-
Notifications
You must be signed in to change notification settings - Fork 0
/
AWSWebApplicationFirewall.yaml
258 lines (234 loc) · 11.5 KB
/
AWSWebApplicationFirewall.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
version: 1
ATT&CK version: 9
creation date: 05/25/2021
name: AWS Web Application Firewall
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: AWS
tags:
- Network
description: >-
The AWS Web Application Firewall (WAF) protects web applications and Application Programmer
Interfaces (APIs) from exploits and bots that may impact the availability and security of
resources by filtering out unwanted or malicious web traffic based on a set of rules. AWS WAF can
be configured to control how Amazon CloudFront, Amazon API Gateway REST API, Application Load
Balancer, and AWS AppSync GraphQL API respond to web requests. This mapping focuses on the AWS
Managed Rules rule groups currently available. It does not cover paid solutions from Amazon or
managed rules from Amazon Marketplace.
techniques:
- id: T1190
name: Exploit Public-Facing Application
technique-scores:
- category: Protect
value: Significant
comments: >-
The AWS WAF protects public-facing applications against a range of vulnerabilities
including those listed in the OWASP Top 10. AWS WAF provides this protection via the
following rule sets that block malicious traffic across a variety of operating systems and
applications.
AWSManagedRulesCommonRuleSet
AWSManagedRulesKnownBadInputRuleSet
AWSManagedRulesSQLiRuleSet
AWSManagedRulesLinuxRuleSet
AWSManagedRulesUnixRuleSet
AWSManagedRulesWindowsRuleSet
AWSManagedRulesPHPRuleSet
AWSManagedRulesWordPressRuleSet
This is given a score of Significant because it protects against vulnerabilities across
multiple operating systems (Windows, Linux, POSIX) and technologies (JavaScript, SQL, PHP, WordPress).
Furthermore, it blocks the malicious content in near real-time.
- id: T1189
name: Drive-by Compromise
technique-scores:
- category: Protect
value: Significant
comments: >-
AWS WAF protects against drive-by compromises by blocking malicious traffic that contains
cross-site scripting patterns with the following rule set.
AWSManagedRulesCommonRuleSet
This is scored as Significant because the rule set is broadly applicable to web
applications and blocks the malicious traffic in near real-time.
- id: T1203
name: Exploitation for Client Execution
technique-scores:
- category: Protect
value: Significant
comments: >-
AWS WAF protects against exploitation for client execution (browser-based exploitation) by
blocking malicious traffic that contains cross-site scripting patterns with the following
rule set.
AWSManagedRulesCommonRuleSet
This is scored as Significant because the rule set is broadly applicable to web
applications and blocks the malicious traffic in near real-time.
- id: T1059
name: Command and Scripting Interpreter
technique-scores:
- category: Protect
value: Partial
comments: >-
The AWS WAF protects web applications from injection attacks that leverage command and
scripting interpreters. AWS WAF provides this protection via the following rule sets that
block malicious traffic across a variety of operating systems and applications.
AWSManagedRulesCommonRuleSet
AWSManagedRulesSQLiRuleSet
AWSManagedRulesUnixRuleSet
AWSManagedRulesWindowsRuleSet
AWSManagedRulesPHPRuleSet
AWSManagedRulesWordPressRuleSet
This is given a score of Partial (instead of Minimal) because while it only protects
against a subset of sub-techniques (3 out of 8), it does provide protections for command
and scripting interpreters that do not have sub-techniques (SQL, PHP, etc.). Furthermore,
it blocks the malicious content in near real-time.
sub-techniques-scores:
- sub-techniques:
- id: T1059.001
name: PowerShell
- id: T1059.004
name: Unix Shell
- id: T1059.007
name: JavaScript
scores:
- category: Protect
value: Significant
comments: >-
The AWS WAF protects web applications from injection attacks that leverage command and
scripting interpreters. AWS WAF provides this protection via the following rule sets
that block malicious traffic across a variety of operating systems and applications.
AWSManagedRulesCommonRuleSet
AWSManagedRulesSQLiRuleSet
AWSManagedRulesUnixRuleSet
AWSManagedRulesWindowsRuleSet
AWSManagedRulesPHPRuleSet
AWSManagedRulesWordPressRuleSet
This is given a score of Significant because it provides protections for
PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious
content in near real-time.
