I need to implement a WAF that covers the OWASP Top 10, and AWS luckily already created a sample CloudFormation template for this. However, it is in WAF version 1.

I am new to AWS WAF, but it seems to me that AWS is making a big effort to migrate from WAF v1 to v2, even though v1 is still available. I have also tried to convert the v1 resources to v2 using the WAF migration wizard. This has worked but has created a horrific CloudFormation template which will take quite a while to fix up to the standard and state that the original v1 template was in (parameters and outputs have been lost, resource names have GUIDs instead of meaningful identifiers, etc.).

So my question is (before I spend ages fixing the generated template!): is it OK to remain with WAF v1, or should I really be using v2 now?

Thanks in advance :)

danrockcoll

1 Answer

Apologies, my Google skills failed me on this one, as I have just found a medium.com article explaining why WAFv2 is so great: it has a huge bunch of managed rulesets, some of which address the OWASP Top 10. Although there isn't a specific managed ruleset for the OWASP Top 10, they are all covered if you enable a few of the AWS managed rules (the core one and the SQL one cover most if not all of the 10).

So the answer to this question is definitely to use WAFv2 and then enable the core and SQL AWS managed rules.

I think this will cover the Top 10, but my services are getting pentested at some point soon, so if they tell me I have missed anything, I will comment back here to complete the picture :)

danrockcoll
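
The setup the answer settles on, written by hand as a WAFv2 CloudFormation template (an added example, not part of the original post and not AWS's sample template): a web ACL that enables the AWS managed core and SQL injection rule groups, with the parameters, outputs and readable names that the migration wizard output lacked. The logical IDs, rule names, priorities, metric names and the `Scope` parameter are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: WAFv2 web ACL with the AWS managed core and SQLi rule groups
# Logical IDs, rule names, priorities and metric names are illustrative assumptions.
Parameters:
  Scope:
    Type: String
    Default: REGIONAL
    AllowedValues: [REGIONAL, CLOUDFRONT]
Resources:
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: !Sub "${AWS::StackName}-web-acl"
      Scope: !Ref Scope
      DefaultAction:
        Allow: {}            # requests that match no rule are allowed
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: !Sub "${AWS::StackName}-web-acl"
      Rules:
        - Name: CoreRuleSet
          Priority: 10
          OverrideAction:
            None: {}         # keep the rule group's own actions (block)
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: CoreRuleSet
        - Name: SQLiRuleSet
          Priority: 20
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: SQLiRuleSet
Outputs:
  WebACLArn:
    Description: ARN to reference when associating the web ACL
    Value: !GetAtt WebACL.Arn
```

Changing `OverrideAction` from `None: {}` to `Count: {}` makes a rule group record matches without blocking, which helps when tuning against real traffic before enforcement. A web ACL with `CLOUDFRONT` scope has to be created in us-east-1.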