The way that AWS WAF works seems to be very unclear. At the moment, I'm trying to allow all traffic to a certain path. Let's say everything to /admin should be allowed and not go through the XSS or SQL filters that I've added from the "common attacks" to my setup via their official guide: https://docs.aws.amazon.com/waf/latest/developerguide/tutorials-common-attacks.html

But the UI and docs make it really unclear how to do this. Any help or resources would be very useful.
# waf using rate-based rule
resource "aws_wafv2_web_acl" "example" {
  name        = "example"
  description = "Example of a regional rate based statement."
  scope       = "REGIONAL"

  # Requests that match no rule are allowed.
  default_action {
    allow {}
  }

  rule {
    name     = "LoginRateLimit"
    priority = 0

    # "count" only records matches in metrics; use block {} to enforce the limit.
    action {
      count {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Metric-Limit"
      sampled_requests_enabled   = true
    }

    statement {
      rate_based_statement {
        # More than 500 requests in the 5-minute window from one source IP matches.
        limit              = 500
        aggregate_key_type = "IP"

        # Only requests whose URI path contains "login" are counted toward the limit.
        scope_down_statement {
          byte_match_statement {
            field_to_match {
              uri_path {}
            }
            positional_constraint = "CONTAINS"
            search_string         = "login"
            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "any-name"
    sampled_requests_enabled   = true
  }
}
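As an added example, not taken from the question or from AWS, this is one way to express the exemption the question asks for in the same Terraform style as the snippet above: the managed Common rule group gets a scope-down statement that excludes requests whose URI path starts with /admin, so that group never inspects the path, while every other rule in the web ACL (such as the rate-based rule above) still applies to it. The resource and rule names are assumptions.

```hcl
resource "aws_wafv2_web_acl" "example" {
  name  = "example"
  scope = "REGIONAL"
  default_action {
    allow {}
  }
  # Added example (resource and rule names assumed). The scope-down statement makes this
  # managed group skip requests whose URI path starts with /admin; repeat it on the SQLi group.
  rule {
    name     = "CommonRuleSet"
    priority = 0
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        scope_down_statement {
          not_statement {
            statement {
              byte_match_statement {
                field_to_match {
                  uri_path {}
                }
                # STARTS_WITH also matches longer paths such as /admin-tools.
                positional_constraint = "STARTS_WITH"
                search_string         = "/admin"
                text_transformation {
                  priority = 0
                  type     = "NONE"
                }
              }
            }
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRuleSet"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example"
    sampled_requests_enabled   = true
  }
}
```

Sampled requests for the rule show which paths the group actually evaluated, which is the quickest way to confirm /admin is being skipped.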