in the same or in different AWS accounts. A Connection must be created on every AWS account.
Ensure the AWS role attached to the Connection has the following permissions:
- GetIPSet
- UpdateIPSet
Edit your Terraform configuration with the following content:
```hcl
# IP set that Datadog fills with the addresses to block.
resource "aws_wafv2_ip_set" "Datadog-blocked-ipv4s" {
  name               = "Datadog-blocked-ipv4s"
  ip_address_version = "IPV4"
  scope              = "CLOUDFRONT"
  addresses          = []

  lifecycle {
    # The addresses are managed by the Datadog Application Security product.
    ignore_changes = [addresses]
  }
}

# Add a blocking rule to your existing web ACL resource
resource "aws_wafv2_web_acl" "EdgeWAF" {
  name        = "EdgeWAF"
  description = "undefined"
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "BlockedIPs"
    priority = 0

    action {
      block {}
    }

    statement {
      ip_set_reference_statement {
        # Reference the Datadog-managed IP set created above.
        arn = aws_wafv2_ip_set.Datadog-blocked-ipv4s.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Datadog-blocked-ipv4s"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "EdgeWAF"
    sampled_requests_enabled   = true
  }
}
```
Run terraform apply to create and update the WAF resources.
After setup is complete, click Block New Attackers on the App & API Protection denylist page. Select the web ACL and associated AWS connection to block IP addresses.
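The requirement above, that the web ACL reference the IPset with a rule in blocking mode, can be checked after the apply. The following is an added example, not Datadog's code: it assumes the JSON returned by `aws wafv2 get-web-acl`, and the sample ACL, account ID and IP set ID in it are constructed placeholders.

```python
import json

# Constructed sample in the shape returned by `aws wafv2 get-web-acl`
# (account ID and IP set ID are placeholders, not real values).
IPSET_ARN = ("arn:aws:wafv2:us-east-1:111111111111:global/ipset/"
             "Datadog-blocked-ipv4s/00000000-0000-0000-0000-000000000000")
SAMPLE = json.dumps({"WebACL": {
    "Name": "EdgeWAF",
    "DefaultAction": {"Allow": {}},
    "Rules": [{
        "Name": "BlockedIPs", "Priority": 0,
        "Statement": {"IPSetReferenceStatement": {"ARN": IPSET_ARN}},
        "Action": {"Block": {}},
    }],
}})


def check_blocking_rule(web_acl_json, ipset_arn):
    """Return a list of findings; an empty list means the IP set is enforced."""
    acl = json.loads(web_acl_json)["WebACL"]
    rules = sorted(acl.get("Rules", []), key=lambda r: r["Priority"])
    # Only top-level references are inspected; nested And/Or/Not statements are ignored.
    refs = [r for r in rules
            if r.get("Statement", {}).get("IPSetReferenceStatement", {}).get("ARN") == ipset_arn]
    if not refs:
        return [f"no rule in {acl['Name']} references the IP set"]
    findings = []
    for rule in refs:
        action = next(iter(rule.get("Action", {})), "none")
        if action != "Block":
            findings.append(f"rule {rule['Name']} uses action {action}, not Block")
    blocking = [r for r in refs if "Block" in r.get("Action", {})]
    if blocking:
        first = blocking[0]["Priority"]
        # Allow is a terminating action: an earlier Allow rule can let a request
        # through before the block rule is evaluated.
        for rule in rules:
            if rule["Priority"] < first and "Allow" in rule.get("Action", {}):
                findings.append(f"rule {rule['Name']} allows traffic before {blocking[0]['Name']}")
    return findings


if __name__ == "__main__":
    for finding in check_blocking_rule(SAMPLE, IPSET_ARN) or ["OK: IP set is enforced in blocking mode"]:
        print(finding)
```

A rule left in Count mode, or placed after a rule that allows traffic, shows up as a finding even though the IP set itself is being updated.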