Real-Time Threat Detection in AI Applications with AWS WAF

Question

Pulumi · Accepted Answer

To set up real-time threat detection for AI applications in AWS, you can use the AWS Web Application Firewall (WAF) to monitor the HTTP and HTTPS requests that are forwarded to an Amazon API Gateway API, an Amazon CloudFront distribution, or an Application Load Balancer. AWS WAF also allows you to control access to your content. You can create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.

In the following Pulumi program, we will create an AWS WAF WebAcl resource, which acts as a set of rules that we can apply to the CloudFront distribution, API Gateway, or Application Load Balancer to control web traffic. The `WebAcl` will contain rules that specify conditions like IP addresses, HTTP headers, HTTP body, or URI strings that trigger AWS WAF to block, allow, or count the requests.

Here is what each part of the program does:

1. **Create a Web Application Firewall (WAF) ACL:**  This includes a default action for requests that do not match any rules (`allow` in this case), and includes rules (like the ones for rate limiting and SQL injection detection).

2. **Define WAF Rules:** These are the individual rules that make up the WebAcl. They can match patterns like specific strings in queries, headers, IP addresses, etc., and define actions to take on matched requests.

3. **Deploy an Application Load Balancer (ALB):** This isn't directly related to WAF, but you would typically attach the WAF ACL to an ALB to protect the applications behind it.

4. **Associate the WebACL:** Finally, we associate the WebACL with the ALB to put our WAF into effect for the applications behind our ALB.

Remember that for a real deployment, you should carefully plan and configure each rule according to your specific application's needs, including adding rules for common web vulnerabilities and adjusting the default action to your requirements.

Below is a basic Pulumi Python program that demonstrates how to set this up:

```python
import pulumi
import pulumi_aws as aws

# Create WAFv2 IP Set for any IP-based conditions
ip_set = aws.wafv2.IpSet("exampleIpSet",
    addresses=[
        "192.0.7.0/24",
        "10.0.0.0/8",
    ],
    ip_address_version="IPV4",
    scope="REGIONAL"
)

# Create a WebACL that points to the latest available managed rule groups.
web_acl = aws.wafv2.WebAcl("exampleWebAcl",
    default_action={"allow": {}},
    scope="REGIONAL",
    visibility_config={
        "sampled_requests_enabled": True,
        "cloudwatch_metrics_enabled": True,
        "metric_name": "example",
    },
    rules=[
        {
            "name": "Rule1",
            "priority": 1,
            "action": {
                "block": {}
            },
            "statement": {
                "ip_set_reference_statement": {
                    "arn": ip_set.arn
                }
            },
            "visibility_config": {
                "sampled_requests_enabled": True,
                "cloudwatch_metrics_enabled": True,
                "metric_name": "exampleRule1",
            }
        },
        {
            "name": "RateLimitRule",
            "priority": 2,
            "action": {
                "block": {}
            },
            "statement": {
                "rate_based_statement": {
                    "limit": 1000,
                    "aggregate_key_type": "IP"
                }
            },
            "visibility_config": {
                "sampled_requests_enabled": True,
                "cloudwatch_metrics_enabled": True,
                "metric_name": "RateLimitRule",
            }
        }
    ]
)

# Depending on where you want to associate this WebACL, you would associate it with the resource.
# Below, we just define a WebACL without associating it with a specific resource. For actual use, you would
# associate it with resources like CloudFront, API Gateway, or an Application Load Balancer.

# Output the ID of the WebACL to be used in other parts of our infrastructure
pulumi.export('web_acl_id', web_acl.id)
```

In this program:

- We create an IP set that defines a set of IP addresses that we want to filter on. We name it 'exampleIpSet'.
- We then create a WebACL named 'exampleWebAcl' with a default action to allow requests. It logs sampled requests and CloudWatch metrics for visibility.
- Inside the WebACL, we define two rules. The first rule named 'Rule1' blocks requests from the IPs we defined in 'exampleIpSet'. The second rule named 'RateLimitRule' sets up rate-based blocking to protect against DDoS attacks.
- Finally, we export the `web_acl_id` that can be used to associate the WebACL with other AWS resources like an Application Load Balancer (ALB), Amazon CloudFront distribution, or Amazon API Gateway.

To proceed further, you would typically continue to add more rules for SQL injection, XSS, and more, based on the [available managed rule groups](https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/#managedrulegroupstatement) or define your own custom rules.

This is a basic setup and starting point. Always refer to the official AWS WAF documentation and tailor the rules to match the specific needs of your application.