Unable to get WAF rule OversizeHandling property from Lambda


From what I can tell, it doesn't seem to be possible to retrieve the OversizeHandling property for a WAF rule using a Lambda function. The WAF is returned using client.get_web_acl(...); however, the OversizeHandling is stripped out of the rules inside the WAF.

This is problematic because our workflow is that we create a stack in CloudFormation using aws-waf-security-automations, then have a Lambda run to make our own customisations to these rules and save them. Because the OversizeHandling is stripped during this process, the end result is that we are not compliant with the breaking changes being introduced at the end of this month that make specifying the OversizeHandling mandatory.

I've created a simple proof of concept to demonstrate this:

WAF

Note the OversizeHandling is present in the Body of the SqliMatchStatement

{
  "Name": "test-waf2-CloudFrontWAFAutomationsTest-1JLD9J7O1XHCD",
...
  "Rules": [
...
    {
      "Name": "test-waf2-CloudFrontWAFAutomationsTest-1JLD9J7O1XHCDSqlInjectionRule",
      "Priority": 20,
      "Statement": {
        "OrStatement": {
          "Statements": [
...
            {
              "SqliMatchStatement": {
                "FieldToMatch": {
                  "Body": {
                    "OversizeHandling": "CONTINUE"
                  }
                },
                "TextTransformations": [
                  {
                    "Priority": 1,
                    "Type": "URL_DECODE"
                  },
                  {
                    "Priority": 2,
                    "Type": "HTML_ENTITY_DECODE"
                  }
                ],
                "SensitivityLevel": "LOW"
              }
            }
...

Test lambda:

import json
import logging
import boto3

logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)

# WAFv2 client, created once per execution environment
client = boto3.client('wafv2')

def lambda_handler(event, context):
    # Fetch the Web ACL created by the CloudFormation stack
    web_acl = client.get_web_acl(
        Name="test-waf2-CloudFrontWAFAutomationsTest-1JLD9J7O1XHCD",
        Id="b01b9488-6255-443a-b3f5-5f384dc4f0b9",
        Scope="CLOUDFRONT",
    )
    # Log the full response so the rule statements can be inspected
    logger.info("Web ACL: %s", web_acl)

Lambda log output

Note there is no OversizeHandling under the Body of the SqliMatchStatement. The SensitivityLevel also appears to be missing.

{
   "WebACL":{
      "Name":"test-waf2-CloudFrontWAFAutomationsTest-1JLD9J7O1XHCD"
...
      "Rules":[
...
         {
            "Name":"test-waf2-CloudFrontWAFAutomationsTest-1JLD9J7O1XHCDSqlInjectionRule",
            "Priority":20,
            "Statement":{
               "OrStatement":{
                  "Statements":[
...
                     {
                        "SqliMatchStatement":{
                           "FieldToMatch":{
                              "Body":{
                                 
                              }
                           },
                           "TextTransformations":[
                              {
                                 "Priority":1,
                                 "Type":"URL_DECODE"
                              },
                              {
                                 "Priority":2,
                                 "Type":"HTML_ENTITY_DECODE"
                              }
                           ]
                        }
                     },

Does anyone have any idea why the OversizeHandling is being stripped, or have a suggestion for a workaround? Thank you!

asked a year ago · 74 views
No Answers
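
A guard the customisation Lambda could run on the WebACL part of the get_web_acl response before saving rules back, so that a rule set with OversizeHandling stripped is never written (an added example, not code from the original post or from aws-waf-security-automations). It goes beyond the Body case shown in the question by also checking JsonBody, Headers and Cookies, which accept the same setting; the helper names and sample ACLs are constructed for illustration.

```python
# Added example; helper names and sample ACLs are constructed, not from the post.
# FieldToMatch parts that accept an OversizeHandling setting in WAFv2.
OVERSIZE_FIELDS = ("Body", "JsonBody", "Headers", "Cookies")

def find_missing_oversize(node, path="WebACL"):
    """Walk any nesting of statements; return paths lacking OversizeHandling."""
    missing = []
    if isinstance(node, dict):
        ftm = node.get("FieldToMatch")
        if isinstance(ftm, dict):
            for part in OVERSIZE_FIELDS:
                if part in ftm and "OversizeHandling" not in (ftm[part] or {}):
                    missing.append(f"{path}.FieldToMatch.{part}")
        for key, value in node.items():
            if key != "FieldToMatch":
                missing += find_missing_oversize(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            missing += find_missing_oversize(item, f"{path}[{i}]")
    return missing

def rules_safe_to_save(web_acl):
    """Return the rules for writing back, or refuse if the setting was lost."""
    missing = find_missing_oversize(web_acl)
    if missing:
        raise ValueError("OversizeHandling missing at: " + ", ".join(missing))
    return web_acl["Rules"]

def _sample_acl(body):
    # Constructed sample shaped like the SqlInjectionRule in the question.
    transforms = [{"Priority": 1, "Type": "URL_DECODE"}]
    return {"Name": "example-acl", "Rules": [{
        "Name": "ExampleSqlInjectionRule", "Priority": 20,
        "Statement": {"OrStatement": {"Statements": [
            {"SqliMatchStatement": {"FieldToMatch": {"QueryString": {}},
                                    "TextTransformations": transforms}},
            {"SqliMatchStatement": {"FieldToMatch": {"Body": body},
                                    "TextTransformations": transforms}},
        ]}}}]}

INTACT_ACL = _sample_acl({"OversizeHandling": "CONTINUE"})  # as in the WAF JSON above
STRIPPED_ACL = _sample_acl({})                              # as in the Lambda log above

if __name__ == "__main__":
    print(find_missing_oversize(INTACT_ACL))    # nothing to report
    print(find_missing_oversize(STRIPPED_ACL))  # path of the stripped Body
```

In the Lambda, the value to pass is response["WebACL"] from get_web_acl; a raised ValueError stops the run before any rule is saved without the setting.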
