Bot Detection and Mitigation for AI Services with AWS WAFv2

Question

Pulumi · Accepted Answer

To set up bot detection and mitigation for AI services using AWS WAFv2, we will create a Web Access Control List (Web ACL) and define rules that specify the conditions under which requests should be allowed, blocked, or counted for further analysis. AWS WAFv2 enables you to manage bots by leveraging managed rule sets such as the AWSManagedRulesCommonRuleSet which includes rules that are generally applicable to web applications.

Below is a detailed Pulumi program written in Python that creates a WAFv2 Web ACL with a default action to block requests that do not match any rules. We'll add a managed rule group to it, which includes predefined rules managed by AWS that offer protection against common web exploits and bots.

The program performs the following steps:
1. Creates an IP set to define which IP addresses are allowed or blocked.
2. Defines a rule to include the AWS managed rule set for common attacks, including bot control.
3. Sets up a Web ACL with rules associated, including the managed rule set.
4. (Optionally) Associate the Web ACL with an AWS resource, such as an Application Load Balancer or an API Gateway. This part is commented out and can be customized based on the actual resource you want to protect with WAF.

Here is the Python program that accomplishes this:

```python
import pulumi
import pulumi_aws as aws

# Create an IP Set - this can be used to allow or block specific IP addresses or ranges
ip_set = aws.wafv2.IpSet("myIpSet",
    scope="REGIONAL",  # Change to "CLOUDFRONT" if you're using this with Amazon CloudFront
    ip_address_version="IPV4",
    addresses=[
        "192.0.2.44/32",
        "203.0.113.0/24",
    ],
    # Optional: add a description for this IP set
    description="My IP Set for allowing specific IP ranges",
)

# Define a rule to include the AWS managed rule set for common web exploits, including bot control
managed_rule_group_statement = aws.wafv2.RuleGroupRule(
    name="AWS-AWSManagedRulesCommonRuleSet",
    priority=0,
    override_action={"none": {}},  # This ensures that the managed rule group action is taken
    visibility_config={
        "cloudwatch_metrics_enabled": True,
        "metric_name": "AWSManagedRulesCommon",
        "sampled_requests_enabled": True,
    },
    statement={
        "managed_rule_group_statement": {
            "vendor_name": "AWS",
            "name": "AWSManagedRulesCommonRuleSet",
        },
    },
)

# Create a Web ACL
web_acl = aws.wafv2.WebAcl("myWebAcl",
    scope="REGIONAL",  # Change to "CLOUDFRONT" if you're using this with Amazon CloudFront
    default_action={"block": {}},  # Default action to take when a request doesn't match any rules
    visibility_config={
        "cloudwatch_metrics_enabled": True,
        "metric_name": "WebAcl",
        "sampled_requests_enabled": True,
    },
    rules=[
        managed_rule_group_statement,
    ],
    # Optional: add a description for this ACL
    description="My Web ACL to manage common web exploits and bots",
)

# OPTIONAL: Associate the Web ACL with a specific AWS resource such as an Application Load Balancer
# web_acl_association = aws.wafv2.WebAclAssociation("myWebAclAssociation",
#     resource_arn="the ARN of the resource",  # Replace with the actual ARN
#     web_acl_arn=web_acl.arn,
# )

# Export the Web ACL ID
pulumi.export("web_acl_id", web_acl.id)
```

In this program, the `ip_set` resource is used to maintain a list of allowed or blocked IP addresses. Adjust the IP addresses in the `addresses` list as per your requirements.

The `managed_rule_group_statement` represents a wrapper around the managed rule provided by AWS which targets common web attacks. Managed rules are predefined, maintained, and updated by AWS, therefore requiring less effort to set up.

The `web_acl` resource is the container for rules that define the web ACL behavior. Our default action is to block requests. We include our managed rule set in the rules list of the web ACL.

The `web_acl_association` is commented out, but it shows how you could associate your web ACL with a specific AWS resource.

Remember to replace the `resource_arn` value with the actual ARN of the AWS resource you want to protect with WAFv2.

Please ensure that your AWS credentials are configured correctly in your environment for Pulumi to manage these resources. You'll need to have an AWS account and the correct permissions to create these resources.