SOAR AWS WAF module

I integrated the AWS WAF response module with the default region as us-central-1; for other regions it is showing an error. I have integrated one AWS account with this module, and while executing an action, for example List IP Sets, the module is only able to list CLOUDFRONT IP sets. But we have IP sets configured in eu-central-1. When I give the scope as regional, the module is not able to list the regional IP sets in that account. Could someone please help: does something need to be done on the AWS side, or on the SecOps side?


The problem is likely due to the AWS WAF response module's default region being set to us-central-1. 

It's only accessing resources within that region. To access IP sets in eu-central-1, you need to either:

1. AWS Side (Recommended):

  • Configure the module for multiple regions: The module should be configured to access the eu-central-1 region as well. This might involve adding the region to the module's configuration or specifying it when calling the ListIPSets action. Consult the AWS WAF documentation for the correct method.
  • Centralize IP Sets: Consider using AWS Firewall Manager to centrally manage your IP sets across all regions. This simplifies management and ensures consistency.

2. SecOps Side:

  • Verify Module Configuration: Double-check the module's configuration to ensure it's correctly set up to access the eu-central-1 region. Look for any region-specific settings.
  • Check Permissions: Ensure the IAM role associated with the module has the necessary permissions to access WAF resources in eu-central-1. This includes the waf:ListIPSets permission.
  • Network Connectivity: Verify that the system running the module has proper network connectivity to the eu-central-1 region.

Troubleshooting Steps:

  1. Test with AWS CLI: Use the AWS CLI to directly interact with WAF in eu-central-1. This helps isolate whether the problem is with the module or AWS itself.
  2. Check AWS WAF Logs: Examine the AWS WAF logs for any error messages related to accessing resources in eu-central-1.
  3. Review IAM Role Policy: Analyze the IAM role policy attached to the module to confirm it has the required permissions.

Start with the AWS side configuration changes (option 1) as they are more likely to resolve the issue. If that doesn't work, then investigate the SecOps side (option 2). Remember to consult the official AWS WAF documentation for detailed instructions and best practices.


  • Configure the module for multiple regions: The module should be configured to access the eu-central-1 region as well. This might involve adding the region to the module's configuration or specifying it when calling the ListIPSets action. Consult the AWS WAF documentation for the correct method. 

Could you please clarify what the module is that you are referring to here?

In addition to that, I believe the issue with your module that is preventing it from working in other regions besides us-east-1 is because the test_connectivity function in the AWSWAFManager module on line 90 is using the hardcoded scope of CLOUDFRONT. This is effectively preventing the connectivity test from succeeding in any region other than us-east-1.

Could you please consider changing this variable to use whichever value is defined by the user in the Action parameters?
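The scope handling discussed in this reply, as an added Python example that is not the SOAR module's own code: the CLOUDFRONT scope is only served from us-east-1, while the REGIONAL scope must be called in the region that owns the IP sets, so the connectivity check takes the scope from the user's parameters instead of hardcoding CLOUDFRONT. The client is injected so it runs offline against a constructed stand-in; with boto3 you would pass `boto3.client("wafv2", region_name=...)` using the resolved region.

```python
"""Added example, not the SOAR module's code: WAFv2 scope/region handling."""
from typing import Any, Dict, List

# WAFv2 API rule: CLOUDFRONT scope is served only from us-east-1;
# REGIONAL scope must be called in the region that owns the IP sets.
# CLI equivalent: aws wafv2 list-ip-sets --scope REGIONAL --region eu-central-1
CLOUDFRONT_REGION = "us-east-1"


def resolve_waf_target(scope: str, region: str) -> Dict[str, str]:
    """Pick the region the wafv2 client must be built in for the requested scope."""
    scope = scope.strip().upper()
    if scope not in ("CLOUDFRONT", "REGIONAL"):
        raise ValueError(f"unsupported WAF scope: {scope!r}")
    if scope == "CLOUDFRONT":
        return {"Scope": scope, "Region": CLOUDFRONT_REGION}
    if not region:
        raise ValueError("REGIONAL scope needs the region that owns the IP sets")
    return {"Scope": scope, "Region": region}


def list_ip_set_names(client: Any, scope: str) -> List[str]:
    """List every IP set name for the scope, following NextMarker pagination."""
    names: List[str] = []
    kwargs: Dict[str, Any] = {"Scope": scope}
    while True:
        resp = client.list_ip_sets(**kwargs)
        names.extend(s["Name"] for s in resp.get("IPSets", []))
        if not resp.get("NextMarker"):
            return names
        kwargs["NextMarker"] = resp["NextMarker"]


def check_connectivity(client: Any, params: Dict[str, str]) -> bool:
    """Connectivity test driven by the user's scope parameter, not a fixed CLOUDFRONT."""
    target = resolve_waf_target(params.get("scope", "REGIONAL"), params.get("region", ""))
    list_ip_set_names(client, target["Scope"])  # raises on auth or wrong-region errors
    return True


# Constructed stand-in for boto3's wafv2 client so the example runs offline.
SAMPLE_PAGES = {
    "REGIONAL": {None: {"IPSets": [{"Name": "blocklist-eu"}], "NextMarker": "p2"},
                 "p2": {"IPSets": [{"Name": "allowlist-eu"}]}},
    "CLOUDFRONT": {None: {"IPSets": [{"Name": "cf-blocklist"}]}},
}


class FakeWafv2Client:
    def __init__(self, pages=SAMPLE_PAGES):
        self._pages = pages

    def list_ip_sets(self, Scope, NextMarker=None):
        return self._pages[Scope][NextMarker]
```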

@kentphelps   A gentle reminder !!

Sorry - you need to make sure the AWS WAF is configured for multiple regions. You need to talk with the AWS admin that configures the WAF to take care of this.

Hello @kentphelps, in our case, AWS WAF is configured in the local region as well. But unfortunately SecOps can't perform any action on regional resources related to WAF, for example accessing IP sets or adding IPs into an IP set.