Verify that your AWS CloudFront distributions are integrated with AWS Web Application Firewall (AWS WAF).
AWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.
To integrate with AWS WAF from the console, follow the AWS documentation on how to associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console.
1. Run aws waf get-change-token to generate a token.
2. Run aws waf create-ip-set with your newly generated token. Additional information can be found in the create-ip-set AWS documentation.
create-ip-set.sh
aws waf create-ip-set \
  --name test_ipset \
  --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5
3. Create an IPSetDescriptor JSON object in a new document and define the IP address or ranges you wish to block. Set Type to IPV4 or IPV6 to match the value. Save the file.
ip-set-descriptor.json
[
  {
    "Action": "INSERT",
    "IPSetDescriptor": {
      "Type": "IPV4",
      "Value": "192.0.2.0/24"
    }
  }
]
4. Run aws waf update-ip-set with the change-token (generated in step 1), ip-set-id (generated in step 2), and the file you just created. Additional information can be found in the update-ip-set AWS documentation.
update-ip-set.sh
aws waf update-ip-set \
  --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291 \
  --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5 \
  --updates file://ip-set-descriptor.json
5. Run aws waf create-rule with a new rule name and your change-token (generated in step 1). Additional information can be found in the create-rule AWS documentation.
create-rule.sh
aws waf create-rule \
  --name NameOfRule \
  --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5
6. Run aws waf create-web-acl with a name and your change-token (generated in step 1), and set the default action to block. Additional information can be found in the create-web-acl AWS documentation.
create-web-acl.sh
aws waf create-web-acl \
  --name NameOfACL \
  --default-action Type=BLOCK \
  --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5
7. Create a new JSON file and define ActivatedRule as an object that references the ACL rule created in step 6. Assign it a default action, INSERT.
activated-rule.json
[
  {
    "Action": "INSERT",
    "ActivatedRule": {
      "RuleId": "your-rule-id",
      "Action": {
        "Type": "BLOCK"
      }
    }
  }
]
8. Run update-web-acl with the web-acl-id (generated in step 5), change-token (generated in step 1), and the file you just created in step 7.
update-web-acl.sh
aws waf update-web-acl \
  --web-acl-id webaclid \
  --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4 \
  --updates file://activated-rule.json
9. Run get-distribution-config.
10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the WebACLId as the ID you returned in step 5. Save the file.
activated-rule.json
{
  "ETag": "etag",
  "DistributionConfig": {
    ...
    "WebACLId": "webaclid",
    ...
  }
}
11. Run update-distribution with the id and etag previously returned in step 9. Additional information can be found in the update-distribution AWS documentation.
update-distribution.sh
aws cloudfront update-distribution \
  --id distribution-id \
  --distribution-config file://activated-rule.json \
  --if-match etag
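The check this rule performs and steps 9 to 11, as an added example that is not part of the original page: a Python helper that lists distributions with no web ACL from aws cloudfront list-distributions output, then splits get-distribution-config output into the DistributionConfig body that --distribution-config takes and the ETag that --if-match takes. The function names, the distribution-config.json file name, and all sample IDs are assumptions constructed for illustration.

```python
import copy
import json


def unprotected_distributions(list_output):
    """Return IDs of distributions whose WebACLId is empty or missing.

    list_output is the parsed JSON of `aws cloudfront list-distributions`.
    """
    items = list_output.get("DistributionList", {}).get("Items") or []
    return [d["Id"] for d in items if not d.get("WebACLId")]


def attach_web_acl(get_config_output, web_acl_id):
    """Return (config, etag) ready for `aws cloudfront update-distribution`.

    get_config_output is the parsed JSON of `get-distribution-config`.
    Only the inner DistributionConfig is returned; the ETag wrapper is
    passed separately through --if-match.
    """
    if not web_acl_id:
        raise ValueError("web_acl_id must not be empty")
    etag = get_config_output["ETag"]
    config = copy.deepcopy(get_config_output["DistributionConfig"])
    config["WebACLId"] = web_acl_id
    return config, etag


# Constructed sample data (IDs are placeholders, not real resources).
SAMPLE_LIST = {"DistributionList": {"Items": [
    {"Id": "EDFDVBD6EXAMPLE", "WebACLId": ""},
    {"Id": "E1A2B3C4EXAMPLE", "WebACLId": "example-web-acl-id"},
]}}
SAMPLE_GET_CONFIG = {
    "ETag": "E2QWRUHEXAMPLE",
    "DistributionConfig": {"Comment": "constructed", "Enabled": True,
                           "WebACLId": ""},
}

if __name__ == "__main__":
    print("No web ACL:", unprotected_distributions(SAMPLE_LIST))
    config, etag = attach_web_acl(SAMPLE_GET_CONFIG, "example-web-acl-id")
    with open("distribution-config.json", "w") as fh:
        json.dump(config, fh, indent=2)
    print("aws cloudfront update-distribution --id EDFDVBD6EXAMPLE "
          "--distribution-config file://distribution-config.json "
          f"--if-match {etag}")
```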