AWS
Glean Web Application Firewall on AWS
This document describes Glean’s security measures using AWS WAF, including default and custom features, monitoring, costs, IP restrictions, and third-party WAF limitations.
To augment the security protocols on the external application load balancer, Glean has seamlessly integrated AWS’s Web Application Firewall (WAF) rules into your deployment. Please be advised that altering the WAF settings directly is not permitted. For modifications, kindly liaise with the Glean support team.
The following features are enabled by default:
- IP reputation rule groups to block anonymous IP traffic (Tor) and also IPs from AWS’s managed IP reputation lists
- IP Green List: Only trust Glean outbound IP for control plane communication protocols
- DOS Protection: Rate limiting on selected endpoints.
- DDOS Protection: AWS included by default AWS Shield Standard
- AWS managed Core Rule Set
- AWS managed Known Bad Inputs rule set
- AWS managed SQL Injection rule set
- AWS managed Linux and Unix rule set
- Request Country Red Listing: Option to block requests originating from specified countries.
- Request Country Green Listing: Option to only permit requests from the list of countries specified (Note: US must be allowed)
- Request IP Red Listing: Option to block requests originating from specified countries.
- Request IP Green Listing: Allowing access only from designated IP ranges.
- Request user agent red listing: Option to block requests with certain header values.
- Request for only known URIs to be permitted and unknown URIs to be blocked-by-default
- Request for all sensitive support endpoints to be blocked
aws-waf-logs-glean CloudWatch Log Group. Customers can write custom automation to ship the CloudWatch logs over to their own internal tooling.
Optional features that customers can enable:
- You may enable AWS Shield Advanced for the Glean load balancers, however, please be aware of AWS’s costs for this feature.
3rd Party WAF
At this time, Glean does not support customers deploying their own WAFs or third-party WAFs. Customers should work with Glean to configure AWS WAF to their needs for the deployment. The primary reason for this is Glean supported WAF rules have been thoroughly tested to not break Glean’s functionality.Restrict Glean to a specific set of IPs
We have the ability to restrict non-webhook traffic to a specific set of IP addresses (i.e. VPN IPs). To do this, the customer would need to provide Glean with a list of properly formatted VPN CIDRs to restrict access to. Glean will then enable IP green listing and also enable the block-by-default configuration described above for the WAF. This requires that the customer configure their VPN to always send traffic destined to the*-be.glean.com ALB to go out via their VPN. In all cases, the customer must provide Glean with the proper list of VPN CIDRs and also inform Glean whenever new CIDRs are added.