Merge pull request #3 from deckerego/rate_limit

Add in request throttling and WAF ACLs
deckerego · Mar 6, 2021 · 6712711 · 6712711
2 parents 0399e4a + 1503160
commit 6712711
Show file tree

Hide file tree

Showing 5 changed files with 155 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -19,6 +19,12 @@ HTTP requests are sent to the SQS Gateway over HTTP POST with any content you wi
 
 The API key is available in the AWS Secrets Manager and is autogenerated upon deployment.
 
+
 ## Retrieving HTTP Requests
 
 A sample Node.JS script is located in the `/scripts` directory as an example of how you could subscribe to the SQS queue receiving inbound requests. The remote gateway would intercept the request, store the contents as an SQS message, and then allow subscribers polling the queue to fetch them.
+
+
+## API Gateway Stage Settings
+
+The default settings in `serverless.yml` rate limit the API Gateway Stage to 1 request per second, with 1 concurrent request. Some default web application firewall rules are also applied to the gateway. To modify these settings, tweak `serverless.yml` or `resources/waf.yml` as needed.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -8,7 +8,9 @@
     "test": "jest"
   },
   "devDependencies": {
-    "jest": "^25.1.0"
+    "jest": "^25.1.0",
+    "serverless-api-gateway-throttling": "^1.1.0",
+    "serverless-associate-waf": "^1.2.1"
   },
   "dependencies": {
     "@aws-sdk/client-sqs": "^3.7.0",

diff --git a/resources/waf.yml b/resources/waf.yml
@@ -0,0 +1,50 @@
+Resources:
+  WafWebACL:
+    Type: AWS::WAFv2::WebACL
+    Properties:
+      Name: ${self:service}-${self:provider.stage}-WebACL
+      Scope: REGIONAL
+      Description: Web Application Firewall settings for ${self:service} ${self:provider.stage} API Gateway
+      DefaultAction:
+        Allow: {}
+      VisibilityConfig:
+        SampledRequestsEnabled: false
+        CloudWatchMetricsEnabled: true
+        MetricName: ${self:service}WafWebACL
+      Rules:
+        - Name: AWS-AWSManagedRulesCommonRuleSet
+          Priority: 0
+          OverrideAction:
+            None: {}
+          Statement:
+            ManagedRuleGroupStatement:
+              VendorName: AWS
+              Name: AWSManagedRulesCommonRuleSet
+          VisibilityConfig:
+            SampledRequestsEnabled: false
+            CloudWatchMetricsEnabled: true
+            MetricName: ${self:service}WafWebACLCommon
+        - Name: AWS-AWSManagedRulesAmazonIpReputationList
+          Priority: 1
+          OverrideAction:
+            None: {}
+          Statement:
+            ManagedRuleGroupStatement:
+              VendorName: AWS
+              Name: AWSManagedRulesAmazonIpReputationList
+          VisibilityConfig:
+            SampledRequestsEnabled: false
+            CloudWatchMetricsEnabled: true
+            MetricName: ${self:service}WafWebACLReputation
+        - Name: AWS-AWSManagedRulesKnownBadInputsRuleSet
+          Priority: 2
+          OverrideAction:
+            None: {}
+          Statement:
+            ManagedRuleGroupStatement:
+              VendorName: AWS
+              Name: AWSManagedRulesKnownBadInputsRuleSet
+          VisibilityConfig:
+            SampledRequestsEnabled: false
+            CloudWatchMetricsEnabled: true
+            MetricName: ${self:service}WafWebACLBadInputs
diff --git a/serverless.yml b/serverless.yml
@@ -1,3 +1,7 @@
+plugins:
+  - serverless-api-gateway-throttling
+  - serverless-associate-waf
+
 service: sqsgateway
 frameworkVersion: '1'
 
@@ -23,6 +27,14 @@ provider:
       Resource:
         - Ref: APIKeySecret
 
+custom:
+  apiGatewayThrottling:
+    maxRequestsPerSecond: 1
+    maxConcurrentRequests: 1
+  associateWaf:
+    name: ${self:service}-${self:provider.stage}-WebACL
+    version: V2
+
 functions:
   submit:
     handler: handlers/push.post
@@ -39,3 +51,4 @@ functions:
 resources:
   - ${file(resources/sqs.yml)}
   - ${file(resources/secrets.yml)}
+  - ${file(resources/waf.yml)}