Input Sanitization for AI Web Applications with AWS WAF

Question

Pulumi · Accepted Answer

AWS WAF (Web Application Firewall) provides a way to protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. To set up basic input sanitization for your AI web applications, you can define a set of rules that inspect parts of each request to your application and block potentially malicious requests.

Pulumi allows you to define these rules and resources using infrastructure as code, making your setup easily reproducible and versionable.

Let's create a Pulumi program in Python that sets up an AWS WAF with rules to protect against SQL injection and Cross-Site Scripting (XSS) attacks:

1. **SQL Injection Protection**: We will create a `SqlInjectionMatchSet` that contains rules that look for common SQL injection patterns in query strings or body arguments.
2. **XSS Protection**: We will create an `XssMatchSet` that contains rules that inspect the body of POST requests for cross-site scripting attacks.
3. **Rule and WebAcl**: We will then create `Rules` that match those patterns and add them to a `WebAcl`, assigning an action for AWS WAF to take when a request matches the rule (e.g., block the request).

Below is a Pulumi program that accomplishes this:

```python
import pulumi
import pulumi_aws as aws

# Create SQL Injection Match Set
sql_injection_match_set = aws.waf.SqlInjectionMatchSet("sqlInjectionMatchSet",
    name="sqlInjectionMatchSet",
    sql_injection_match_tuples=[
        aws.waf.SqlInjectionMatchSetSqlInjectionMatchTupleArgs(
            field_to_match=aws.waf.SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatchArgs(
                type="QUERY_STRING"
            ),
            text_transformation="URL_DECODE"
        )
    ]
)

# Create XSS Match Set
xss_match_set = aws.waf.XssMatchSet("xssMatchSet",
    name="xssMatchSet",
    xss_match_tuples=[
        aws.waf.XssMatchSetXssMatchTupleArgs(
            field_to_match=aws.waf.XssMatchSetXssMatchTupleFieldToMatchArgs(
                type="BODY"
            ),
            text_transformation="URL_DECODE"
        )
    ]
)

# Create a Rule referencing the SQL Injection Match Set
sql_injection_rule = aws.waf.Rule("sqlInjectionRule",
    name="sqlInjectionRule",
    metric_name="sqlInjectionMetric",
    predicates=[
        aws.waf.RulePredicateArgs(
            data_id=sql_injection_match_set.id,
            negated=False,
            type="SqlInjectionMatch"
        )
    ]
)

# Create a Rule referencing the XSS Match Set
xss_match_rule = aws.waf.Rule("xssMatchRule",
    name="xssMatchRule",
    metric_name="xssMatchMetric",
    predicates=[
        aws.waf.RulePredicateArgs(
            data_id=xss_match_set.id,
            negated=False,
            type="XssMatch"
        )
    ]
)

# Create a Web ACL which will utilize the rules
web_acl = aws.waf.WebAcl("webAcl",
    name="webAcl",
    metric_name="webAclMetric",
    default_action=aws.waf.WebAclDefaultActionArgs(
        type="ALLOW"
    ),
    rules=[
        aws.waf.WebAclRuleArgs(
            action=aws.waf.WebAclRuleActionArgs(
                type="BLOCK"
            ),
            priority=1,
            rule_id=sql_injection_rule.id
        ),
        aws.waf.WebAclRuleArgs(
            action=aws.waf.WebAclRuleActionArgs(
                type="BLOCK"
            ),
            priority=2,
            rule_id=xss_match_rule.id
        )
    ]
)

# Export the ID of the Web ACL to be used with other AWS services like API Gateway or ALB
pulumi.export("web_acl_id", web_acl.id)
```

### Explanation:

In this program:

- We first set up two match sets: one for SQL injection patterns and one for XSS patterns. They look at different parts of the request (the query string and the body, respectively).
- Then we create two AWS WAF rules that reference these match sets and specify the "BLOCK" action if the conditions of the match sets are met.
- Finally, we create a `WebAcl` and associate our rules with it. The default action is "ALLOW," which means that if a request does not match any rules, it will be allowed.
- We export the ID of the `WebAcl` so that it can be referenced in other parts of our AWS infrastructure.

Remember to replace `"webAcl"` and other `name` parameters with unique names that fit your naming conventions.

Please note, holding this configuration under version control ensures you can track changes to your security rules over time. You can expand upon this example by adding more sophisticated rules, rate-based rules to protect against DDoS attacks, and more. Before running this, ensure you have set up your AWS credentials for Pulumi to use.