API.md

File metadata and controls

455 lines (271 loc) · 21 KB

API Reference

Constructs

CdkWafGeoLib

Initializers

```typescript
import { CdkWafGeoLib } from 'cdk-aws-wafv2-geofence-lib'

new CdkWafGeoLib(scope: Construct, id: string, props: ICdkWafGeoLibProps)
```

| Name | Type | Description |
|---|---|---|
| scope | constructs.Construct | No description. |
| id | string | No description. |
| props | ICdkWafGeoLibProps | No description. |

scope (Required)
  • Type: constructs.Construct

id (Required)
  • Type: string

props (Required)
  • Type: ICdkWafGeoLibProps

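The initializer above takes a single props object. The following is an added example, not code from the cdk-aws-wafv2-geofence-lib project: a small props builder that encodes a count-first rollout of the geo rule (deploy with the rule in count mode, review the CloudWatch logs, then switch to block). The `CdkWafGeoLibProps` shape is copied from the ICdkWafGeoLibProps section of this reference; the `geoRuleProps` function, its `GeoRuleOptions`, the default priority and the placeholder log group name are assumptions of this example. The country-code check only verifies the two-upper-case-letter format, not whether a code is a real country.

```typescript
// Local copy of the documented ICdkWafGeoLibProps (required fields plus the
// optional ones this example sets). Copied from the API reference above.
interface CdkWafGeoLibProps {
  allowedCountiesToAccessService: string[];
  deployChatGPTBlocking: boolean;
  enableAWSManagedRulesBlocking: boolean;
  enableChatGPTBlocking: boolean;
  enableGeoBlocking: boolean;
  priority: number;
  resourceArn: string;
  block?: boolean; // deprecated per the reference; never set here
  enableAWSManagedRuleCRS?: boolean;
  enableCloudWatchLogs?: boolean;
  cloudWatchLogGroupName?: string;
}

// "count" first, "block" once the logs show no legitimate traffic is hit.
type RolloutStage = "count" | "block";

// Hypothetical option bag for this example (not part of the library).
interface GeoRuleOptions {
  stage: RolloutStage;
  priority?: number;
  logGroupName?: string;
}

const ISO_ALPHA2_FORMAT = /^[A-Z]{2}$/;

// Builds the props for CdkWafGeoLib and rejects input that would produce a
// rule that silently does the wrong thing (empty allow-list, malformed codes).
function geoRuleProps(
  resourceArn: string,
  allowedCountries: string[],
  opts: GeoRuleOptions,
): CdkWafGeoLibProps {
  if (resourceArn.slice(0, 4) !== "arn:") {
    throw new Error(`resourceArn must be an ARN, got "${resourceArn}"`);
  }
  if (allowedCountries.length === 0) {
    throw new Error("allow-list is empty: every request would be treated as out-of-region");
  }
  const malformed = allowedCountries.filter((c) => !ISO_ALPHA2_FORMAT.test(c));
  if (malformed.length > 0) {
    throw new Error(`country codes must be two upper-case letters: ${malformed.join(", ")}`);
  }
  // Deduplicate while keeping the caller's order.
  const unique = allowedCountries.filter((c, i) => allowedCountries.indexOf(c) === i);
  const blocking = opts.stage === "block";
  return {
    resourceArn,
    allowedCountiesToAccessService: unique,
    // Both switches follow the rollout stage: count first, block later.
    enableGeoBlocking: blocking,
    enableAWSManagedRulesBlocking: blocking,
    enableAWSManagedRuleCRS: true, // recommended for any WAF use case
    enableChatGPTBlocking: false,
    deployChatGPTBlocking: false,
    priority: opts.priority ?? 10, // assumed default for this example
    enableCloudWatchLogs: true,    // needed to review what "count" would have blocked
    cloudWatchLogGroupName: opts.logGroupName ?? "placeholder-waf-geo-logs",
  };
}

// Usage inside a CDK stack (the construct is not instantiated here so the
// example runs without the library installed):
//   new CdkWafGeoLib(this, "GeoWaf",
//     geoRuleProps(alb.loadBalancerArn, ["DE", "DK"], { stage: "count" }));
```

Once the log group shows only expected traffic being counted, redeploy with `stage: "block"`; nothing else in the props needs to change.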
Methods

| Name | Description |
|---|---|
| toString | Returns a string representation of this construct. |

toString

```typescript
public toString(): string
```

Returns a string representation of this construct.

Static Functions

| Name | Description |
|---|---|
| isConstruct | Checks if x is a construct. |

isConstruct

```typescript
import { CdkWafGeoLib } from 'cdk-aws-wafv2-geofence-lib'

CdkWafGeoLib.isConstruct(x: any)
```

Checks if x is a construct.

x (Required)
  • Type: any

Any object.


Properties

| Name | Type | Description |
|---|---|---|
| node | constructs.Node | The tree node. |
| customResourceResult | string | No description. |

node (Required)

```typescript
public readonly node: Node;
```
  • Type: constructs.Node

The tree node.


customResourceResult (Optional)

```typescript
public readonly customResourceResult: string;
```
  • Type: string

Protocols

ICdkWafGeoLibProps

Properties

| Name | Type | Description |
|---|---|---|
| allowedCountiesToAccessService | string[] | Allowed countries to access the backend, for example DE, EN, DK. |
| deployChatGPTBlocking | boolean | Switch to control if the rule should let ChatGPT block or count incoming requests. |
| enableAWSManagedRulesBlocking | boolean | Switch to control if the rule should block or count incoming requests hitting the AWS Managed Rules. |
| enableChatGPTBlocking | boolean | Deploy ChatGPT blocking infrastructure, e.g. DynamoDB, Lambdas, CW Rules. |
| enableGeoBlocking | boolean | Switch to control if the rule should block or count incoming requests. |
| priority | number | Priority of the WAFv2 rule. |
| resourceArn | string | ARN of the resource to protect. |
| block | boolean | Deprecated: use enableGeoBlocking. Switch to control if the rule should block or count incoming requests. |
| cloudWatchLogGroupName | string | Name of the CloudWatch LogGroup where requests are stored. |
| enableAWSManagedRuleCRS | boolean | The Core rule set (CRS) rule group contains rules that are generally applicable to web applications. |
| enableAWSMangedRuleAdminProtect | boolean | The Admin protection rule group contains rules that allow you to block external access to exposed administrative pages. |
| enableAWSMangedRuleAnonIP | boolean | The Anonymous IP list rule group contains rules to block requests from services that permit the obfuscation of viewer identity. |
| enableAWSMangedRuleIPRep | boolean | The Amazon IP reputation list rule group contains rules that are based on Amazon internal threat intelligence. |
| enableAWSMangedRuleKBI | boolean | The Known bad inputs rule group contains rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. |
| enableAWSMangedRuleLinuxProtect | boolean | The Linux operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, including Linux-specific Local File Inclusion (LFI) attacks. |
| enableAWSMangedRulePHPProtect | boolean | The PHP application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to the use of the PHP programming language, including injection of unsafe PHP functions. |
| enableAWSMangedRuleSQLi | boolean | The SQL database rule group contains rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. |
| enableAWSMangedRuleUnixProtect | boolean | The POSIX operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to POSIX and POSIX-like operating systems, including Local File Inclusion (LFI) attacks. |
| enableAWSMangedRuleWindowsProtect | boolean | The Windows operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Windows, like remote execution of PowerShell commands. |
| enableAWSMangedRuleWorkpressProtect | boolean | The WordPress application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites. |
| enableCloudWatchLogs | boolean | Sends logs to a CloudWatch LogGroup with a retention on it. |
| retentionDays | aws-cdk-lib.aws_logs.RetentionDays | Retention period to keep logs. |
| snsNotificationArn | string | SNS Topic ARN for sending notifications about ChatGPT Blocking results. |

allowedCountiesToAccessService (Required)

```typescript
public readonly allowedCountiesToAccessService: string[];
```
  • Type: string[]

Allowed countries to access the backend, for example DE, EN, DK.


deployChatGPTBlocking (Required)

```typescript
public readonly deployChatGPTBlocking: boolean;
```
  • Type: boolean

Switch to control if the rule should let ChatGPT block or count incoming requests.


enableAWSManagedRulesBlocking (Required)

```typescript
public readonly enableAWSManagedRulesBlocking: boolean;
```
  • Type: boolean

Switch to control if the rule should block or count incoming requests hitting the AWS Managed Rules.


enableChatGPTBlocking (Required)

```typescript
public readonly enableChatGPTBlocking: boolean;
```
  • Type: boolean

Deploy ChatGPT blocking infrastructure, e.g. DynamoDB, Lambdas, CW Rules.


enableGeoBlocking (Required)

```typescript
public readonly enableGeoBlocking: boolean;
```
  • Type: boolean

Switch to control if the rule should block or count incoming requests.


priority (Required)

```typescript
public readonly priority: number;
```
  • Type: number

Priority of the WAFv2 rule.


resourceArn (Required)

```typescript
public readonly resourceArn: string;
```
  • Type: string

ARN of the resource to protect.


block (Optional)

```typescript
public readonly block: boolean;
```
  • Type: boolean

Deprecated: use enableGeoBlocking. Switch to control if the rule should block or count incoming requests.


cloudWatchLogGroupName (Optional)

```typescript
public readonly cloudWatchLogGroupName: string;
```
  • Type: string

Name of the CloudWatch LogGroup where requests are stored.


enableAWSManagedRuleCRS (Optional)

```typescript
public readonly enableAWSManagedRuleCRS: boolean;
```
  • Type: boolean

The Core rule set (CRS) rule group contains rules that are generally applicable to web applications.

This provides protection against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities described in OWASP publications such as OWASP Top 10. Consider using this rule group for any AWS WAF use case.


enableAWSMangedRuleAdminProtect (Optional)

```typescript
public readonly enableAWSMangedRuleAdminProtect: boolean;
```
  • Type: boolean

The Admin protection rule group contains rules that allow you to block external access to exposed administrative pages.

This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application.


enableAWSMangedRuleAnonIP (Optional)

```typescript
public readonly enableAWSMangedRuleAnonIP: boolean;
```
  • Type: boolean

The Anonymous IP list rule group contains rules to block requests from services that permit the obfuscation of viewer identity.

These include requests from VPNs, proxies, Tor nodes, and hosting providers. This rule group is useful if you want to filter out viewers that might be trying to hide their identity from your application. Blocking the IP addresses of these services can help mitigate bots and evasion of geographic restrictions.


enableAWSMangedRuleIPRep (Optional)

```typescript
public readonly enableAWSMangedRuleIPRep: boolean;
```
  • Type: boolean

The Amazon IP reputation list rule group contains rules that are based on Amazon internal threat intelligence.

This is useful if you would like to block IP addresses typically associated with bots or other threats. Blocking these IP addresses can help mitigate bots and reduce the risk of a malicious actor discovering a vulnerable application.


enableAWSMangedRuleKBI (Optional)

```typescript
public readonly enableAWSMangedRuleKBI: boolean;
```
  • Type: boolean

The Known bad inputs rule group contains rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities.

This can help reduce the risk of a malicious actor discovering a vulnerable application.


enableAWSMangedRuleLinuxProtect (Optional)

```typescript
public readonly enableAWSMangedRuleLinuxProtect: boolean;
```
  • Type: boolean

The Linux operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, including Linux-specific Local File Inclusion (LFI) attacks.

This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on Linux. You should use this rule group in conjunction with the POSIX operating system rule group.


enableAWSMangedRulePHPProtect (Optional)

```typescript
public readonly enableAWSMangedRulePHPProtect: boolean;
```
  • Type: boolean

The PHP application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to the use of the PHP programming language, including injection of unsafe PHP functions.

This can help prevent exploitation of vulnerabilities that permit an attacker to remotely run code or commands for which they are not authorized. Evaluate this rule group if PHP is installed on any server with which your application interfaces.


enableAWSMangedRuleSQLi (Optional)

```typescript
public readonly enableAWSMangedRuleSQLi: boolean;
```
  • Type: boolean

The SQL database rule group contains rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks.

This can help prevent remote injection of unauthorized queries. Evaluate this rule group for use if your application interfaces with an SQL database.


enableAWSMangedRuleUnixProtect (Optional)

```typescript
public readonly enableAWSMangedRuleUnixProtect: boolean;
```
  • Type: boolean

The POSIX operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to POSIX and POSIX-like operating systems, including Local File Inclusion (LFI) attacks.

This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on a POSIX or POSIX-like operating system, including Linux, AIX, HP-UX, macOS, Solaris, FreeBSD, and OpenBSD.


enableAWSMangedRuleWindowsProtect (Optional)

```typescript
public readonly enableAWSMangedRuleWindowsProtect: boolean;
```
  • Type: boolean

The Windows operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Windows, like remote execution of PowerShell commands.

This can help prevent exploitation of vulnerabilities that permit an attacker to run unauthorized commands or run malicious code. Evaluate this rule group if any part of your application runs on a Windows operating system.


enableAWSMangedRuleWorkpressProtect (Optional)

```typescript
public readonly enableAWSMangedRuleWorkpressProtect: boolean;
```
  • Type: boolean

The WordPress application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites.

You should evaluate this rule group if you are running WordPress. This rule group should be used in conjunction with the SQL database and PHP application rule groups.
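The managed rule group descriptions above carry pairing advice (Linux with POSIX; WordPress with SQL database and PHP) that is easy to miss when the switches are set one by one. The following is an added example, not code from the cdk-aws-wafv2-geofence-lib project: it derives the `enableAWSMangedRule*` switches from a short description of the protected application so that the pairings are always honoured. The switch names are the ones documented in this reference; the `AppProfile` type, the `managedRuleFlags` function and the choice to always enable CRS, Known bad inputs and IP reputation are assumptions of this example. It also shows which groups are off by default and why, which is a review question a practitioner would want answered before deploying.

```typescript
// Hypothetical description of the protected application (not part of the library).
interface AppProfile {
  os: "linux" | "windows" | "other-posix" | "none";
  php?: boolean;
  sqlDatabase?: boolean;
  wordpress?: boolean;
  adminPages?: boolean;
  // Off by default: the Anonymous IP list also blocks legitimate users of
  // VPNs and privacy proxies, so enable it deliberately.
  blockAnonymousSources?: boolean;
}

// Switch names exactly as documented in ICdkWafGeoLibProps.
type ManagedRuleFlag =
  | "enableAWSManagedRuleCRS"
  | "enableAWSMangedRuleAdminProtect"
  | "enableAWSMangedRuleAnonIP"
  | "enableAWSMangedRuleIPRep"
  | "enableAWSMangedRuleKBI"
  | "enableAWSMangedRuleLinuxProtect"
  | "enableAWSMangedRulePHPProtect"
  | "enableAWSMangedRuleSQLi"
  | "enableAWSMangedRuleUnixProtect"
  | "enableAWSMangedRuleWindowsProtect"
  | "enableAWSMangedRuleWorkpressProtect";

// Maps the profile to switches, applying the "use in conjunction with" advice.
function managedRuleFlags(app: AppProfile): Record<ManagedRuleFlag, boolean> {
  const wordpress = app.wordpress === true;
  // WordPress should be paired with the SQL database and PHP groups.
  const php = app.php === true || wordpress;
  const sql = app.sqlDatabase === true || wordpress;
  const linux = app.os === "linux";
  // The Linux group should be paired with the POSIX group.
  const posix = linux || app.os === "other-posix";
  return {
    // This example's choice: the three broad groups are always on. CRS is
    // recommended for any WAF use case; KBI and IP reputation are generic.
    enableAWSManagedRuleCRS: true,
    enableAWSMangedRuleKBI: true,
    enableAWSMangedRuleIPRep: true,
    enableAWSMangedRuleAdminProtect: app.adminPages === true,
    enableAWSMangedRuleAnonIP: app.blockAnonymousSources === true,
    enableAWSMangedRuleLinuxProtect: linux,
    enableAWSMangedRuleUnixProtect: posix,
    enableAWSMangedRuleWindowsProtect: app.os === "windows",
    enableAWSMangedRulePHPProtect: php,
    enableAWSMangedRuleSQLi: sql,
    enableAWSMangedRuleWorkpressProtect: wordpress,
  };
}

// Sorted list of the switches that end up enabled, handy for a change review
// or for spreading into the construct props:
//   new CdkWafGeoLib(this, "Waf", { ...baseProps, ...managedRuleFlags(profile) })
function enabledManagedRules(app: AppProfile): ManagedRuleFlag[] {
  const flags = managedRuleFlags(app);
  return (Object.keys(flags) as ManagedRuleFlag[]).filter((k) => flags[k]).sort();
}
```

Treat the three always-on groups as a starting point, not a verdict: deploy them with `enableAWSManagedRulesBlocking` set to false first and read the CloudWatch logs before switching them to block.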


enableCloudWatchLogs (Optional)

```typescript
public readonly enableCloudWatchLogs: boolean;
```
  • Type: boolean

Sends logs to a CloudWatch LogGroup with a retention on it.

If enabled you also get a CloudWatch Dashboard.


retentionDays (Optional)

```typescript
public readonly retentionDays: RetentionDays;
```
  • Type: aws-cdk-lib.aws_logs.RetentionDays

Retention period to keep logs.

The default is ONE_MONTH.


snsNotificationArn (Optional)

```typescript
public readonly snsNotificationArn: string;
```
  • Type: string

SNS Topic ARN for sending notifications about ChatGPT Blocking results.