Skip to content

[Fix] 취약점 스캐닝, 크롤링 방지 장기 대응 작업 #200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lvalentine6 merged 3 commits into from
Sep 20, 2025
Merged

[Fix] 취약점 스캐닝, 크롤링 방지 장기 대응 작업 #200

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
14aa0e8
feat: waf 추가 및 alb 연동
lvalentine6 Sep 20, 2025
488c772
feat: waf 로그 그룹 추가
lvalentine6 Sep 20, 2025
f1355b0
fix: prod Infrastructure Metrics 수집하도록 수정
lvalentine6 Sep 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions terraform/common/locals.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ data "aws_region" "current" {}
locals {
group_name = "power"
project_name = "eatda"
admin_email = "yappweb1server@gmail.com"

policy_arns = [
"arn:aws:iam::aws:policy/AdministratorAccess",
Expand Down Expand Up @@ -248,3 +249,7 @@ locals {
}
}
}

locals {
request_threshold = 200
}
24 changes: 24 additions & 0 deletions terraform/common/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,3 +51,27 @@ module "alb" {
certificate_arn = module.route53.certificate_arn
certificate_validation_complete = module.route53.certificate_validation_complete
}

module "waf" {
source = "./waf"
project_name = local.project_name
request_threshold = local.request_threshold
tags = local.common_tags
}

resource "aws_wafv2_web_acl_association" "this" {
resource_arn = module.alb.alb_arn
web_acl_arn = module.waf.web_acl_arn
}

resource "aws_cloudwatch_log_group" "waf_logs" {
name = "aws-waf-logs-${local.project_name}"
retention_in_days = 7

tags = local.common_tags
}

resource "aws_wafv2_web_acl_logging_configuration" "this" {
log_destination_configs = [trimsuffix(aws_cloudwatch_log_group.waf_logs.arn, ":*")]
resource_arn = module.waf.web_acl_arn
}
156 changes: 156 additions & 0 deletions terraform/common/waf/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
resource "aws_wafv2_web_acl" "this" {
name = "${var.project_name}-web-acl"
scope = "REGIONAL"

default_action {
allow {}
}

# Rate-based Rule (HTTP Flood)
rule {
name = "Rate-Limit-Rule"
priority = 1
action {
block {}
}
statement {
rate_based_statement {
limit = var.request_threshold
aggregate_key_type = "IP"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "rate-limit-rule"
sampled_requests_enabled = true
}
}

# AWS Managed Core Rule Set
rule {
name = "AWS-Managed-Core-Rule-Set"
priority = 10
override_action {
none {}
}
statement {
managed_rule_group_statement {
vendor_name = "AWS"
name = "AWSManagedRulesCommonRuleSet"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "aws-managed-common"
sampled_requests_enabled = true
}
}

# Scanners & Probes Protection
rule {
name = "AWS-Managed-Known-Bad-Inputs-Rule-Set"
priority = 20
override_action {
none {}
}
statement {
managed_rule_group_statement {
vendor_name = "AWS"
name = "AWSManagedRulesKnownBadInputsRuleSet"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "aws-managed-bad-inputs"
sampled_requests_enabled = true
}
}

# Reputation Lists Protection
rule {
name = "AWS-Managed-Amazon-IP-Reputation-List"
priority = 30
override_action {
none {}
}
statement {
managed_rule_group_statement {
vendor_name = "AWS"
name = "AWSManagedRulesAmazonIpReputationList"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "aws-managed-ip-rep"
sampled_requests_enabled = true
}
}

# Bad Bot Protection
rule {
name = "AWS-Managed-Bot-Control-Rule-Set"
priority = 40
override_action {
none {}
}
statement {
managed_rule_group_statement {
vendor_name = "AWS"
name = "AWSManagedRulesBotControlRuleSet"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "aws-managed-bot-control"
sampled_requests_enabled = true
}
}
Comment on lines +89 to +107
Copy link

@coderabbitai coderabbitai bot Sep 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

❓ Verification inconclusive

Bot Control 규칙의 비용 영향을 고려하세요.

Bot Control은 추가 비용이 발생하는 기능으로, 월 $1의 구독료 외에도 요청당 추가 요금이 부과됩니다. Common Bot Control은 첫 1천만 요청이 무료이지만, Targeted Bot Control은 첫 100만 요청만 무료입니다.

