Using AWS WAF Rule Groups To Build Complex Rules- Part 2

Vinayak Pandey
2 min read, Nov 19, 2024


In https://medium.com/aws-tip/using-aws-waf-rule-groups-to-build-complex-rules-5a93bc946391, we discussed how we can use WAF rule groups to allow access to a URL only if it’s coming from a specific country and contains a specific header. In this post, we’ll see how we can do the same with regular nested rules.

We have four URLs: <alb_dns>/website1.html, <alb_dns>/website2.html, <alb_dns>/website3.html and <alb_dns>/website4.html. We'll configure WAF rules so that website1 and website2 are accessible only from Singapore and only when a specific header is passed, while website3 and website4 can be accessed from Singapore without any header.

Rule 1 blocks requests for website1 or website2 that either do not originate from Singapore or do not carry the header test with the value 123:

{
  "Name": "Block-Test-URIs-NotSingapore-OrInvalidHeader",
  "Priority": 0,
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "OrStatement": {
            "Statements": [
              {
                "ByteMatchStatement": {
                  "SearchString": "/website1.html",
                  "FieldToMatch": {
                    "UriPath": {}
                  },
                  "TextTransformations": [
                    {
                      "Priority": 0,
                      "Type": "NONE"
                    }
                  ],
                  "PositionalConstraint": "EXACTLY"
                }
              },
              {
                "ByteMatchStatement": {
                  "SearchString": "/website2.html",
                  "FieldToMatch": {
                    "UriPath": {}
                  },
                  "TextTransformations": [
                    {
                      "Priority": 0,
                      "Type": "NONE"
                    }
                  ],
                  "PositionalConstraint": "EXACTLY"
                }
              }
            ]
          }
        },
        {
          "OrStatement": {
            "Statements": [
              {
                "NotStatement": {
                  "Statement": {
                    "GeoMatchStatement": {
                      "CountryCodes": [
                        "SG"
                      ]
                    }
                  }
                }
              },
              {
                "NotStatement": {
                  "Statement": {
                    "ByteMatchStatement": {
                      "SearchString": "123",
                      "FieldToMatch": {
                        "SingleHeader": {
                          "Name": "test"
                        }
                      },
                      "TextTransformations": [
                        {
                          "Priority": 0,
                          "Type": "NONE"
                        }
                      ],
                      "PositionalConstraint": "EXACTLY"
                    }
                  }
                }
              }
            ]
          }
        }
      ]
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "Block-Test-URIs-NotSingapore-OrInvalidHeader"
  }
}

Rule 2 blocks requests for website3 or website4 that do not originate from Singapore, with no header check:

{
  "Name": "Block-Test-URIs-NotSingapore",
  "Priority": 1,
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "OrStatement": {
            "Statements": [
              {
                "ByteMatchStatement": {
                  "SearchString": "/website3.html",
                  "FieldToMatch": {
                    "UriPath": {}
                  },
                  "TextTransformations": [
                    {
                      "Priority": 0,
                      "Type": "NONE"
                    }
                  ],
                  "PositionalConstraint": "EXACTLY"
                }
              },
              {
                "ByteMatchStatement": {
                  "SearchString": "/website4.html",
                  "FieldToMatch": {
                    "UriPath": {}
                  },
                  "TextTransformations": [
                    {
                      "Priority": 0,
                      "Type": "NONE"
                    }
                  ],
                  "PositionalConstraint": "EXACTLY"
                }
              }
            ]
          }
        },
        {
          "NotStatement": {
            "Statement": {
              "GeoMatchStatement": {
                "CountryCodes": [
                  "SG"
                ]
              }
            }
          }
        }
      ]
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "Block-Test-URIs-NotSingapore"
  }
}

You can change "PositionalConstraint": "EXACTLY" to "PositionalConstraint": "CONTAINS" if required.
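Because nested And/Or/Not statements are easy to get backwards, it helps to check the intended allow/block outcome offline before deploying. The following is an added example, not code from the post: a small evaluator for the statement types the two rules use (AndStatement, OrStatement, NotStatement, GeoMatchStatement and ByteMatchStatement on UriPath or SingleHeader), with the rules rebuilt from compact helpers. The request dict shape ({"uri", "country", "headers"}) is an assumption of this example, and TextTransformations are ignored because the post uses only NONE.

```python
def uri(path):  # ByteMatchStatement on UriPath, as in the post's rules
    return {"ByteMatchStatement": {"SearchString": path, "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}], "PositionalConstraint": "EXACTLY"}}

def header(name, value):  # ByteMatchStatement on a SingleHeader
    return {"ByteMatchStatement": {"SearchString": value, "FieldToMatch": {"SingleHeader": {"Name": name}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}], "PositionalConstraint": "EXACTLY"}}

NOT_SG = {"NotStatement": {"Statement": {"GeoMatchStatement": {"CountryCodes": ["SG"]}}}}

RULES = [  # the two rules from the post, rebuilt with the helpers above
    {"Name": "Block-Test-URIs-NotSingapore-OrInvalidHeader", "Priority": 0, "Action": {"Block": {}},
     "Statement": {"AndStatement": {"Statements": [
         {"OrStatement": {"Statements": [uri("/website1.html"), uri("/website2.html")]}},
         {"OrStatement": {"Statements": [NOT_SG, {"NotStatement": {"Statement": header("test", "123")}}]}}]}}},
    {"Name": "Block-Test-URIs-NotSingapore", "Priority": 1, "Action": {"Block": {}},
     "Statement": {"AndStatement": {"Statements": [
         {"OrStatement": {"Statements": [uri("/website3.html"), uri("/website4.html")]}}, NOT_SG]}}},
]

def matches(stmt, req):
    """Evaluate one nested WAF statement against a constructed request dict
    {"uri": ..., "country": ..., "headers": {...}} (request shape is assumed)."""
    (kind, body), = stmt.items()
    if kind == "AndStatement":
        return all(matches(s, req) for s in body["Statements"])
    if kind == "OrStatement":
        return any(matches(s, req) for s in body["Statements"])
    if kind == "NotStatement":
        return not matches(body["Statement"], req)
    if kind == "GeoMatchStatement":
        return req["country"] in body["CountryCodes"]
    if kind == "ByteMatchStatement":
        field = body["FieldToMatch"]
        if "UriPath" in field:
            value = req["uri"]
        else:  # SingleHeader; WAF matches header names case-insensitively
            name = field["SingleHeader"]["Name"].lower()
            value = {k.lower(): v for k, v in req["headers"].items()}.get(name, "")
        needle = body["SearchString"]
        return value == needle if body["PositionalConstraint"] == "EXACTLY" else needle in value
    raise ValueError(f"unsupported statement type: {kind}")

def blocking_rule(req, rules=RULES):
    """Return the name of the first Block rule (by priority) that matches, else None."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if "Block" in rule["Action"] and matches(rule["Statement"], req):
            return rule["Name"]
    return None
```

The evaluator also honours CONTAINS, so you can see that switching the constraint makes a UriPath match any path that includes the search string rather than only the exact path.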

Now test it from Singapore, and then from any other region.


Written by Vinayak Pandey

Experienced Cloud Engineer with a knack of automation. Linkedin profile: https://www.linkedin.com/in/vinayakpandeyit/
