AWS announces preview of AWS Interconnect - multicloud

AWS announces AWS Interconnect – multicloud (preview), providing simple, resilient, high-speed private connections to other cloud service providers. AWS Interconnect - multicloud is easy to configure and provides high-speed, resilient connectivity with dedicated bandwidth, enabling customers to interconnect AWS networking services such as AWS Transit Gateway, AWS Cloud WAN, and Amazon VPC to other cloud service providers with ease.

How do I use AWS WAF to block specific file extension uploads?

4 minute read

I want to restrict file uploads (HTTP POST requests) with specific extensions to my web server.

Short description

When you analyze the POST data of an HTTP request, uploaded content can be one of two types:

Form data
Binary

To restrict file uploads with specific extensions (.pdf, .docx, .exe), you'll create and configure a custom web access control list (web ACL) rule in AWS WAF.

Note: AWS WAF inspects the first 8 KB (8,192 bytes) of the request body. For information on larger body requests, see Oversize web request components in AWS WAF.

Resolution

Identify the type of content that the POST data uses

The POST data inside HTTP requests typically uses either form data or binary.

Form data includes any data that a user enters on a web page or HTML form that HTTP sends or posts to a web server.
A binary payload is anything other than a text payload. For example, a binary payload can be a .jpeg file, a .gzip file, or an .xml file. This includes generic binary data such as from a .pdf application, .jpeg image, or .zip application. For all file extension types, see Media types on the Internet Assigned Numbers Authority (IANA) website.

To identify your POST request type, check the Content-Type value in the HTTP POST header. For example:

Content-Type: multipart/form-data

Based on your Content-Type output, see the appropriate section that match your header value.

Create a rule for multipart/form-data content

Complete the following steps:

Open the AWS WAF console.
In the navigation pane, choose AWS WAF.
Choose Resources & protection packs.
Select your Protection pack.
In your selected protection pack, select Rules.
Select View and edit next to Rules to view or modify the rules associated with your protection pack.
In the right pane for Manage rules choose Add rules.
Choose Create new rule.
Choose Custom rule and select Next.
For Rule Type, choose Custom rule and select Next.
To set up your rule, configure the following values:
For Action, choose Block for custom rules.
For Name, enter a name to identify this rule.
For If a request, choose matches the statement. Then, complete the following fields for the Statement:
For Inspect, choose JSON Body.
For JSON match scope, choose Values.
For Action for invalid JSON body requests, choose the option appropriate for you.
For Content to inspect, choose Full JSON content.
For Match type, choose Matches regular expression.
For Regular expression, enter a regex-pattern to match. See the following example:
```
(?:.pdf|.doc|.docx|.ppt)
```
(Optional) For Text transformation, add a text transformation or keep these fields as None.
For Oversize Handling, choose the relevant option for your use case.
Choose Create Rule.
Choose Save.

Create a rule for binary value

Complete the following steps:

Open the AWS WAF console.
In the navigation pane, choose AWS WAF.
Choose Resources & protection packs.
Select your Protection pack.
In your selected protection pack, select Rules.
Select View and edit next to Rules to view or modify the rules associated with your protection pack.
In the right pane for Manage rules choose Add rules.
Choose Create new rule.
Choose Custom rule and select Next.
For Rule Type, choose Custom rule and select Next.
To set up your rule, configure the following values:
For Action, choose Block for custom rules.
For Name, enter a name to identify this rule.
For If a request, choose matches the statement.
Complete the following fields for the Statement:
For Inspect, choose Single header.
For Header field name, enter Content-Type.
For Match type, choose Matches regular expression.
For Regular expression, enter a regex-pattern to match.
See the following example for .pdf and .jpeg files:
```
(?:pdf|jpeg)
```
(Optional) For Text transformation, add a text transformation or keep these fields as None.
Choose Create Rule.

Note: To restrict the rule for a specific upload URI path, use an AND statement inside the web ACL rule that inspects the path.

Topics: Security, Identity, & Compliance
Tags: AWS WAF
Language: English

AWS OFFICIALUpdated 5 months ago

2 Comments

So if I understand this rules will not work if I test with a file of more than 8k?

EricBellavance-Work

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

MODERATOR

AWS Official

replied 3 years ago

Relevant content

File uploads getting blocked after introducing AWS WAF
Ajay
asked 2 years ago
AWS WAF to restrict file download
Ritika
asked 2 years ago
Block suspicious(specific) user-agent using AWS WAF
Accepted Answer
Techxonia
asked 4 years ago
Pdf and audio file download blocked by WAF on CDN
Techxonia
asked 4 years ago
Cannot save a file with a specific format name and extension in Bucket
rePost-User-2907139
asked 3 years ago
How do I explicitly allow file uploads that an AWS WAF rule blocks without excluding the rule?
AWS OFFICIALUpdated 5 months ago
Why does AWS WAF block my legitimate upload request?
AWS OFFICIALUpdated 2 months ago
How do I use AWS WAF to block HTTP requests that don't contain a user agent header?
AWS OFFICIALUpdated 5 months ago
How do I use AWS WAF to allow or block requests from a specific country or geolocation?
AWS OFFICIALUpdated 5 months ago
AWS re:Post Knowledge Center Spotlight: AWS WAF
EXPERT
Shannon Lewis
published a year ago