- id: T1090
name: Proxy
technique-scores:
- category: Protect
value: Partial
comments: >-
The AWS WAF protects web applications from access by adversaries that leverage tools that
obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this
protection via the following rule set that blocks incoming traffic from IP addresses known
to anonymize connection information or be less likely to source end user traffic.
AWSManagedRulesAnonymousIpList
This is given a score of Partial because it provides protections for only a subset of the
sub-techniques (2 out of 4) and is based only on known IP addresses. Furthermore, it
blocks the malicious content in near real-time.
sub-techniques-scores:
- sub-techniques:
- id: T1090.002
name: External Proxy
- id: T1090.003
name: Multi-hop Proxy
scores:
- category: Protect
value: Partial
comments: >-
The AWS WAF protects web applications from access by adversaries that leverage tools
that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF
provides this protection via the following rule set that blocks incoming traffic from
IP addresses known to anonymize connection information or be less likely to source end
user traffic.
AWSManagedRulesAnonymousIpList
This is given a score of Partial because it provide protections for only a subset of
the sub-techniques (2 out of 4) and is based only on known IP addresses. Furthermore,
it blocks the malicious content in near real-time.
- id: T1595
name: Active Scanning
technique-scores:
- category: Protect
value: Partial
comments: >-
AWS WAF protects against bots that run scans against web applications such as Nessus
(vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF
does this by blocking malicious traffic that indicates bad bots such as those listed above
(e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this
protection.
AWSManagedRulesCommonRuleSet
AWSManagedRulesBotControlRuleSet
This is scored as Partial because the rule sets, while they block malicious traffic in
near real-time, only protect web applications against scans performed by bots.
sub-techniques-scores:
- sub-techniques:
- id: T1595.001
name: Scanning IP Blocks
- id: T1595.002
name: Vulnerability Scanning
scores:
- category: Protect
value: Partial
comments: >-
AWS WAF protects against bots that run scans against web applications such as Nessus
(vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF
does this by blocking malicious traffic that indicate bad bots such as those listed
above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide
this protection.
AWSManagedRulesCommonRuleSet
AWSManagedRulesBotControlRuleSet
This is scored as Partial because the rule sets, while they block malicious traffic
in near real-time, only protect web applications against scans performed by bots.
- id: T1046
name: Network Service Scanning
technique-scores:
- category: Protect
value: Partial
comments: >-
AWS WAF protects against bots that run scans against web applications such as Nessus
(vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF
does this by blocking malicious traffic that indicate bad bots such as those listed above
(e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this
protection.
AWSManagedRulesCommonRuleSet
AWSManagedRulesBotControlRuleSet
This is scored as Partial because the rule sets, while they block malicious traffic in
near real-time, only protect web applications against scans performed by bots.
- id: T1071
name: Application Layer Protocol
technique-scores:
- category: Protect
value: Minimal
comments: >-
AWS WAF protects against this by inspecting incoming requests and blocking malicious
traffic. AWS WAF uses the following rule sets to provide this protection.
AWSManagedRulesCommonRuleSet
AWSManagedRulesAdminProtectionRuleSet
AWSManagedRulesKnownBadInputsRuleSet
AWSManagedRulesSQLiRuleSet
AWSManagedRulesLinuxRuleSet
AWSManagedRulesUnixRuleSet
AWSManagedRulesWindowsRuleSet
AWSManagedRulesPHPRuleSet
AWSManagedRulesWordPressRuleSet
AWSManagedRulesBotControlRuleSet
This is scored as Minimal because the rule sets only protect against a subset of the
sub-techniques (1 of 4).
sub-techniques-scores:
- sub-techniques:
- id: T1071.001
name: Web Protocols
scores:
- category: Protect
value: Minimal
comments: >-
AWS WAF protects against this by inspecting incoming requests and blocking malicious
traffic. AWS WAF uses the following rule sets to provide this protection.
AWSManagedRulesCommonRuleSet
AWSManagedRulesAdminProtectionRuleSet
AWSManagedRulesKnownBadInputsRuleSet
AWSManagedRulesSQLiRuleSet
AWSManagedRulesLinuxRuleSet
AWSManagedRulesUnixRuleSet
AWSManagedRulesWindowsRuleSet
AWSManagedRulesPHPRuleSet
AWSManagedRulesWordPressRuleSet
AWSManagedRulesBotControlRuleSet
This is scored as Minimal because the rule sets only protect against the web protocols
sub-technique.
references:
- 'https://aws.amazon.com/waf/'
- 'https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html'
- 'https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html'
- 'https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html'