Got a false positive! AWS WAF HostingProviderIPList may block system linking.
Masayoshi Haruta
Posted on October 9, 2022
I ran into a false positive the other day, so I'd share it; There is a rule AWSManagedRulesAnonymousIpList
in AWS WAF v2, use of the HostingProviderIPList
in it may need a little care in a particular situation.
What the problem
First, let me explain what the rules are.
RuleName | Detail |
---|---|
AWSManagedRulesAnonymousIpList | Inspects for a list of IP addresses of sources known to anonymize client information, like TOR nodes, temporary proxies, and other masking services. |
HostingProviderIPList | Inspects for a list of IP addresses from hosting and cloud providers, which are less likely to source end-user traffic. The IP list does not include AWS IP addresses. |
It is a very useful rule set that usually blocks suspicious accesses. However, the other day I decided to integrate the web service with my customer's external system, and when testing, we encountered a problem where communication could not be established and the service was blocked. As a result, we have set the rule set to "Count" and are now observing whether we should really turn off the rule set.
Workaround
I used Terraform to build the WAF, so this will be an explanation using Terraform. The change is quite simple, just add excluded_rule
to the rule in the aws_wafv2_web_acl
I hope it will be of some help to anyone who is encountering the same problem.
Appendix
By the way, if you want to build a WAF using Terraform, please refer to my previous article!
How to set up AWS WAF v2 with Terraform
Masayoshi Haruta for AWS Community Builders ・ Jul 15 '22 ・ 7 min read
Thank you for reading!
Posted on October 9, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.