Bot Control 기능의 필요성과 예상 비용을 검토하시기 바랍니다. 트래픽 볼륨에 따라 상당한 비용이 발생할 수 있습니다:

🌐 Web query:

AWS WAF Bot Control pricing 2025 common vs targeted costs

💡 Result:

Short answer — pricing (as of AWS pricing page):

  • Monthly subscription: Bot Control rule group = $10.00 per Web ACL (prorated hourly). [1]
  • Common Bot Control: first 10 million requests per month free; additional requests billed at $1.00 per million requests. [1]
  • Targeted Bot Control: first 1 million requests per month free; additional requests billed at $10.00 per million requests. [1]

Practical notes:

  • Use a scope‑down statement to limit what Bot Control inspects to reduce costs (e.g., apply to login paths only). [2]
  • Region pricing may vary — always confirm the AWS WAF pricing page for your region and month. [1][2]

Sources: AWS WAF pricing and AWS WAF cost guidance. [1][2]

Bot Control 규칙 비용 검토

File: terraform/common/waf/main.tf (Lines 89–107)

AWS WAF Bot Control은 Web ACL당 월 구독료 $10(시간 단위 비례 청구)과 다음 요청당 요금을 부과합니다:

  • Common Bot Control: 매월 첫 1천만 요청 무료, 초과분은 백만 요청당 $1
  • Targeted Bot Control: 매월 첫 100만 요청 무료, 초과분은 백만 요청당 $10

트래픽 규모에 따라 비용이 크게 증가할 수 있으므로 scope-down statement를 도입해 검사 대상을 제한하는 등 Bot Control 기능의 필요성과 예상 비용을 꼼꼼히 검토하세요.

🤖 Prompt for AI Agents 
In terraform/common/waf/main.tf around lines 89 to 107, the
AWSManagedRulesBotControlRuleSet is added without a scope-down statement or
limiting conditions which may incur significant Bot Control subscription and
per-request costs; update the managed_rule_group_statement to include an
appropriate scope_down_statement (e.g., a statement that restricts inspection to
specific paths, IP sets, or headers) to limit which requests are evaluated,
and/or add a variable to toggle Bot Control on/off and document expected
usage/costs so the rule is only enabled for intended traffic patterns.


# Anonymous IP list
rule {
name = "AWS-Managed-Anonymous-IP-List"
priority = 50
override_action {
none {}
}
statement {
managed_rule_group_statement {
vendor_name = "AWS"
name = "AWSManagedRulesAnonymousIpList"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "aws-managed-anonymous-ip"
sampled_requests_enabled = true
}
}

# SQL database
rule {
name = "AWS-Managed-SQLi-Rule-Set"
priority = 60
override_action {
none {}
}
statement {
managed_rule_group_statement {
vendor_name = "AWS"
name = "AWSManagedRulesSQLiRuleSet"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "aws-managed-sql-db"
sampled_requests_enabled = true
}
}

visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "${var.project_name}-web-acl"
sampled_requests_enabled = true
}

tags = var.tags
}
3 changes: 3 additions & 0 deletions terraform/common/waf/outputs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
output "web_acl_arn" {
value = aws_wafv2_web_acl.this.arn
}
12 changes: 12 additions & 0 deletions terraform/common/waf/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
variable "project_name" {
type = string
}

variable "request_threshold" {
type = number
description = "Rate-Limit 규칙에 적용할 5분당 IP별 최대 요청 수"
}

variable "tags" {
type = map(string)
}
5 changes: 4 additions & 1 deletion terraform/prod/terraform.tfvars
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ ecs_services = {
datadog = {
task_definition = "datadog"
launch_type = "EC2"
scheduling_strategy = "REPLICA"
scheduling_strategy = "DAEMON"
}
}

Expand Down Expand Up @@ -49,6 +49,9 @@ ecs_task_definitions_base = {
DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL = "true"
DD_APM_RECEIVER_PORT = "8126"
DD_APM_NON_LOCAL_TRAFFIC = "true"
DD_EC2_USE_IMDSV2 = "true"
DD_COLLECT_EC2_TAGS = "true"
DD_COLLECT_EC2_METADATA = "true"
DD_SERVICE = "eatda-api-prod"
DD_ENV = "prod"
DD_VERSION = "v1"
Expand Down