I want to know if the OWASP Core Rule Set is the rule set that Google Cloud Armor uses. If yes, how can I test my payloads so they will be compliant with the Google Cloud Armor WAF rules? Are there any available tools that I can use for testing?
Google Cloud Armor uses various rule sets, including the OWASP ModSecurity Core Rule Set (CRS).
If you want to test payloads against CRS, try our sandbox service:
https://coreruleset.org/docs/development/sandbox/
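The sandbox linked above exercises upstream CRS; Cloud Armor's preconfigured WAF rules are Google's tuned derivation of it, so the authoritative check is always against your own policy. As an added example that is not part of the answer above, the script below sends a handful of constructed SQLi and XSS probes (labelled as such in the code) to a URL you own and classifies each response by status code: Cloud Armor's deny action returns 403 by default, throttle rules return 429, and anything 2xx/3xx reached the backend. TARGET, the payload list and the probe labels are assumptions; replace them with your endpoint and test cases.

```shell
#!/bin/sh
# Added example, not from the original answer: probe a Cloud Armor-fronted
# endpoint with constructed payloads and report which ones the WAF stops.
# TARGET is an assumed placeholder; CURL can point at a wrapper script.

TARGET="${TARGET:-https://example.com/search}"   # assumed placeholder URL
CURL="${CURL:-curl}"

# Constructed probe payloads (label, then the URL-encoded query string).
# The last one is benign and should always reach the backend.
PAYLOADS='sqli_union q=1%27%20UNION%20SELECT%201,2,3--
sqli_or q=1%27%20OR%20%271%27%3D%271
xss_script q=%3Cscript%3Ealert(1)%3C/script%3E
xss_img q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
benign q=hello%20world'

# Map an HTTP status to a verdict. deny-403 is Cloud Armor's default deny
# action, 429 comes from throttle / rate-based rules, and 000 is what curl
# reports when no response arrived at all.
classify_status() {
  case "$1" in
    403) echo BLOCKED ;;
    429) echo THROTTLED ;;
    000) echo UNREACHABLE ;;
    2*|3*) echo PASSED ;;
    *) echo "OTHER($1)" ;;
  esac
}

# Send one probe and print only the HTTP status code.
send_probe() {
  "$CURL" -s -o /dev/null -w '%{http_code}' --max-time 10 "$TARGET?$1"
}

# Run every payload and print: label, status, verdict.
run_probes() {
  printf '%s\n' "$PAYLOADS" | while read -r label query; do
    code=$(send_probe "$query")
    printf '%-12s %s %s\n' "$label" "$code" "$(classify_status "$code")"
  done
}

# Only probe when a target is given on the command line.
if [ "$#" -gt 0 ]; then
  TARGET=$1
  run_probes
fi
```

Run it as `sh probe.sh https://your-host/path`. If a probe you expect to be blocked comes back PASSED, check the load balancer request logs: a rule created with --preview is evaluated and logged but never enforced, which is the right mode for tuning but gives a 200 here.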
Related
We have an ASGI API (FastAPI), and in this API we have a Prometheus metrics endpoint. How can we export these metrics to Google Cloud Monitoring using OpenTelemetry, without using a sidecar?
If you want to export your OpenTelemetry metrics to Cloud Monitoring, Prometheus is useless; you can use the OpenTelemetry - Cloud Monitoring integration directly.
In Python, you have an OpenTelemetry exporter that allows you to do that. No sidecar.
Then, if you need to query your metrics with PromQL, you can use Managed Service for Prometheus, which offers a compliant PromQL endpoint and is based on Monarch (Google's internal logging system).
OpenTelemetry doesn't really have a way to scrape a Prometheus endpoint that I'm aware of. I would recommend simply using the Prometheus/Cloud Monitoring integration if that's at all an option. Otherwise, you can instrument your application to write to Cloud Monitoring using OpenTelemetry.
I have the Google Cloud Platform load balancer as a CDN and entry point to my running services.
As far as I know GCP load balancer offers out of the box DDoS protection even without custom Cloud Armor rules setup.
Does it also include some protection against the "bad bots" which are scraping the info or sending spam?
If not, is there any way we can set up some rules using Cloud Armor to protect GCP services against such bots?
Since your question is very broad and not very precise, I will just point out some of the main features and benefits of Cloud Armor and point you to some useful documentation that will help you understand how to configure and use it.
Cloud Armor key features are:
Benefit from DDoS protection and WAF at Google scale
Detect and mitigate attacks against your Cloud Load Balancing workloads
Adaptive Protection (Preview) ML-based mechanism to help detect and block Layer 7 DDoS attacks
Mitigate OWASP Top 10 risks and help protect workloads on-premises or in the cloud
WAF is a set of web application firewall rules that you can configure to protect your resources. Rules are written in the CEL language, so have a look at this document to help you understand how they work.
Adaptive protection
helps you protect your Google Cloud applications, websites, and services against L7 distributed denial-of-service (DDoS) attacks such as HTTP floods and other high-frequency layer 7 (application-level) malicious activity. Adaptive Protection builds machine-learning models that do the following:
Detect and alert on anomalous activity
Generate a signature describing the potential attack
Generate a custom Google Cloud Armor WAF rule to block the signature
Last but not least, what is OWASP?
OWASP stands for the Open Web Application Security Project, an online community that produces articles, methodologies, documentation, tools, and technologies in the field of web application security.
The Top 10 OWASP vulnerabilities in 2021 are:
Injection
Broken authentication
Sensitive data exposure
XML external entities (XXE)
Broken access control
Security misconfigurations
Cross site scripting (XSS)
Insecure deserialization
Using components with known vulnerabilities
Insufficient logging and monitoring
Combining this together, Cloud Armor gives you a wide array of tools to protect your infrastructure from anything you can think of, given you can understand WAF rules and master the skill of writing them.
You can also try to use reCAPTCHA Enterprise integrated with Cloud Armor to challenge all automated requests:
Google Cloud Armor provides effective management of automated clients' requests towards your backends through native integration with reCAPTCHA Enterprise. reCAPTCHA Enterprise uses advanced risk analysis techniques to distinguish between human users and automated clients.
With the integration, reCAPTCHA Enterprise issues an encrypted token that contains the reCAPTCHA Enterprise assessment and associated attributes about the risk associated with the request. Google Cloud Armor deciphers this token without an additional request/response to the reCAPTCHA Enterprise server. Based on the token attributes, Google Cloud Armor lets you allow, block, or redirect the incoming requests.
Here's an example of redirecting to reCAPTCHA:
You can redirect a request to reCAPTCHA Enterprise to assess the user and serve manual challenges if necessary, without any additional reCAPTCHA Enterprise implementation. When human users share the same signature (such as URL paths or other L7 signatures) as a bot or an abusive system, this action provides a way for them to prove they are human and gain access, rather than being blocked. Only users who pass the assessment can acquire an exemption cookie and gain access to your service.
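As an added example, not from the answer above or from Google's documentation, here is a gcloud script that wires together the pieces the answer lists for the bot problem in the question: the preconfigured WAF rules (Cloud Armor's derivation of the OWASP ModSecurity CRS) created in preview mode, a rate-based ban on a scraped path, and a reCAPTCHA Enterprise redirect on a form that bots hit. The policy name, backend service name, paths and thresholds are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: build and attach a Cloud Armor
# security policy with WAF, rate-limiting and reCAPTCHA redirect rules.
# Names, paths and thresholds below are assumed placeholders.
# GCLOUD=echo prints the commands instead of running them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
POLICY="${POLICY:-bot-protection}"    # assumed policy name
BACKEND="${BACKEND:-web-backend}"     # assumed backend service name

create_policy() {
  "$GCLOUD" compute security-policies create "$POLICY" \
    --description "WAF + bot mitigation"

  # Preconfigured WAF rules derived from the OWASP ModSecurity CRS.
  # --preview logs matches without enforcing them; keep it until the
  # request logs show no false positives, then drop the flag.
  "$GCLOUD" compute security-policies rules create 1000 \
    --security-policy "$POLICY" \
    --expression "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})" \
    --action deny-403 --preview
  "$GCLOUD" compute security-policies rules create 1001 \
    --security-policy "$POLICY" \
    --expression "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})" \
    --action deny-403 --preview

  # Rate-based ban for scrapers: a client IP sending more than 100 requests
  # per minute to the catalogue path is banned for 10 minutes (assumed
  # threshold; tune per endpoint from your own traffic baseline).
  "$GCLOUD" compute security-policies rules create 2000 \
    --security-policy "$POLICY" \
    --expression "request.path.startsWith('/catalog/')" \
    --action rate-based-ban \
    --rate-limit-threshold-count 100 \
    --rate-limit-threshold-interval-sec 60 \
    --ban-duration-sec 600 \
    --conform-action allow \
    --exceed-action deny-429 \
    --enforce-on-key IP

  # Send everything hitting the signup form through a reCAPTCHA Enterprise
  # assessment; only clients that pass get the exemption cookie. Requires
  # reCAPTCHA Enterprise enabled and a redirect site key on the policy.
  "$GCLOUD" compute security-policies rules create 3000 \
    --security-policy "$POLICY" \
    --expression "request.path.matches('/signup')" \
    --action redirect \
    --redirect-type google-recaptcha

  # The default rule (priority 2147483647) allows anything not matched above.
  "$GCLOUD" compute security-policies rules update 2147483647 \
    --security-policy "$POLICY" --action allow
}

# Attach the policy to the backend service behind the external HTTP(S) LB.
attach_policy() {
  "$GCLOUD" compute backend-services update "$BACKEND" \
    --security-policy "$POLICY" --global
}

if [ "${1:-}" = apply ]; then
  create_policy
  attach_policy
fi
```

Run `sh policy.sh apply` with an authenticated gcloud, or `GCLOUD=echo sh policy.sh apply` to review the commands first. Rule priorities are evaluated lowest number first, so the WAF rules run before the rate limit and the reCAPTCHA redirect; a request that trips the SQLi rule is denied before it is ever rate-counted.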
AWS lets you set up a Lambda@Edge function that is executed after a response is received from the origin (see picture below). Can I do it with GCP?
UPDATE
This can be done now with the Cloud Functions service in Google Cloud Platform, as stated in the official documentation [1].
"Cloud Functions allows you to trigger your code from Google Cloud, Firebase, and Google Assistant, or call it directly from any web, mobile, or backend application via HTTP."
In this document you can find the feature comparison of AWS and Azure with matching features in GCP, including the one just mentioned of GCP Cloud Run matching AWS Lambda [2].
Finally, you can find documentation on how to write Cloud Functions, the different programming languages used, and examples for the different usages here [3].
I deployed AWS WAF for my ALB (using a CloudFormation template). Now I want to configure scan probe and bad bot rules to work with Google and other search bots. How can I identify "good" bots?
I would like to put an AWS WAF in front of a web site served by CloudFront. I will need to update this WAF via automated calls though its API.
Where is this API documented?
I quickly found the Making HTTPS Requests to AWS WAF or Shield Advanced page, which states that
Many AWS WAF and Shield Advanced API actions require you to include
JSON-formatted data in the body of the request.
This is followed by a random example of how to insert an IP match condition rule.
I cannot believe that this is the only "documentation" available (making the REST interface hardly usable).
Here is the API documentation for WAF: http://docs.aws.amazon.com/waf/latest/APIReference/API_Operations_AWS_WAF.html
and this if you are using Python: https://boto3.amazonaws.com/v1/documentation/api/latest/index.html