

This is a machine-translated version of the English page. Where the content is ambiguous or inconsistent, the English version prevails.

# Deployment considerations
<a name="deployment-considerations"></a>

The following sections describe the constraints and considerations for implementing this solution.

## AWS WAF rules
<a name="aws-waf-rules"></a>

The web ACL that this solution generates is designed to provide comprehensive protection for web applications. The solution provides a set of AWS managed rules and custom rules that you can add to the web ACL. To include a rule, choose `yes` for the corresponding parameter when you launch the CloudFormation stack. See [Step 1. Launch the stack](step-1.-launch-the-stack.md) for the list of parameters.

**Note**  
The out-of-the-box solution does not support [AWS Firewall Manager](https://aws.amazon.com/firewall-manager). If you want to use the rules in Firewall Manager, we recommend applying your customizations to its [source code](https://github.com/aws-solutions/aws-waf-security-automations).

## Web ACL traffic logging
<a name="web-acl-traffic-logging"></a>

If you create the stack in an AWS Region other than US East (N. Virginia) and set **Endpoint** to `CloudFront`, you must set **Activate HTTP Flood Protection** to `no` or `yes - AWS WAF rate based rule`.

The other two options (`yes - AWS Lambda log parser` and `yes - Amazon Athena log parser`) require AWS WAF logging to be enabled on the web ACL that runs at all AWS edge locations, and that is not supported outside US East (N. Virginia). For more information about logging web ACL traffic, see the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html).

## Oversize handling for request components
<a name="oversize-handling-for-request-components"></a>

AWS WAF does not support inspecting oversized content in the web request components body, headers, or cookies. When you write a rule statement that inspects one of these request component types, you can choose one of the following options to tell AWS WAF how to handle such requests:
+ `yes` (Continue) - Inspect the request component normally according to the rule's inspection criteria. AWS WAF inspects the request component contents that are within the size limit. This is the default option used in the solution.
+ `yes - MATCH` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request without evaluating it against the rule's inspection criteria. For rules with a `Block` action, this blocks the request that has the oversized component.
+ `yes - NO_MATCH` - Treat the web request as not matching the rule statement, without evaluating it against the rule's inspection criteria. AWS WAF continues to inspect the web request using the remaining rules in the web ACL, as it does for any non-matching rule.

For more information, see [Handling oversize web request components in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html).
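The following is an added example for this section; it is not code from the AWS WAF Security Automations project. It builds a WAFv2 `Rule` object whose `Body` field carries an explicit `OversizeHandling` value and then models how `CONTINUE`, `MATCH` and `NO_MATCH` change the outcome for a request body that exceeds the inspection limit. The rule name, search string, request bodies and the inspection limit passed to `evaluate()` are constructed values for the demonstration, not values from the solution.

```python
"""Added example: WAFv2 rule with OversizeHandling on the Body field, plus a
model of how each handling mode changes the rule outcome for an oversized body.
All sample inputs are constructed."""
import json

OVERSIZE_MODES = ("CONTINUE", "MATCH", "NO_MATCH")


def body_rule(name: str, priority: int, search: str, oversize: str = "CONTINUE") -> dict:
    """Build a WAFv2 Rule (the shape used by CreateWebACL/UpdateWebACL) that
    blocks requests whose body contains `search`. The API expects SearchString
    as bytes (base64 in CLI JSON); a plain string is kept here so the object
    stays readable and serialisable with json.dumps."""
    if oversize not in OVERSIZE_MODES:
        raise ValueError(f"OversizeHandling must be one of {OVERSIZE_MODES}, got {oversize!r}")
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {
            "ByteMatchStatement": {
                "SearchString": search,
                "FieldToMatch": {"Body": {"OversizeHandling": oversize}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                "PositionalConstraint": "CONTAINS",
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def evaluate(rule: dict, body: bytes, limit: int) -> str:
    """Model the outcome of one Block rule against a request body.
    Returns "block" when the rule matches (its action is applied) or
    "continue" when it does not (the web ACL moves on to the next rule).
    `limit` is the body inspection size limit; it is a constructed parameter
    here, not the service's own limit, which depends on the resource type."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    oversize = stmt["FieldToMatch"]["Body"]["OversizeHandling"]
    if len(body) > limit:
        if oversize == "MATCH":
            return "block"      # treated as a match, no inspection performed
        if oversize == "NO_MATCH":
            return "continue"   # treated as a non-match, no inspection performed
        body = body[:limit]     # CONTINUE: only the bytes within the limit are inspected
    needle = stmt["SearchString"].encode().lower()  # mirrors the LOWERCASE transformation
    return "block" if needle in body.lower() else "continue"


def render(rule: dict) -> str:
    """Serialise the rule as it would appear in a template or CLI input."""
    return json.dumps(rule, indent=2)


if __name__ == "__main__":
    limit = 1024                        # constructed inspection limit for the demo
    small = b"q=1&comment=<script>"      # constructed body within the limit
    large = b"x" * 2000 + b"<script>"    # constructed body whose marker lies past the limit
    for mode in OVERSIZE_MODES:
        rule = body_rule("BlockScriptTag", 1, "<script>", mode)
        print(f"{mode:9} small={evaluate(rule, small, limit):8} large={evaluate(rule, large, limit)}")
    print(render(body_rule("BlockScriptTag", 1, "<script>")))
```

The `large` case shows the caveat the section states: with the default `CONTINUE`, content beyond the size limit is never inspected, so a rule that depends on body inspection alone does not see it; `MATCH` makes such requests hit the rule action, and `NO_MATCH` passes them to the remaining rules in the web ACL.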

## Multiple solution deployments
<a name="multiple-solution-deployments"></a>

You can deploy the solution multiple times in the same account and Region. You must use a unique CloudFormation stack name and a unique Amazon S3 bucket name for each deployment. Each unique deployment incurs additional cost and is subject to the [AWS WAF quota limits](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) per account per Region.

## Minimum role permissions for deployment (optional)
<a name="minimum-role-permissions"></a>

Customers can manually create an IAM role with the minimum permissions required for the deployment:
+ WAF permissions

```
{
    "Effect": "Allow",
    "Action": [
        "wafv2:CreateWebACL",
        "wafv2:UpdateWebACL",
        "wafv2:DeleteWebACL",
        "wafv2:GetWebACL",
        "wafv2:ListWebACLs",
        "wafv2:CreateIPSet",
        "wafv2:UpdateIPSet",
        "wafv2:DeleteIPSet",
        "wafv2:GetIPSet",
        "wafv2:AssociateWebACL",
        "wafv2:DisassociateWebACL",
        "wafv2:PutLoggingConfiguration",
        "wafv2:DeleteLoggingConfiguration",
        "wafv2:ListWebACLs",
        "wafv2:ListIPSets",
        "wafv2:ListTagsForResource"
    ],
    "Resource": [
        "arn:aws:wafv2:*:*:regional/webacl/*",
        "arn:aws:wafv2:*:*:regional/ipset/*",
        "arn:aws:wafv2:*:*:global/webacl/*",
        "arn:aws:wafv2:*:*:global/ipset/*"
    ]
}
```
+ Lambda permissions

```
{
    "Effect": "Allow",
    "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:InvokeFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:AddPermission",
        "lambda:RemovePermission"
    ],
    "Resource": "arn:aws:lambda:*:*:function:*"
}
```
+ Firehose permissions

```
{
    "Effect": "Allow",
    "Action": [
        "firehose:CreateDeliveryStream",
        "firehose:DeleteDeliveryStream",
        "firehose:DescribeDeliveryStream",
        "firehose:StartDeliveryStreamEncryption",
        "firehose:StopDeliveryStreamEncryption",
        "firehose:UpdateDestination"
    ],
    "Resource": "arn:aws:firehose:*:*:deliverystream/*"
}
```
+ S3 permissions

```
{
    "Effect": "Allow",
    "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucketPolicy",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetObject",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketVersioning",
        "s3:PutEncryptionConfiguration",
        "s3:PutObject",
        "s3:PutBucketTagging",
        "s3:PutLifecycleConfiguration",
        "s3:AbortMultipartUpload",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:PutBucketLogging",
        "s3:GetBucketLogging"
    ],
    "Resource": "arn:aws:s3:::*"
}
```
+ Athena permissions

```
{
    "Effect": "Allow",
    "Action": [
        "athena:CreateWorkGroup",
        "athena:DeleteWorkGroup",
        "athena:GetWorkGroup",
        "athena:UpdateWorkGroup",
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StopQueryExecution"
    ],
    "Resource": "arn:aws:athena:*:*:workgroup/WAF*"
}
```
+ Glue permissions

```
{
    "Effect": "Allow",
    "Action": [
        "glue:CreateDatabase",
        "glue:DeleteDatabase",
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:UpdateDatabase",
        "glue:CreateTable",
        "glue:DeleteTable",
        "glue:GetTable",
        "glue:GetTables",
        "glue:UpdateTable"
    ],
    "Resource": [
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*",
        "arn:aws:glue:*:*:table/*/*",
        "arn:aws:glue:*:*:userDefinedFunction/*"
    ]
}
```
+ CloudWatch Logs permissions

```
{
    "Effect": "Allow",
    "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream",
        "logs:PutRetentionPolicy",
        "logs:DescribeLogGroups"
    ],
    "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/lambda/*",
        "arn:aws:logs:*:*:log-group:*",
        "arn:aws:logs:*:*:log-group:/aws/kinesisfirehose/*"
    ]
}
```
+ CloudWatch permissions

```
{
    "Effect": "Allow",
    "Action": [
        "cloudwatch:DeleteDashboards",
        "cloudwatch:GetDashboard",
        "cloudwatch:ListDashboards",
        "cloudwatch:PutDashboard",
        "cloudwatch:PutMetricData"
    ],
    "Resource": "*"
}
```
+ SNS permissions

```
{
    "Effect": "Allow",
    "Action": [
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sns:SetTopicAttributes"
    ],
    "Resource": "arn:aws:sns:*:*:*"
}
```
+ DynamoDB permissions

```
{
    "Effect": "Allow",
    "Action": [
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:DescribeTable",
        "dynamodb:PutItem",
        "dynamodb:GetItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
    ],
    "Resource": "arn:aws:dynamodb:*:*:table/*"
}
```
+ CloudFormation permissions

```
{
    "Effect": "Allow",
    "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks",
        "cloudformation:UpdateStack",
        "cloudformation:ListStacks"
    ],
    "Resource": "arn:aws:cloudformation:*:*:stack/*/*"
}
```
+ Service Catalog AppRegistry permissions

```
{
    "Effect": "Allow",
    "Action": [
        "servicecatalog:CreateApplication",
        "servicecatalog:DeleteApplication",
        "servicecatalog:GetApplication",
        "servicecatalog:TagResource",
        "servicecatalog:CreateAttributeGroup",
        "servicecatalog:DeleteAttributeGroup",
        "servicecatalog:GetAttributeGroup",
        "servicecatalog:AssociateAttributeGroup",
        "servicecatalog:DisassociateAttributeGroup",
        "servicecatalog:AssociateResource",
        "servicecatalog:DisassociateResource"
    ],
    "Resource": "arn:aws:servicecatalog:*:*:*"
}
```
+ X-Ray permissions

```
{
    "Effect": "Allow",
    "Action": [
        "xray:PutTraceSegments",
        "xray:PutTelemetryRecords"
    ],
    "Resource": "*"
}
```
+ IAM permissions

```
{
    "Effect": "Allow",
    "Action": [
        "iam:AttachRolePolicy",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:PutRolePolicy"
    ],
    "Resource": "arn:aws:iam::*:role/*"
}
```
+ EventBridge permissions

```
{
    "Effect": "Allow",
    "Action": [
        "events:PutTargets",
        "events:RemoveTargets",
        "events:DescribeRule",
        "events:EnableRule",
        "events:ListRules",
        "events:PutRule",
        "events:DeleteRule",
        "events:ListEventSources",
        "events:DescribeEventSource",
        "events:ActivateEventSource",
        "events:DeactivateEventSource"
    ],
    "Resource": "arn:aws:events:*:*:rule/*"
}
```
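The statements above are fragments: to attach them to a role they must be wrapped in a policy document with a `Version` and a `Statement` array. The following added example, which is not code from the solution, assembles fragments into such a document and runs two least-privilege checks over the result: duplicate actions within a statement, and statements whose `Resource` is `"*"`. The two fragments embedded below are the WAF and CloudWatch statements copied from this page; the other fragments are handled the same way by passing them to `build_policy()`.

```python
"""Added example: assemble IAM statement fragments into a policy document and
lint it for duplicate actions and wildcard resources. The two embedded
statements are copied from the page above; nothing else is assumed."""
import json

# Copied from the page: WAF statement. "wafv2:ListWebACLs" is listed twice.
WAF_STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "wafv2:CreateWebACL", "wafv2:UpdateWebACL", "wafv2:DeleteWebACL",
        "wafv2:GetWebACL", "wafv2:ListWebACLs", "wafv2:CreateIPSet",
        "wafv2:UpdateIPSet", "wafv2:DeleteIPSet", "wafv2:GetIPSet",
        "wafv2:AssociateWebACL", "wafv2:DisassociateWebACL",
        "wafv2:PutLoggingConfiguration", "wafv2:DeleteLoggingConfiguration",
        "wafv2:ListWebACLs", "wafv2:ListIPSets", "wafv2:ListTagsForResource",
    ],
    "Resource": [
        "arn:aws:wafv2:*:*:regional/webacl/*",
        "arn:aws:wafv2:*:*:regional/ipset/*",
        "arn:aws:wafv2:*:*:global/webacl/*",
        "arn:aws:wafv2:*:*:global/ipset/*",
    ],
}

# Copied from the page: CloudWatch statement, which grants on Resource "*".
CLOUDWATCH_STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard",
        "cloudwatch:ListDashboards", "cloudwatch:PutDashboard",
        "cloudwatch:PutMetricData",
    ],
    "Resource": "*",
}


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def build_policy(statements) -> dict:
    """Wrap statement fragments in a complete policy document."""
    return {"Version": "2012-10-17", "Statement": [dict(s) for s in statements]}


def duplicate_actions(statement) -> list:
    """Actions that appear more than once in one statement (harmless, but a sign
    the list was not reviewed)."""
    seen, dups = set(), []
    for action in _as_list(statement["Action"]):
        if action in seen and action not in dups:
            dups.append(action)
        seen.add(action)
    return dups


def wildcard_resource_statements(policy) -> list:
    """Indexes of statements granting on Resource "*". Some APIs (CloudWatch
    dashboards and metrics, X-Ray trace uploads) do not support resource-level
    permissions, so a wildcard there is expected; the check makes each one a
    deliberate decision rather than an oversight."""
    return [i for i, s in enumerate(policy["Statement"]) if "*" in _as_list(s["Resource"])]


def dedupe_actions(statement) -> dict:
    """Copy of the statement with duplicate actions removed, order preserved."""
    fixed = dict(statement)
    fixed["Action"] = list(dict.fromkeys(_as_list(statement["Action"])))
    return fixed


def lint(policy) -> list:
    """Human-readable findings; an empty list means nothing to review."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        for action in duplicate_actions(stmt):
            findings.append(f"statement {i}: duplicate action {action}")
    for i in wildcard_resource_statements(policy):
        findings.append(f'statement {i}: Resource "*" (confirm the service has no resource-level permissions)')
    return findings


if __name__ == "__main__":
    policy = build_policy([WAF_STATEMENT, CLOUDWATCH_STATEMENT])
    for finding in lint(policy):
        print(finding)
    cleaned = build_policy([dedupe_actions(WAF_STATEMENT), CLOUDWATCH_STATEMENT])
    print(json.dumps(cleaned, indent=2))
```

Run against the two embedded fragments, the lint reports the repeated `wafv2:ListWebACLs` and the CloudWatch wildcard; the second finding is expected for that service and is kept as a reviewed exception rather than "fixed".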