Disable NonBrowserUserAgent in AWS CDK Waf


We set up a WAF in AWS CDK with default rules, and it includes a rule that blocks any request with SignalNonBrowserUserAgent. It's tough to get around this when your clients are apps, Postman, or Python requests.

I couldn't find a solution to this and spent a few days figuring it out, so I'm documenting the setup and solution for anyone else who has struggled with this. The WAF was instantiated with the following code:

    from aws_solutions_constructs.aws_wafwebacl_apigateway import WafwebaclToApiGateway
    my_waf = WafwebaclToApiGateway(scope, waf_id, existing_api_gateway_interface=gateway)

There is 1 answer

RooterTooter On

Solution:

I first used the web console to manually disable this signal. Click your WebACL -> Rules -> AWSManagedRulesBotControlRuleSet -> Edit. Once the signal was disabled, I looked in the JSON tab to find the correct format of the rule.

    {
      "Name": "AWS-AWSManagedRulesBotControlRuleSet",
      "Priority": 0,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesBotControlRuleSet",
          "RuleActionOverrides": [
            {
              "Name": "SignalNonBrowserUserAgent",
              "ActionToUse": {
                "Allow": {}
              }
            }
          ]
        }
      },
      "OverrideAction": {
        "None": {}
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AWSManagedRulesBotControlRuleSet"
      }
    }

Then I checked the `cdk.out/<my_stack>.template.json` folder to find where this rule was located, to add a rule override in the correct spot.

The final code ended up being:

    from aws_cdk import aws_wafv2 as waf
    from aws_solutions_constructs.aws_wafwebacl_apigateway import WafwebaclToApiGateway

    my_waf = WafwebaclToApiGateway(scope, waf_id, existing_api_gateway_interface=gateway)

    # Override the SignalNonBrowserUserAgent rule action to Allow
    non_browser_override = [
        {"Name": "SignalNonBrowserUserAgent", "ActionToUse": {"Allow": {}}}
    ]

    # Find the index of the AWSManagedRulesBotControlRuleSet group in the
    # synthesized Rules list; the property-override path must point at that index.
    for i, rule in enumerate(my_waf.webacl.rules):  # type: ignore
        if (
            isinstance(rule, waf.CfnWebACL.RuleProperty)
            and rule.name == "AWS-AWSManagedRulesBotControlRuleSet"
        ):
            my_waf.webacl.add_property_override(
                f"Rules.{i}.Statement.ManagedRuleGroupStatement.RuleActionOverrides",
                non_browser_override,
            )
            break

I hope this saves someone else some time.
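The template check described in the answer, as an added example that is not part of the original post: it locates the Bot Control rule in a synthesized `cdk.out/<stack>.template.json`, builds the same dotted path the answer passes to `add_property_override`, and lists which managed-rule labels the template downgrades to Allow, so a reviewer can confirm before `cdk deploy` that only `SignalNonBrowserUserAgent` was relaxed. The template and the logical ID `MyWafAcl` are constructed stand-ins, not output from the author's stack.

```python
import json

# Constructed stand-in for cdk.out/<stack>.template.json (in practice:
# template = json.load(open(path))). Bot Control is deliberately NOT at index 0,
# which is why the index has to be looked up rather than hard-coded.
SAMPLE_TEMPLATE = {
    "Resources": {
        "MyWafAcl": {  # hypothetical logical ID
            "Type": "AWS::WAFv2::WebACL",
            "Properties": {
                "Rules": [
                    {"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 0,
                     "Statement": {"ManagedRuleGroupStatement": {
                         "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}},
                    {"Name": "AWS-AWSManagedRulesBotControlRuleSet", "Priority": 1,
                     "Statement": {"ManagedRuleGroupStatement": {
                         "VendorName": "AWS", "Name": "AWSManagedRulesBotControlRuleSet",
                         "RuleActionOverrides": [
                             {"Name": "SignalNonBrowserUserAgent",
                              "ActionToUse": {"Allow": {}}}]}}},
                ]
            },
        }
    }
}


def locate_rule(template, rule_name):
    """Find the named rule in any AWS::WAFv2::WebACL resource of a synthesized
    template. Returns (logical_id, index, rule_dict) or None if absent."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::WAFv2::WebACL":
            continue
        for i, rule in enumerate(res.get("Properties", {}).get("Rules", [])):
            if rule.get("Name") == rule_name:
                return logical_id, i, rule
    return None


def override_path(index):
    """The dotted CloudFormation path used with CfnWebACL.add_property_override."""
    return f"Rules.{index}.Statement.ManagedRuleGroupStatement.RuleActionOverrides"


def allowed_signals(template, rule_name):
    """Labels of the managed rule group that the template switches to Allow.
    Review this before deploying: it should list only the signal you intended."""
    hit = locate_rule(template, rule_name)
    if hit is None:
        return []
    stmt = hit[2].get("Statement", {}).get("ManagedRuleGroupStatement", {})
    return [o["Name"] for o in stmt.get("RuleActionOverrides", [])
            if "Allow" in o.get("ActionToUse", {})]
```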