1. Real-time Inference Traffic Filtering with AWS WAF


    AWS WAF (Web Application Firewall) is a web application firewall service that helps protect web applications from common web exploits and bots that could affect application availability, compromise security, or consume excessive resources. Using AWS WAF, you can create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.

    Real-time inference traffic filtering with AWS WAF involves creating a set of rules that analyze and filter traffic in real-time, blocking potentially harmful requests before they reach your application.

    Below, you'll find a Pulumi program written in Python that sets up an AWS WAF Web ACL (Access Control List) with a basic set of rules to filter web traffic. This program can be a starting point for setting up your traffic filtering requirements. It includes:

    • A WAF IP set to block requests from specified IP addresses.
    • A byte match set to filter requests based on byte sequences.
    • A SQL injection attack condition.
    • A size constraint condition.
    • A Web ACL that brings all conditions together to filter the incoming traffic.

    The following Pulumi Python program demonstrates how to use these resources to create a basic WAF setup:

    import pulumi import pulumi_aws as aws # Create a new WAF IP Set ip_set = aws.waf.IpSet("ipSet", ip_set_descriptors=[ aws.waf.IpSetIpSetDescriptorArgs( type="IPV4", value="" ) ] ) # Create a new WAF Byte Match Set byte_match_set = aws.waf.ByteMatchSet("byteMatchSet", byte_match_tuples=[ aws.waf.ByteMatchSetByteMatchTupleArgs( field_to_match=aws.waf.ByteMatchSetByteMatchTupleFieldToMatchArgs( type="QUERY_STRING" ), positional_constraint="CONTAINS", target_string="bad-content", text_transformation="URL_DECODE" ) ] ) # Create a new WAF SQL Injection Match Set sql_injection_match_set = aws.waf.SqlInjectionMatchSet("sqlInjectionMatchSet", sql_injection_match_tuples=[ aws.waf.SqlInjectionMatchSetSqlInjectionMatchTupleArgs( field_to_match=aws.waf.SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatchArgs( type="QUERY_STRING" ), text_transformation="URL_DECODE" ) ] ) # Create a new WAF Size Constraint Set size_constraint_set = aws.waf.SizeConstraintSet("sizeConstraintSet", size_constraints=[ aws.waf.SizeConstraintSetSizeConstraintArgs( comparison_operator="GE", field_to_match=aws.waf.SizeConstraintSetSizeConstraintFieldToMatchArgs( type="QUERY_STRING" ), size=1024, text_transformation="NONE" ) ] ) # Create a new WAF Web ACL web_acl = aws.waf.WebAcl("webAcl", default_action=aws.waf.WebAclDefaultActionArgs( type="ALLOW" ), metric_name="webAclMetric", rules=[ aws.waf.WebAclRuleArgs( action=aws.waf.WebAclRuleActionArgs( type="BLOCK" ), priority=1, rule_id=ip_set.id, type="REGULAR" ), aws.waf.WebAclRuleArgs( action=aws.waf.WebAclRuleActionArgs( type="BLOCK" ), priority=2, rule_id=byte_match_set.id, type="REGULAR" ), aws.waf.WebAclRuleArgs( action=aws.waf.WebAclRuleActionArgs( type="BLOCK" ), priority=3, rule_id=sql_injection_match_set.id, type="REGULAR" ), aws.waf.WebAclRuleArgs( action=aws.waf.WebAclRuleActionArgs( type="BLOCK" ), priority=4, rule_id=size_constraint_set.id, type="REGULAR" ) ] ) # Output the IDs of the created resources pulumi.export("web_acl_id", web_acl.id) pulumi.export("ip_set_id", ip_set.id) pulumi.export("byte_match_set_id", byte_match_set.id) pulumi.export("sql_injection_match_set_id", sql_injection_match_set.id) pulumi.export("size_constraint_set_id", size_constraint_set.id)

    Let's break down this program:

    • We start by creating an IP set, which is a list of IP addresses that we want to block. In this example, we block the IP range
    • Next, we create a byte match set that filters requests containing the string "bad-content" in the query string after URL decoding the input.
    • We then define a SQL injection match set to identify and filter out requests that include elements of a SQL injection attack.
    • Alongside, we create a size constraint set which matches queries greater than 1024 bytes, which is a simple way to filter out unusually large requests.
    • Finally, we combine these conditions into a web ACL, which processes incoming requests and blocks those that match any of the specified conditions. The default action is to allow requests, so only those specified by the rules will be blocked.
    • The priority parameter orders the way rules are evaluated. Lower numbers denote higher priority; rules are processed from lowest to highest number.
    • The program exports the IDs of the resources to be possibly used in other programs or for reference.

    This Web ACL can then be associated with an AWS resource such as an Application Load Balancer or an Amazon CloudFront distribution to protect your applications and services in real-time. This program provides a foundational setup, and you can further customize it based on your own application's requirements and the threats you want to mitigate.

    Remember to replace the example IPs and strings with values that are relevant to your application and security needs.

    This Pulumi program will need to be deployed using the Pulumi CLI. First, you write this code into a file with a .py extension, then you run pulumi update to provision the resources defined in this code. You must have AWS credentials configured on the machine where you're running Pulumi and the appropriate AWS permissions to create WAF resources.