79503159

Date: 2025-03-12 09:41:52
Score: 1

There are two ways to achieve this: one using an ALLOW rule, the other using WAF Labels.

An ALLOW rule would be easier but would not be as customizable as WAF Labels, and in my personal opinion WAF Labels would be the more proper way of implementing this.

Allow Rules

Create a rule with the following JSON:

{
  "Name": "Whitelist-IP-Bypass-WAF",
  "Priority": 0,
  "Action": {
    "Allow": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "Whitelist-IP-Bypass-WAF"
  },
  "Statement": {
    "IPSetReferenceStatement": {
      "ARN": "arn:aws:wafv2:ap-southeast-1:123456789012:regional/ipset/whitelisted-ip-set/12345678-90ab-cdef-0123-4567890abcd"
    }
  }
}

Then add the rule to the web ACL as follows:

[screenshot: adding the allow rule to the web ACL]

You can also use a rule group, but the point is that it needs to have a lower priority than your managed rule set.

Allow Listing by WAF Labels

Another option is to override the managed rule set to Count:

[screenshot: overriding the managed rule group action to Count]

Then add the following rule.

Using Namespace

{
  "Name": "Block-Non-Whitelisted-IP-with-Core-rule-set-label",
  "Priority": 4,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "Block-Non-Whitelisted-IP-with-Core-rule-set-label"
  },
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "LabelMatchStatement": {
            "Scope": "NAMESPACE",
            "Key": "awswaf:managed:aws:core-rule-set:"
          }
        },
        {
          "NotStatement": {
            "Statement": {
              "IPSetReferenceStatement": {
                "ARN": "arn:aws:wafv2:ap-southeast-1:123456789012:regional/ipset/whitelisted-ip-set/12345678-90ab-cdef-0123-4567890abcd"
              }
            }
          }
        }
      ]
    }
  }
}

Using Label

{
  "Name": "Block-Non-Whitelisted-IP-with-Core-rule-set-label",
  "Priority": 4,
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "LabelMatchStatement": {
            "Scope": "LABEL",
            "Key": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_URIPath"
          }
        },
        {
          "NotStatement": {
            "Statement": {
              "IPSetReferenceStatement": {
                "ARN": "arn:aws:wafv2:ap-southeast-1:123456789012:regional/ipset/whitelisted-ip-set/12345678-90ab-cdef-0123-4567890abcd"
              }
            }
          }
        }
      ]
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "Block-Non-Whitelisted-IP-with-Core-rule-set-label"
  }
}

This approach is much more versatile since you can match a specific Namespace or Label. But you do need to note that you need to create a rule for each of the managed rules that you have.

So in the example above you would need to create a rule for awswaf:managed:aws:core-rule-set:, awswaf:managed:aws:known-bad-inputs: and awswaf:managed:aws:amazon-ip-list:

For a full list of WAF labels, refer to this documentation: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html


Reasons:
  • Blacklisted phrase (1): this document
  • Probably link only (1):
  • Long answer (-1):
  • Has code block (-0.5):
  • Low reputation (0.5):
Posted by: Vincent Tjianattan
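As an added example (not part of the original answer), here is a Python helper that generates one label-based block rule per managed rule group namespace in the same JSON shape as the rules above, generalised to any list of namespaces, and checks that each block rule sits at a higher priority number than the managed rule groups whose labels it matches. The IP set ARN is a constructed placeholder.

```python
import json

# Constructed placeholder; replace with the ARN of your allowlist IP set.
IP_SET_ARN = "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/NAME/ID"

# Namespaces named in the answer; add one entry per managed rule group in use.
MANAGED_NAMESPACES = [
    "awswaf:managed:aws:core-rule-set:",
    "awswaf:managed:aws:known-bad-inputs:",
    "awswaf:managed:aws:amazon-ip-list:",
]


def block_rule_for_namespace(namespace, ip_set_arn, priority):
    """Block when the request carries any label in `namespace` AND the source
    IP is not in the allowlist IP set (same shape as the 'Using Namespace' rule)."""
    short = namespace.rstrip(":").rsplit(":", 1)[-1]   # e.g. "core-rule-set"
    name = f"Block-Non-Allowlisted-IP-{short}"
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
        "Statement": {"AndStatement": {"Statements": [
            {"LabelMatchStatement": {"Scope": "NAMESPACE", "Key": namespace}},
            {"NotStatement": {"Statement": {
                "IPSetReferenceStatement": {"ARN": ip_set_arn}}}},
        ]}},
    }


def build_block_rules(namespaces, ip_set_arn, first_priority):
    """One block rule per namespace, with consecutive priorities."""
    return [block_rule_for_namespace(ns, ip_set_arn, first_priority + i)
            for i, ns in enumerate(namespaces)]


def check_order(managed_priorities, block_rules):
    """A label can only be matched by rules evaluated after the (Count-overridden)
    rule group that adds it. Return names of block rules that would run too early."""
    latest_managed = max(managed_priorities)
    return [r["Name"] for r in block_rules if r["Priority"] <= latest_managed]


if __name__ == "__main__":
    rules = build_block_rules(MANAGED_NAMESPACES, IP_SET_ARN, first_priority=4)
    print(json.dumps(rules, indent=2))
```

The generated dicts can be appended to the web ACL's Rules list; check_order flags any block rule whose priority number is not above every managed rule group it depends on.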