Investigate AWS Web Application Firewall / bot control
Before we go live with ADRL Lite, we should have a plan in place to mitigate bot traffic. And before we invest a bunch of effort implementing Anubis or HTML zip bombs or whatever at the application level, it would be good to know what we can just pay AWS to take care of for us. Their WAF product claims to simplify a lot of worthwhile-looking web security operations and also includes a bot control feature allegedly smart enough to handle "bots that try to evade detection", by which I assume they mean things like IP hopping and user agent spoofing; I also like the idea of paying someone else to do the work of keeping up with all that.
Acceptance criteria (might need breaking down into multiple tickets):
- we have a good idea what WAF can do
- we have a good idea whether/how we can use it:
  - we understand any relevant DNS issues etc.
  - if there are any policy barriers to adoption, we have a sense of what conversations we need to have with ITS
- we have a good idea which applications we should put behind it
  - if there are any requirements those applications need to meet to make good use of it, we know what those are
- we have a sense of what it might cost
- we have a plan for configuring / deploying it in an infrastructure-as-code way that makes it:
  - easy to add/remove apps
  - easy to manage configuration
- we have a test plan
Parts of this (figuring out which applications need it, getting the applications to meet any requirements) are clearly on us, and configuration / deployment probably is too, but we should leverage ITS as much as possible on the other parts.
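As an added sketch of what the infrastructure-as-code criterion above could look like (this is illustrative Terraform written for this ticket, not anything the project or AWS has published): one regional Web ACL carrying the AWS-managed Bot Control rule group, associated with each application load balancer listed in a map, so adding or removing an app is a one-line change to the map. The variable names, the `apps` map contents and the `enforce` toggle are assumptions for the example; `AWSManagedRulesBotControlRuleSet`, the `COMMON` inspection level and the `aws_wafv2_*` resources are real provider names.

```hcl
# Map of app name -> ALB ARN. Adding/removing an app is just editing this map.
# The ARNs below are constructed placeholders, not real resources.
variable "apps" {
  type = map(string)
  default = {
    "adrl-lite" = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/adrl-lite/PLACEHOLDER"
  }
}

# Start in count-only mode (enforce = false) so the test plan can compare
# CloudWatch metrics / sampled requests against real traffic before blocking.
variable "enforce" {
  type    = bool
  default = false
}

resource "aws_wafv2_web_acl" "bot_control" {
  name  = "shared-bot-control"
  scope = "REGIONAL" # ALB/API Gateway; CloudFront distributions need CLOUDFRONT scope

  default_action {
    allow {}
  }

  rule {
    name     = "aws-bot-control"
    priority = 1

    # override_action decides whether the managed group's verdicts are applied
    # ("none") or only counted ("count"); toggled by var.enforce.
    override_action {
      dynamic "none" {
        for_each = var.enforce ? [1] : []
        content {}
      }
      dynamic "count" {
        for_each = var.enforce ? [] : [1]
        content {}
      }
    }

    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesBotControlRuleSet"

        managed_rule_group_configs {
          aws_managed_rules_bot_control_rule_set {
            inspection_level = "COMMON" # TARGETED adds the evasive-bot detections at higher cost
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-bot-control"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "shared-bot-control"
    sampled_requests_enabled   = true
  }
}

# One association per app in the map; destroying a map entry removes the association.
resource "aws_wafv2_web_acl_association" "apps" {
  for_each     = var.apps
  resource_arn = each.value
  web_acl_arn  = aws_wafv2_web_acl.bot_control.arn
}
```

Deploying with `enforce = false` first gives the test plan something concrete to measure: the rule group's CloudWatch metrics and sampled requests show what would have been blocked without affecting users, and flipping the toggle is the only change needed to go live. Cost is per Web ACL, per rule and per request, with Bot Control billed as an extra per-request charge, which is one reason to share a single ACL across apps rather than one per app.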