

This is a machine-translated version. Where this translation and the English original differ, the English original takes precedence.

# Deployment considerations
<a name="deployment-considerations"></a>

The following sections describe the limitations and considerations for implementing this solution.

## AWS WAF rules
<a name="aws-waf-rules"></a>

The web ACL that this solution generates is designed to give a web application comprehensive protection. The solution provides a set of AWS managed rules and custom rules that you can add to the web ACL. To include a rule, select `yes` for the corresponding parameter when you launch the CloudFormation stack. See [Step 1. Launch the stack](step-1.-launch-the-stack.md) for the list of parameters.

**Note**  
This solution does not support [AWS Firewall Manager](https://aws.amazon.com/firewall-manager) out of the box. If you want to use the rules with Firewall Manager, we recommend that you customize the [source code](https://github.com/aws-solutions/aws-waf-security-automations).

## Web ACL traffic logging
<a name="web-acl-traffic-logging"></a>

If you create the stack in an AWS Region other than US East (N. Virginia) and set **Endpoint** to `CloudFront`, you must set **Activate HTTP Flood Protection** to `no` or `yes - AWS WAF rate based rule`.

The other two options (`yes - AWS Lambda log parser` and `yes - Amazon Athena log parser`) require AWS WAF logging to be activated on a web ACL that runs at all AWS edge locations, and that is not supported outside US East (N. Virginia). For more information about logging web ACL traffic, see the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html).

## Oversize handling for request components
<a name="oversize-handling-for-request-components"></a>

AWS WAF inspects the body, headers, and cookies of a web request only up to a size limit; content beyond that limit is not inspected. When you write a rule statement that inspects one of these request component types, you choose one of the following options to tell AWS WAF what to do with requests whose component exceeds the limit:
+  `yes` (CONTINUE) – Inspect the request component normally according to the rule's inspection criteria. AWS WAF inspects only the part of the component that falls within the size limit, so a payload placed past the limit is never evaluated by this rule. This is the default option used by the solution.
+  `yes - MATCH` – Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request without evaluating it against the rule's inspection criteria. For a rule with the `Block` action, this blocks every request that carries an oversized component.
+  `yes - NO_MATCH` – Treat the web request as not matching the rule statement, without evaluating it against the rule's inspection criteria. AWS WAF continues inspecting the request with the remaining rules in the web ACL, as it does for any rule that does not match.

For more information, see [Handling oversized web request components in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html).
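The following added example (not code from the solution or its template) audits a web ACL in the JSON shape returned by `aws wafv2 get-web-acl` and reports, per rule, which truncatable components each match statement inspects and which oversize handling applies, walking through And/Or/Not wrappers and rate-based scope-down statements. The sample web ACL, its rule names and the IP set ARN are constructed for illustration; a missing `OversizeHandling` is reported as CONTINUE, which is the API default and what the solution's plain `yes` value produces.

```python
"""Audit a WAF v2 web ACL for where oversize handling is left at CONTINUE.

Added example; not part of the AWS WAF Security Automations solution. The
web ACL below is a constructed sample in the shape that
`aws wafv2 get-web-acl` returns; pass the real output's "WebACL" member to
`audit_oversize_handling` to audit a deployed ACL.
"""
import json

# Request components AWS WAF truncates past its size limit; OversizeHandling
# on the FieldToMatch decides what happens to the rest of the request.
TRUNCATED_COMPONENTS = ("Body", "JsonBody", "Headers", "Cookies")

# Constructed sample (not a real ACL): three rules, three handling modes.
SAMPLE_WEB_ACL = {
    "Name": "sample-web-acl",
    "Rules": [
        {   # Solution default ("yes"): Body without OversizeHandling -> CONTINUE.
            "Name": "SqliBody", "Priority": 1, "Action": {"Block": {}},
            "Statement": {"SqliMatchStatement": {
                "FieldToMatch": {"Body": {}},
                "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
        },
        {   # "yes - MATCH", nested inside an AndStatement with a NotStatement.
            "Name": "XssBodyNotAllowlisted", "Priority": 2, "Action": {"Block": {}},
            "Statement": {"AndStatement": {"Statements": [
                {"XssMatchStatement": {
                    "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
                {"NotStatement": {"Statement": {"IPSetReferenceStatement": {
                    "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/ipset/"
                           "sample-allowlist/00000000-0000-0000-0000-000000000000"}}}},
            ]}},
        },
        {   # "yes - NO_MATCH" on Cookies, as a rate-based rule's scope-down.
            "Name": "FloodOnLoginCookie", "Priority": 3, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": {
                "Limit": 2000, "AggregateKeyType": "IP",
                "ScopeDownStatement": {"ByteMatchStatement": {
                    "FieldToMatch": {"Cookies": {
                        "MatchPattern": {"IncludedCookies": ["session"]},
                        "MatchScope": "VALUE", "OversizeHandling": "NO_MATCH"}},
                    "PositionalConstraint": "CONTAINS", "SearchString": "login",
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}}},
        },
    ],
}


def iter_leaf_statements(statement):
    """Yield (type, body) for every leaf statement, descending through
    And/Or/Not wrappers and rate-based or managed-group scope-down statements."""
    for kind, body in statement.items():
        if kind in ("AndStatement", "OrStatement"):
            for child in body.get("Statements", []):
                yield from iter_leaf_statements(child)
        elif kind == "NotStatement":
            yield from iter_leaf_statements(body["Statement"])
        elif kind in ("RateBasedStatement", "ManagedRuleGroupStatement"):
            if body.get("ScopeDownStatement"):
                yield from iter_leaf_statements(body["ScopeDownStatement"])
        else:
            yield kind, body


def audit_oversize_handling(web_acl):
    """Return (rule, statement type, component, handling) for each leaf
    statement that inspects a truncatable component. A missing
    OversizeHandling is the API default, CONTINUE."""
    findings = []
    for rule in web_acl.get("Rules", []):
        for kind, body in iter_leaf_statements(rule["Statement"]):
            field = body.get("FieldToMatch", {})
            for component in TRUNCATED_COMPONENTS:
                if component in field:
                    handling = field[component].get("OversizeHandling", "CONTINUE")
                    findings.append((rule["Name"], kind, component, handling))
    return findings


def silently_truncated(web_acl):
    """Rules that inspect only the in-limit prefix of an oversized component:
    a payload placed past the limit is never seen by their match criteria."""
    return [f for f in audit_oversize_handling(web_acl) if f[3] == "CONTINUE"]


if __name__ == "__main__":
    for finding in audit_oversize_handling(SAMPLE_WEB_ACL):
        print("%-24s %-24s %-8s %s" % finding)
    print("silently truncated:", json.dumps(silently_truncated(SAMPLE_WEB_ACL)))
```

Run it against a deployed ACL with `aws wafv2 get-web-acl --scope REGIONAL --name ... --id ... | python -c 'import json,sys; from audit import *; print(silently_truncated(json.load(sys.stdin)["WebACL"]))'` (module name assumed); every rule it lists is one where the `yes - MATCH` setting, or a separate size-constraint rule, should be considered.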

## Multiple solution deployments
<a name="multiple-solution-deployments"></a>

You can deploy this solution more than once in the same account and Region. Each deployment needs a unique CloudFormation stack name and a unique Amazon S3 bucket name. Each additional deployment incurs additional charges and counts against the per-account, per-Region [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html).

## Minimum role permissions for deployment (optional)
<a name="minimum-role-permissions"></a>

You can manually create an IAM role that holds the minimum permissions the deployment needs. The statements below, grouped by service, go into the `Statement` array of one policy document attached to that role. Two caveats: `iam:CreatePolicy` is authorized against policy ARNs (`arn:aws:iam::*:policy/*`), not the `role/*` resource shown in the IAM statement, and list operations such as `iam:ListRoles` and `cloudformation:ListStacks` are authorized only against `*`, so verify the role with a test deployment before relying on it:
+ WAF permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "wafv2:CreateWebACL",
                "wafv2:UpdateWebACL",
                "wafv2:DeleteWebACL",
                "wafv2:GetWebACL",
                "wafv2:ListWebACLs",
                "wafv2:CreateIPSet",
                "wafv2:UpdateIPSet",
                "wafv2:DeleteIPSet",
                "wafv2:GetIPSet",
                "wafv2:AssociateWebACL",
                "wafv2:DisassociateWebACL",
                "wafv2:PutLoggingConfiguration",
                "wafv2:DeleteLoggingConfiguration",
                "wafv2:ListIPSets",
                "wafv2:ListTagsForResource"
            ],
            "Resource": [
                "arn:aws:wafv2:*:*:regional/webacl/*",
                "arn:aws:wafv2:*:*:regional/ipset/*",
                "arn:aws:wafv2:*:*:global/webacl/*",
                "arn:aws:wafv2:*:*:global/ipset/*"
            ]
        }
```
+ Lambda permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:RemovePermission"
            ],
            "Resource": "arn:aws:lambda:*:*:function:*"
        }
```
+ Firehose permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "firehose:CreateDeliveryStream",
                "firehose:DeleteDeliveryStream",
                "firehose:DescribeDeliveryStream",
                "firehose:StartDeliveryStreamEncryption",
                "firehose:StopDeliveryStreamEncryption",
                "firehose:UpdateDestination"
            ],
            "Resource": "arn:aws:firehose:*:*:deliverystream/*"
        }
```
+ S3 permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucketPolicy",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetObject",
                "s3:PutBucketAcl",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketVersioning",
                "s3:PutEncryptionConfiguration",
                "s3:PutObject",
                "s3:PutBucketTagging",
                "s3:PutLifecycleConfiguration",
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:PutBucketLogging",
                "s3:GetBucketLogging"
            ],
            "Resource": "arn:aws:s3:::*"
        }
```
+ Athena permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "athena:CreateWorkGroup",
                "athena:DeleteWorkGroup",
                "athena:GetWorkGroup",
                "athena:UpdateWorkGroup",
                "athena:StartQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:StopQueryExecution"
            ],
            "Resource": "arn:aws:athena:*:*:workgroup/WAF*"
        }
```
+ Glue permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateDatabase",
                "glue:DeleteDatabase",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:UpdateDatabase",
                "glue:CreateTable",
                "glue:DeleteTable",
                "glue:GetTable",
                "glue:GetTables",
                "glue:UpdateTable"
            ],
            "Resource": [
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*",
                "arn:aws:glue:*:*:table/*/*",
                "arn:aws:glue:*:*:userDefinedFunction/*"
            ]
        }
```
+ CloudWatch Logs permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/lambda/*",
                "arn:aws:logs:*:*:log-group:*",
                "arn:aws:logs:*:*:log-group:/aws/kinesisfirehose/*"
            ]
        }
```
+ CloudWatch permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DeleteDashboards",
                "cloudwatch:GetDashboard",
                "cloudwatch:ListDashboards",
                "cloudwatch:PutDashboard",
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*"
        }
```
+ SNS permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:SetTopicAttributes"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        }
```
+ DynamoDB permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "dynamodb:PutItem",
                "dynamodb:GetItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/*"
        }
```
+ CloudFormation permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateStack",
                "cloudformation:ListStacks"
            ],
            "Resource": "arn:aws:cloudformation:*:*:stack/*/*"
        }
```
+ Service Catalog AppRegistry permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "servicecatalog:CreateApplication",
                "servicecatalog:DeleteApplication",
                "servicecatalog:GetApplication",
                "servicecatalog:TagResource",
                "servicecatalog:CreateAttributeGroup",
                "servicecatalog:DeleteAttributeGroup",
                "servicecatalog:GetAttributeGroup",
                "servicecatalog:AssociateAttributeGroup",
                "servicecatalog:DisassociateAttributeGroup",
                "servicecatalog:AssociateResource",
                "servicecatalog:DisassociateResource"
            ],
            "Resource": "arn:aws:servicecatalog:*:*:*"
        }
```
+ X-Ray permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
            ],
            "Resource": "*"
        }
```
+ IAM permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListRoles",
                "iam:PassRole",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/*"
        }
```
+ EventBridge permissions

```
        {
            "Effect": "Allow",
            "Action": [
                "events:PutTargets",
                "events:RemoveTargets",
                "events:DescribeRule",
                "events:EnableRule",
                "events:ListRules",
                "events:PutRule",
                "events:DeleteRule",
                "events:ListEventSources",
                "events:DescribeEventSource",
                "events:ActivateEventSource",
                "events:DeactivateEventSource"
            ],
            "Resource": "arn:aws:events:*:*:rule/*"
        }
```
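The added example below (not part of the solution or its templates) shows how a practitioner would assemble these statements into one policy document for the deployment role and lint it before attaching it. It assumes the role is a CloudFormation service role that trusts `cloudformation.amazonaws.com` and is passed with `--role-arn`, that the policy is attached inline, and it embeds only the WAF, CloudWatch and IAM statements from this page as sample input; the lint flags `Resource: "*"` entries, wildcard actions, duplicate actions, `iam:PassRole` granted on every role, and IAM's policy size limits.

```python
"""Assemble the per-service statements on this page into one policy document,
lint it for least-privilege slips, and write the trust policy for the role.

Added example, not part of the solution's templates. Assumptions: the role is
used as a CloudFormation service role (trusting cloudformation.amazonaws.com
and passed with `--role-arn`), and the policy is attached inline. Only three
of the page's statements are embedded to keep the sample short; the real
document would carry all of them.
"""
import json
import re

# IAM policy size limits; IAM counts characters without whitespace.
MANAGED_POLICY_MAX_CHARS = 6144
INLINE_ROLE_POLICY_MAX_CHARS = 10240

# Copied from this page (WAF, CloudWatch and IAM statements).
PAGE_STATEMENTS = {
    "WAF": {"Effect": "Allow",
            "Action": ["wafv2:CreateWebACL", "wafv2:UpdateWebACL", "wafv2:DeleteWebACL",
                       "wafv2:GetWebACL", "wafv2:ListWebACLs", "wafv2:CreateIPSet",
                       "wafv2:UpdateIPSet", "wafv2:DeleteIPSet", "wafv2:GetIPSet",
                       "wafv2:AssociateWebACL", "wafv2:DisassociateWebACL",
                       "wafv2:PutLoggingConfiguration", "wafv2:DeleteLoggingConfiguration",
                       "wafv2:ListIPSets", "wafv2:ListTagsForResource"],
            "Resource": ["arn:aws:wafv2:*:*:regional/webacl/*", "arn:aws:wafv2:*:*:regional/ipset/*",
                         "arn:aws:wafv2:*:*:global/webacl/*", "arn:aws:wafv2:*:*:global/ipset/*"]},
    "CloudWatch": {"Effect": "Allow",
                   "Action": ["cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard",
                              "cloudwatch:ListDashboards", "cloudwatch:PutDashboard",
                              "cloudwatch:PutMetricData"],
                   "Resource": "*"},
    "IAM": {"Effect": "Allow",
            "Action": ["iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole",
                       "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy",
                       "iam:GetRole", "iam:GetRolePolicy", "iam:ListRoles", "iam:PassRole",
                       "iam:PutRolePolicy"],
            "Resource": "arn:aws:iam::*:role/*"},
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def policy_document(statements):
    """Wrap the named statements in a policy document; Sids make findings traceable."""
    return {"Version": "2012-10-17",
            "Statement": [dict(Sid=sid, **stmt) for sid, stmt in statements.items()]}


def policy_size(doc):
    """Character count the way IAM applies its limits: whitespace excluded."""
    return len(re.sub(r"\s", "", json.dumps(doc)))


def lint(doc):
    """Return (Sid, kind, detail) findings a reviewer would raise before attaching."""
    findings = []
    for stmt in doc["Statement"]:
        sid, actions = stmt.get("Sid", "?"), as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        seen = set()
        for action in actions:
            if action in seen:
                findings.append((sid, "duplicate-action", action))
            seen.add(action)
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "wildcard-action", action))
        if "*" in resources:
            findings.append((sid, "wildcard-resource", ",".join(actions)))
        # PassRole on every role lets the deployer hand any role in the account
        # to any service that accepts one; scope it to the solution's role names.
        if "iam:PassRole" in actions:
            for res in resources:
                if res.endswith("role/*"):
                    findings.append((sid, "broad-passrole", res))
    size = policy_size(doc)
    if size > INLINE_ROLE_POLICY_MAX_CHARS:
        findings.append(("policy", "over-inline-limit", str(size)))
    elif size > MANAGED_POLICY_MAX_CHARS:
        findings.append(("policy", "over-managed-limit", str(size)))
    return findings


def cloudformation_trust_policy():
    """Trust policy for a CloudFormation service role (assumed via --role-arn)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "cloudformation.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    doc = policy_document(PAGE_STATEMENTS)
    for finding in lint(doc):
        print("%-12s %-18s %s" % finding)
    print("policy size: %d chars (whitespace excluded)" % policy_size(doc))
    with open("deploy-policy.json", "w") as fh:
        json.dump(doc, fh, indent=2)
    with open("deploy-trust.json", "w") as fh:
        json.dump(cloudformation_trust_policy(), fh, indent=2)
```

The two files it writes feed `aws iam create-role --assume-role-policy-document file://deploy-trust.json`, `aws iam put-role-policy --policy-document file://deploy-policy.json`, and then `aws cloudformation create-stack --role-arn ...`; with all of the page's statements included, the size check tells you whether the document still fits a managed policy or must stay inline.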