
How do I manage bot control using AWS Web Application Firewall (WAF)?

To manage bot control using AWS Web Application Firewall (WAF) with Pulumi, you will create a web ACL (Access Control List) that includes a bot control rule. This rule will help mitigate unwanted web traffic generated by automated programs.

Detailed Explanation:

  1. Provider Configuration: configures the AWS provider to define the region where resources will be deployed.
  2. Web ACL Resource: a web ACL is created to define rules and associate them with AWS resources.
  3. Bot Control Rule: a managed rule group from AWS that detects and handles automated bot traffic.
  4. Web ACL Association: associates the web ACL with specific AWS resources, such as an Application Load Balancer.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create the AWS WAF web ACL. Scope REGIONAL covers ALBs, API Gateway and other
// regional resources; a CloudFront web ACL uses scope "CLOUDFRONT" and must be
// created in us-east-1.
const example = new aws.wafv2.WebAcl("example", {
    name: "example-web-acl",
    description: "Web ACL to control bot traffic",
    scope: "REGIONAL",
    // Requests that match no rule are allowed; the managed rule group decides what to block.
    defaultAction: {
        allow: {},
    },
    visibilityConfig: {
        cloudwatchMetricsEnabled: true,
        metricName: "webACL",
        sampledRequestsEnabled: true,
    },
    rules: [{
        name: "AWSManagedRulesBotControlRuleSet",
        priority: 1,
        statement: {
            managedRuleGroupStatement: {
                name: "AWSManagedRulesBotControlRuleSet",
                vendorName: "AWS",
            },
        },
        // none: keep the rule group's own per-rule actions (block/count).
        // Use count: {} instead to observe matches in logs and metrics before enforcing.
        overrideAction: {
            none: {},
        },
        visibilityConfig: {
            cloudwatchMetricsEnabled: true,
            metricName: "awsManagedBotControl",
            sampledRequestsEnabled: true,
        },
    }],
    tags: {
        Name: "example-web-acl",
    },
});

// Example VPC for the security group, subnets and load balancer
const exampleVpc = new aws.ec2.Vpc("example", {
    cidrBlock: "10.0.0.0/16",
    tags: {
        Name: "example-vpc",
    },
});

// An internet-facing load balancer requires an internet gateway attached to its VPC
const exampleIgw = new aws.ec2.InternetGateway("example", {
    vpcId: exampleVpc.id,
    tags: {
        Name: "example-igw",
    },
});

// Example security group for the load balancer: HTTP in from anywhere, all traffic out
const lbSg = new aws.ec2.SecurityGroup("lb_sg", {
    name: "example-lb-sg",
    description: "Security group for the load balancer",
    vpcId: exampleVpc.id,
    ingress: [{
        fromPort: 80,
        toPort: 80,
        protocol: "tcp",
        cidrBlocks: ["0.0.0.0/0"],
    }],
    egress: [{
        fromPort: 0,
        toPort: 0,
        protocol: "-1",
        cidrBlocks: ["0.0.0.0/0"],
    }],
});

// Example subnets for the load balancer (an ALB needs subnets in at least two AZs)
const public1 = new aws.ec2.Subnet("public1", {
    vpcId: exampleVpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
    tags: {
        Name: "example-public-subnet-1",
    },
});
const public2 = new aws.ec2.Subnet("public2", {
    vpcId: exampleVpc.id,
    cidrBlock: "10.0.2.0/24",
    availabilityZone: "us-west-2b",
    tags: {
        Name: "example-public-subnet-2",
    },
});

// Application Load Balancer that the web ACL will protect
const exampleLoadBalancer = new aws.lb.LoadBalancer("example", {
    name: "example-lb",
    internal: false,
    loadBalancerType: "application",
    securityGroups: [lbSg.id],
    subnets: [
        public1.id,
        public2.id,
    ],
    enableDeletionProtection: false,
}, { dependsOn: [exampleIgw] }); // the gateway must be attached before the ALB is created

// Associate the web ACL with the load balancer so the bot control rule applies to its traffic
const exampleWebAclAssociation = new aws.wafv2.WebAclAssociation("example", {
    resourceArn: exampleLoadBalancer.arn,
    webAclArn: example.arn,
});
```

Summary:

In this example, an AWS WAF web ACL is created with a bot control rule to detect and handle automated traffic. This web ACL is then associated with an Application Load Balancer, ensuring that the bot control rules apply to the traffic directed to this resource. The necessary networking components are also defined, including VPC, subnets, and a security group.
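Once the web ACL above is in place, the practical check is whether the Bot Control rule group is actually matching, blocking or only counting traffic. The following is an added example (not part of the original answer or of Pulumi's code) that summarises AWS WAF log entries for Bot Control activity; it assumes the WAF JSON log layout, the label prefix `awswaf:managed:aws:bot-control:`, and a rule group id containing `AWSManagedRulesBotControlRuleSet`, and the sample entries are constructed.

```typescript
// Added example (not from the original answer). Assumes the AWS WAF JSON log layout and the
// Bot Control label prefix "awswaf:managed:aws:bot-control:"; the sample entries are constructed.
type MatchedRule = { ruleId: string; action: string };
interface WafLogEntry {
  action: string;                          // terminating action for the whole request
  httpRequest: { clientIp: string };
  labels?: { name: string }[];             // labels added by any matching rule
  ruleGroupList?: { ruleGroupId: string; terminatingRule: MatchedRule | null;
                    nonTerminatingMatchingRules: MatchedRule[] }[];
}
export interface BotSummary {
  blocked: number;                  // requests the rule group terminated with BLOCK
  counted: number;                  // matched but only COUNTed (count mode or action override)
  byLabel: Record<string, number>;  // Bot Control label -> number of requests
  unverifiedBotIps: string[];       // client IPs labelled as bots but not "bot:verified"
}
const BOT_PREFIX = "awswaf:managed:aws:bot-control:";
const BOT_GROUP = "AWSManagedRulesBotControlRuleSet";
export function summarizeBotControl(lines: string[]): BotSummary {
  const s: BotSummary = { blocked: 0, counted: 0, byLabel: {}, unverifiedBotIps: [] };
  for (const line of lines) {
    if (!line.trim()) continue;
    const e = JSON.parse(line) as WafLogEntry;
    const botLabels = (e.labels ?? []).map(l => l.name).filter(n => n.startsWith(BOT_PREFIX));
    if (botLabels.length === 0) continue;  // Bot Control did not match this request
    for (const l of botLabels) s.byLabel[l] = (s.byLabel[l] ?? 0) + 1;
    const g = (e.ruleGroupList ?? []).find(x => x.ruleGroupId.includes(BOT_GROUP));
    if (g?.terminatingRule?.action === "BLOCK") s.blocked++;
    else if (g?.nonTerminatingMatchingRules.some(r => r.action === "COUNT")) s.counted++;
    const ip = e.httpRequest.clientIp;
    if (!botLabels.includes(BOT_PREFIX + "bot:verified") && !s.unverifiedBotIps.includes(ip)) s.unverifiedBotIps.push(ip);
  }
  return s;
}
// Constructed sample: a blocked HTTP-library bot, an allowed verified crawler, a non-browser
// user agent that was only counted (as under overrideAction: count), and a plain browser request.
const bc = (term: MatchedRule | null, nonTerm: MatchedRule[] = []) =>
  [{ ruleGroupId: "AWS#" + BOT_GROUP, terminatingRule: term, nonTerminatingMatchingRules: nonTerm }];
export const SAMPLE_LOGS: string[] = [
  { action: "BLOCK", httpRequest: { clientIp: "203.0.113.10" },
    labels: [{ name: BOT_PREFIX + "bot:category:http_library" }],
    ruleGroupList: bc({ ruleId: "CategoryHttpLibrary", action: "BLOCK" }) },
  { action: "ALLOW", httpRequest: { clientIp: "198.51.100.7" },
    labels: [{ name: BOT_PREFIX + "bot:verified" }, { name: BOT_PREFIX + "bot:category:search_engine" }],
    ruleGroupList: bc(null) },
  { action: "ALLOW", httpRequest: { clientIp: "203.0.113.44" },
    labels: [{ name: BOT_PREFIX + "signal:non_browser_user_agent" }],
    ruleGroupList: bc(null, [{ ruleId: "SignalNonBrowserUserAgent", action: "COUNT" }]) },
  { action: "ALLOW", httpRequest: { clientIp: "192.0.2.5" }, labels: [], ruleGroupList: [] },
].map(e => JSON.stringify(e));
```

A request that carries a Bot Control label but shows up only under nonTerminatingMatchingRules with COUNT is what you see while the rule group is in count mode; switching overrideAction to none turns those into blocks.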
