
AWS WAF support

Open iselegant opened this issue 4 years ago • 8 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments; they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

App Runner doesn't support attaching a WAF. If this can be achieved, I believe that we'll be able to find a lot of secure architectures and use cases with App Runner.

iselegant avatar Jun 22 '21 15:06 iselegant

A possible workaround is to use an edge-resident WAF outside of AWS WAF, such as Akamai or Cloudflare, provided the AR CNAME/origin could be completely protected from public access.

bretlowery avatar Jul 16 '21 15:07 bretlowery

@iselegant Can you provide more details? We haven't been able to use AppRunner yet until the RDS VPC support lands, but we'd also need WAF. I assume an ALB is provisioned with an AppRunner app. Can you manually attach WAF? Are you asking for built-in support, or is it not possible at all?

greenreign avatar Dec 22 '21 20:12 greenreign

@greenreign Thank you for your comment. In my opinion, it may be a better and simpler architecture if we can attach AWS WAF in front of the AWS App Runner endpoint, because many AWS users are used to setting up AWS WAF. Actually, I often have use cases for deploying container web apps with security requirements that allow only specific client access, such as an internal developer portal.

iselegant avatar Jan 28 '22 13:01 iselegant

Hello, we are looking at supporting WAF in App Runner and will have more updates on this thread going forward. To help us better learn about your use case, please give us feedback on some of these questions.

  1. What type of applications do you enable WAF on? Do you enable WAF on public internet facing applications or do you enable it on private VPC accessible internal applications?
  2. Where does AWS WAF sit in your architecture? Do you configure it on:
     a. An AWS ALB fronting your application
     b. Amazon CloudFront CDN. If CloudFront CDN, what do you use as the origin server behind the CDN (ALB, API Gateway, S3 or something else)?
     c. API Gateway fronting your application
     d. Somewhere else
  3. What type of WAF rules do you set on WAF Web Acls?
  4. If App Runner services are protected by AWS WAF, would you like to have AWS WAF Web Acls deployed in your account with full configurability via the AWS WAF API or have it run behind the scenes in an AppRunner owned account with only some knobs exposed through the App Runner API surface?
  5. If you want full configurability via the AWS WAF API, do you still want App Runner to manage certain aspects of WAF configuration? For example, setting up creating Web ACLs in your account with initial rules?
  6. Other than AWS WAF protection, would you also like App Runner to provide managed DDoS protection offered by AWS Shield?

amitgupta85 avatar Feb 11 '22 22:02 amitgupta85

I would like to be able to provide my own WAF for App Runner to use. This matches the pattern that I use for other public-facing applications: a configurable WAF applied to the ALB. I likely wouldn't find any use for a default, out-of-the-box WAF, nor do I need AWS Shield.

johngillespie-vp avatar Mar 03 '22 14:03 johngillespie-vp

Same use case as people have been pointing out. I need to be able to put a WAF in front of AppRunner. For me that only means I want to be able to associate a security group with the LB so that I can restrict inbound requests to my WAF.

We are talking internet facing applications

callicles avatar Apr 06 '22 01:04 callicles

I would prefer to attach the WAF of my account to the load balancer of App Runner, not have an App Runner built-in WAF. I guess it's the only missing feature for changing from EKS to App Runner.

em-cash avatar Apr 13 '22 15:04 em-cash

Any updates on this or workarounds?

weaverjess avatar Sep 29 '22 09:09 weaverjess

App Runner is probably failing to live up to the level of abstraction it looks set to deliver. For example, if I am developing Python Flask and I point App Runner at my git repo, it doesn't appear to help me be secure. It doesn't wrap my code in gunicorn, nginx and supervisord (like Elastic Beanstalk). Looking for CVEs, it looks like gunicorn is vulnerable to HTTP response splitting, and perhaps plenty more. This is something a platform that targets developers should be taking care of. Systems engineers who know all this are probably already running VPC, EC2, Security Groups, NACLs, Amazon Network Firewall, CloudFront, WAF, Shield, reverse proxies, Security Hub and heaven knows how many other services. Developers choosing App Runner are avoiding having to be experts in all those other products, as they are looking for the service provider to help with that.

I believe App Runner needs to prioritise security (or at least explain it better). A developer with code in Python in Git doesn't know about gunicorn, nginx, WAFs, file integrity monitoring, CDNs for anti-DDoS, Shield etc. Chances are developers are just running Python apps with Werkzeug naked on the web. If App Runner is doing more than just wiring up a container to an internet facing load balancer then it isn't clear and the residual risk for me to address is unclear.

hiselitelordship avatar Nov 06 '22 09:11 hiselitelordship

I'm probably stating the obvious here, but, as someone mentioned earlier, you can use an external CDN like Cloudflare WAF to protect your App Runner service.

If you want to use AWS WAF instead, you can use CloudFront for your App Runner and attach AWS WAF to your CloudFront distribution.

A couple of things to note here:

  • When you are choosing an origin domain for your CloudFront distribution, App Runner will not show up in the list of AWS origins (just like it didn't show up in Route 53 as an option for alias records back then). Ignore the list and enter the default domain of your App Runner service directly.

  • If you already have a "custom domain" attached to your App Runner service, remove that from App Runner, and remove the relevant records from your DNS. Then attach the domain to your CloudFront distribution, and point the domain to the CloudFront distribution in your DNS.

This worked pretty well for us, and you can also use Terraform to set these up easily.

zhuanyan-wang avatar Nov 16 '22 20:11 zhuanyan-wang
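The CloudFront-in-front-of-App-Runner setup described in the comment above, written out as an added Terraform example. This is not the commenter's own configuration: it assumes an existing App Runner service whose default domain, the custom domain moved off App Runner, and an ACM certificate issued in us-east-1 are supplied as variables (all placeholders), and it uses the AWS managed `CachingDisabled` and `AllViewerExceptHostHeader` policies so requests reach the app unchanged while the Host header stays the App Runner default domain.

```hcl
# Added example, not from the thread. Assumes an existing App Runner service;
# every name and value below is a placeholder.

# Web ACLs attached to CloudFront must be created in us-east-1 (scope = CLOUDFRONT).
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

variable "apprunner_default_domain" {
  description = "Default domain of the App Runner service (placeholder)"
  type        = string
}

variable "custom_domain" {
  description = "Custom domain, already removed from App Runner, to serve via CloudFront (placeholder)"
  type        = string
}

variable "acm_certificate_arn" {
  description = "ACM certificate for var.custom_domain, issued in us-east-1 (placeholder)"
  type        = string
}

# AWS managed policies: no caching; forward everything except the viewer Host header,
# since App Runner routes on Host and expects its own default domain there.
data "aws_cloudfront_cache_policy" "caching_disabled" {
  name = "Managed-CachingDisabled"
}

data "aws_cloudfront_origin_request_policy" "all_viewer_except_host" {
  name = "Managed-AllViewerExceptHostHeader"
}

resource "aws_wafv2_web_acl" "edge" {
  provider = aws.us_east_1
  name     = "apprunner-edge-acl"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # Baseline protection from the AWS managed common rule set.
  rule {
    name     = "aws-common-rules"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesCommonRuleSet"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "apprunner-edge-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_cloudfront_distribution" "apprunner" {
  enabled    = true
  aliases    = [var.custom_domain]
  web_acl_id = aws_wafv2_web_acl.edge.arn

  # App Runner is not in the AWS-origin picker, so it is a plain custom origin.
  origin {
    origin_id   = "apprunner"
    domain_name = var.apprunner_default_domain

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id         = "apprunner"
    viewer_protocol_policy   = "redirect-to-https"
    allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.caching_disabled.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer_except_host.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.acm_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```

After `terraform apply`, point the custom domain's DNS record at the distribution's domain name, as the second bullet above describes. Note that this only inspects traffic that arrives via CloudFront: the App Runner default domain remains reachable directly from the internet, which is the gap raised in the next comment.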

Using an external provider like Cloudflare isn't a viable solution yet, because the App Runner default domain is still accessible on the public internet and thus the application is still vulnerable to attacks. Providers, like Cloudflare, can only protect your custom domains. What we'd like to see, is something similar to how this is solved in API Gateway, an App Runner resource policy that allows restricting inbound access to your App Runner service by IP. We can then lock down the default domain to only receive traffic from Cloudflare's network and thus enforce Cloudflare proxying of all traffic to the origin endpoints.

emilhdiaz avatar Dec 06 '22 20:12 emilhdiaz

Any news on that issue?

atali avatar Feb 05 '23 00:02 atali

Looks like this just landed: https://aws.amazon.com/about-aws/whats-new/2023/02/aws-app-runner-web-application-firewall-enhanced-security/

mwarkentin avatar Feb 24 '23 21:02 mwarkentin

Hello everyone, App Runner now supports AWS web application firewall (WAF). See the launch announcement and documentation to learn more about this capability.

Launch announcement: https://aws.amazon.com/about-aws/whats-new/2023/02/aws-app-runner-web-application-firewall-enhanced-security/

App Runner documentation: https://docs.aws.amazon.com/apprunner/latest/dg/waf.html

snnles avatar Feb 24 '23 21:02 snnles
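With the direct association announced above, the CloudFront detour is no longer needed: a `REGIONAL` web ACL can be associated with the App Runner service ARN. The following is an added Terraform example, not AWS's documentation code or any commenter's configuration. It builds the kind of allow-list that emilhdiaz described (only listed client ranges, such as a proxy's egress addresses, may reach the service), puts a per-IP rate limit ahead of it, and attaches the ACL to the service; the service ARN and CIDR ranges are placeholders supplied as variables.

```hcl
# Added example, not from the thread. Assumes an existing App Runner service in the
# provider's region; the ARN and CIDR ranges are placeholders supplied by the caller.

variable "apprunner_service_arn" {
  description = "ARN of the App Runner service to protect (placeholder)"
  type        = string
}

variable "allowed_cidrs" {
  description = "Client ranges allowed to reach the service, e.g. a proxy's egress ranges (placeholder)"
  type        = list(string)
}

# Allow-list of client ranges; everything else falls through to the ACL default action.
resource "aws_wafv2_ip_set" "allowed_clients" {
  name               = "apprunner-allowed-clients"
  scope              = "REGIONAL" # App Runner is a regional resource, unlike CloudFront
  ip_address_version = "IPV4"
  addresses          = var.allowed_cidrs
}

resource "aws_wafv2_web_acl" "service" {
  name  = "apprunner-service-acl"
  scope = "REGIONAL"

  # Deny by default: the default domain stops being an open endpoint.
  default_action {
    block {}
  }

  # Priority 0: throttle any single source IP, listed clients included.
  rule {
    name     = "rate-limit-per-ip"
    priority = 0

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 2000 # requests per evaluation window, per source IP
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  # Priority 1: admit traffic from the allow-listed ranges.
  rule {
    name     = "allow-listed-clients"
    priority = 1

    action {
      allow {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.allowed_clients.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-listed-clients"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "apprunner-service-acl"
    sampled_requests_enabled   = true
  }
}

# Attaches the web ACL to the App Runner service itself; no CloudFront in between.
resource "aws_wafv2_web_acl_association" "apprunner" {
  resource_arn = var.apprunner_service_arn
  web_acl_arn  = aws_wafv2_web_acl.service.arn
}
```

The source IP evaluated here is the one App Runner sees, so when a proxy such as Cloudflare sits in front, the allow-list must contain the proxy's ranges rather than end-user addresses. The CloudWatch metrics enabled on each rule are what a detection pipeline would watch for blocked requests against the default domain.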