post: Convert AWS WAF ACLs to human-readable format

2021-06-27 07:53:55 +00:00 · 2021-06-27 07:53:55 +00:00 · 54c63d1b7b
parent 77880d307b
commit 54c63d1b7b
1 changed files with 164 additions and 0 deletions
--- a/source/_posts/aws-waf.md
+++ b/source/_posts/aws-waf.md
@ -0,0 +1,164 @@
+---
+title: Convert AWS WAF ACLs to human-readable format
+excerpt: Run the attached script to download and convert ACLs
+date: 2021-06-27
+tags:
+- aws
+- security
+---
+
+I regularly need to audit my company's access control lists (ACLs) implemented in AWS WAF, as part of my job. Each ACL can be more than a thousand lines which is practically impossible to read. I wrote a script that downloads and summarises the ACLs into human-readable format; each one-thousand-line behemoth is transformed into a fifty-line summary that I can _actually_ audit.
+
+The script is [available here](/files/20210627/waf-acl.py). It currently only supports Cloudfront ACL, feel free to extend it to support regional ACL.
+
+```
+./waf-acl.py {profile-name} --directory output-dir --original
+```
+
+**profile-name**: The profile name as listed in "~/.aws/credentials".
+**directory**: Output directory. It will be created if not exist. Defaults to current folder.
+**original**: Preserve the original ACL after conversion and save it with "-original" suffix.
+
+## ACL schema
+
+The underlying format of a web ACL is JSON. In this use case, I'm only concern with two keys:
+
+``` json
+{
+  "Name": "",
+  "Rules": [
+    {
+      "Name": "",
+      "Statement": {},
+      "Action": {
+        "Block": {}
+      }
+    },
+    {
+      "Name": "",
+      "Statement": {},
+      "Action": {
+        "Allow": {}
+      }
+    }]
+}
+```
+
+The script names each ACL according to the value of "Name". "Rules" is an array of objects, where each object represents a rule. Each rule has an [action](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-action.html) of count, allow or block.
+
+In each rule, there is a statement and it functions as a matching condition. Each [statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statements-list.html) can contain one or match statements combined using logical rule (AND, NOT, OR).
+
+## Converted schema
+
+A converted ACL has an array of objects, each object has three keys.
+
+``` json
+[
+  {
+    "Name": "",
+    "Action": "",
+    "Rule": ""
+  }
+]
+```
+
+## And/OrStatement
+
+``` json Original
+{
+  "Name": "ruleA",
+  "Statement": {
+    "OrStatement": {
+      "Statements": [
+        {
+          "foo": {}
+        },
+        {
+          "bar": {}
+        }
+      ]
+    }
+  }
+}
+```
+
+``` json Converted
+{
+  "ruleA": "foo OR bar"
+}
+```
+
+## Nested And/OrStatement
+
+``` json Original
+{
+  "Name": "ruleA",
+  "Statement": {
+    "AndStatement": {
+      "Statements": [
+        {
+          "OrStatement": {
+            "Statements": [
+              {
+                "foo": {}
+              },
+              {
+                "bar": {}
+              }
+            ]
+          }
+        },
+        {
+          "baz": {}
+        }
+      ]
+    }
+  }
+}
+```
+
+``` json Converted
+{
+  "ruleA": "(foo OR bar) AND baz"
+}
+```
+
+## NotStatement
+
+``` json Original
+{
+  "Name": "ruleA",
+  "Statement": {
+    "NotStatement": {
+      "Statement": {
+        "foo": {}
+      }
+    }
+  }
+}
+```
+
+``` json Converted
+{
+  "ruleA": "NOT foo"
+}
+```
+
+
+## String match
+
+``` json Orignal
+{
+  "ByteMatchStatement": {
+    "SearchString": ".conf",
+    "FieldToMatch": {
+      "UriPath": {}
+    },
+    "PositionalConstraint": "ENDS_WITH"
+  }
+}
+```
+
+``` plain Converted
+UriPath=ENDSWITH(.conf)
+```