post(aws-waf): regional ACL

- style: standardise edit date
Ming Di Leom 2021-09-01 09:19:18 +00:00
parent d5093b21f4
commit c5594e4a3e
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
3 changed files with 5 additions and 3 deletions


@ -2,7 +2,7 @@
title: Convert AWS WAF ACLs to human-readable format
excerpt: Run the attached script to download and convert ACLs
date: 2021-06-27
updated: 2021-07-23
updated: 2021-09-01
tags:
- aws
- security
@ -12,6 +12,8 @@ I regularly need to audit my company's access control lists (ACLs) implemented i
The script is [available here](https://gitlab.com/curben/aws-scripts/-/blob/main/waf-acl.py). It currently only supports Cloudfront ACL, feel free to extend it to support regional ACL.
(Edit: 1 Sep 2021) regional ACL is now supported.
## ACL schema
The underlying format of a web ACL is JSON. In this use case, I'm only concern with two keys:
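Review bot: the added line "(Edit: 1 Sep 2021) regional ACL is now supported." now contradicts the unchanged sentence just above it, "It currently only supports Cloudfront ACL, feel free to extend it to support regional ACL." Either strike or reword that sentence (for example "It originally only supported CloudFront ACLs; regional ACLs are supported as of 1 Sep 2021") so a reader does not get two conflicting statements in the same paragraph; the product name is also spelled "CloudFront". Bumping the front-matter `updated` field to 2021-09-01 alongside the note is the right call.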


@ -39,7 +39,7 @@ This website's JAMstack workflow goes like this:
4. Markdown files are processed into HTML pages using Nodejs-powered Hexo.
5. Generated pages are hosted on curben.netlify.app
_(Edit 22 Feb 2021: static site is now hosted primarily on Cloudflare Pages curben.pages.dev, with Netlify as a standby)_
(Edit: 22 Feb 2021) static site is now hosted primarily on Cloudflare Pages curben.pages.dev, with Netlify as a standby.
Right off the bat I can already see the need of setting up a private server due to the second requirement (ability to remove HTTP header). I had an option to drop Netlify by building the pages on my workstation and deploy to the web server (using a Hexo deployer plugin). So far I do find Netlify service to be reliable and it offers features like adding headers and reverse proxy which are easy to setup. Speaking of Netlify's features, I then had an idea of setting up a web server which reverse proxy to Netlify. This approach meets all the four requirements; a side-benefit is that if I screw up the web server, at least my website is still up on curben.netlify.app and I can easily migrate this domain to Netlify.
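Review bot: the rewrite from "_(Edit 22 Feb 2021: ...)_" to "(Edit: 22 Feb 2021) ..." also drops the italic underscores, which the commit message ("standardise edit date") does not mention. If the italics were intentionally removed so that all edit notes render the same way, say so in the message; otherwise keep the "_..._" wrapper and change only the date format, so this hunk stays a pure date-style change like the other two files.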


@ -69,7 +69,7 @@ PhishTank is a notable example of this kind of discrepancy. Despite being operat
Using URLhaus and PhishTank alone cannot possibly determine the effectiveness of malicious-blocking DNS providers accurately. I believe there are many malicious links out there that are not covered in those datasets. While I do think they are high quality and every DNS provider should consider utilising them, they are not _representative_ samples. So, take DNS-filtering testing which has limited sample with a grain of salt.
(Edit 14/07/2020) I was curious if the result is due to the samples being too _fresh_ (7 hours); DNS providers may not update their sources in real-time and perhaps only update once or twice a day. I ran the tests again on 13 July 2020 using the same samples (which I downloaded in 10 July 2020), a 3-day delay. The results show no significant change though.
(Edit: 14 Jul 2020) I was curious if the result is due to the samples being too _fresh_ (7 hours); DNS providers may not update their sources in real-time and perhaps only update once or twice a day. I ran the tests again on 13 July 2020 using the same samples (which I downloaded in 10 July 2020), a 3-day delay. The results show no significant change though.
## Google Safe Browsing
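Review bot: the marker is now "(Edit: 14 Jul 2020)", but the same sentence still carries "13 July 2020" and "in 10 July 2020", so the paragraph mixes "Jul" and "July" after a commit meant to standardise dates; consider applying one style throughout, and "in 10 July 2020" should read "on 10 July 2020". Otherwise the change matches the "(Edit: D Mon YYYY)" form used in the other two files.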