---
title: "WAF (Web Application Firewall)"
type: concept
tags: [AWS, Security, Networking]
sources: [ctp-topic-7-saas-landing-zone-design]
last_updated: 2026-05-06
---

## WAF (Web Application Firewall)

AWS Web Application Firewall: a web application firewall service that monitors and filters the HTTP/HTTPS traffic entering a web application.

## Definition

WAF is the core component of the product account's inbound security layer:

- **Function**: filters malicious traffic using rules, protecting web applications from common attacks such as the OWASP Top 10
- **Deployment location**: the product account, after CloudFront and the Load Balancer
- **Traffic monitoring**: WAF monitors inbound traffic and can block attacks such as SQL injection, XSS and CSRF

## Role in SaaS Landing Zone

In the Product Account inbound architecture defined in [[ctp-topic-7-saas-landing-zone-design]]:

- **Position**: CloudFront → **WAF** → Load Balancer (public subnet) → workloads (private subnet)
- **Function**: monitors inbound traffic in real time and blocks anomalous requests
- **Optional CloudFront**: the CDN layer is optional, but WAF is a mandatory security layer

## Key Properties

- **Type**: Security Service
- **Layer**: Application Layer (L7)
- **Position in stack**: After CDN/Before Application
- **In SaaS LZ**: product account inbound security layer

## AWS WAF Capabilities

- Managed rule groups (AWS managed, vendor managed)
- IP blocking/rate limiting
- Geographic restrictions
- SQL injection and XSS protection
- Bot control

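As an added example (not part of this note or of any AWS sample), the following Terraform web ACL combines two of the capabilities above for the product account's load balancer: an AWS managed rule group for common SQLi/XSS style attacks and a rate-based block per source IP. The ACL name, the `2000` threshold and the `REGIONAL` scope (the ALB case; a CloudFront distribution needs `CLOUDFRONT` scope in us-east-1) are assumptions.

```hcl
resource "aws_wafv2_web_acl" "product_inbound" {
  name  = "product-inbound-acl"  # placeholder name
  scope = "REGIONAL"             # ALB in the product account; "CLOUDFRONT" (us-east-1 only) if attached to the CDN
  default_action {
    allow {}   # allow by default; the rules below decide what to block
  }
  # Managed rule group (AWS managed): baseline coverage of common web attacks such as SQLi and XSS
  rule {
    name     = "aws-common"
    priority = 10
    override_action {
      none {}  # keep the block actions defined inside the managed group
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common"
      sampled_requests_enabled   = true
    }
  }
  # Rate limiting: block any source IP that exceeds the limit within the 5-minute evaluation window
  rule {
    name     = "rate-limit"
    priority = 20
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000  # placeholder threshold: requests per 5 minutes per IP
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "product-inbound-acl"
    sampled_requests_enabled   = true
  }
}
```

The ACL only takes effect once it is attached to the load balancer with an `aws_wafv2_web_acl_association` resource, and the CloudWatch metrics enabled here are what the "real-time monitoring" in the role section relies on.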
## Relationship to AWS Firewall Manager

- [[AWS-Firewall-Manager]] provides centralized management of WAF policies across multiple accounts
- [[ctp-topic-55-aws-firewall-manager]] covers hands-on practice with AWS Firewall Manager

## Connections

- [[ctp-topic-7-saas-landing-zone-design]] — SaaS LZ product account inbound security layer
- [[ctp-topic-55-aws-firewall-manager]] — AWS Firewall Manager multi-account WAF management