Configure AppSec

Security configurations function as containers for other application security objects like security policies, rate policies, reputation profiles, or firewall rules. These can cover your entire business or you can have multiple security configurations for your each of business units, domains, and geographic units.

What you'll do

Construct a security configuration defined security policies and the match criteria that trigger action to control how edge servers respond to various kinds of requests to your site and its content.

Create or get configuration

To set up an Akamai security configuration, create a new config and add your own security objects, import an existing config, or use our editable example.

Create new

For new configurations, use the default security configuration in our Terraform repository as a starting point and make edits or add security policies.

Get existing

To get an existing security configuration, use the configuration data source and our CLI.

  1. Get a list of all your security configurations. Use the output_text option to get back a table that provides the ID, name, version, and active network for each of your configurations.

    data "akamai_appsec_configuration" "my-configurations" {
    }
    
    output "configuration-list" {
      value = data.akamai_appsec_configuration.my-configurations.output_text
    }
    
    Configurations 
    | CONFIG_ID | NAME | LATEST_VERSION | VERSION_ACTIVE_IN_STAGING |VERSION_ACTIVE_IN_PRODUCTION |
    +-----------+-----------+-----------+-----------+-----------+
    | 12345     | Config 1  | 32        | 29        | 28        |
    | 23456     | Config 2  | 6         | 6         | 6         |
    | 34567     | Config 3  | 9         | 9         | 8         |
    | 45678     | Config 4  | 4         | 0         | 0         |
    
  2. Use the name of the configuration you want as the value for the export-appsec argument of the akamai CLI command.

    akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-appsec {"configuration-name"}
    

    The response is your entire application security configuration with each of your security objects separated into respective Terraform configuration files.

Associate your configuration with hostnames, make changes, or add additional security objects.

Build security policies

Security policies play a key role in identifying and handling website requests. If a request is flagged, the security policy associated with the flag steps in and provides a more detailed analysis on the request and applies protections like rate limiting and reputation controls to help verify the legitimacy and the safety of the request.

  • A single security configuration can have multiple security policies.
  • Multiple security policies give you the flexibility to get granular with your protection settings, but multiple security policies also increase the time it takes to analyze and process each request.

We recommend keeping the number of security policies to what's necessary so that your website is both efficient and responsive.

New default policy

  1. Pass your configuration's ID, a unique name, and a meaningful, four character value for the policy prefix. This prefix adds contextual identification to the autogenerated number assigned to your policy.

    resource "akamai_appsec_security_policy" "my-new-policy" {
      config_id              = "12345"
      security_policy_name   = "New firewall policy"
      security_policy_prefix = "waf1"
    }
    
  2. Run terraform validate to verify your syntax and then run terraform apply to create the policy.

  3. Get and review your configuration and its settings using the configuration's name as the value for the export-appsec argument of the akamai CLI command.

    akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-appsec {"configuration-name"}
    
  4. If the configuration is good as is, add hostnames. See Make updates if you need to make changes.

New disabled policy

  1. Add in the default_settings argument with a value of false in the security policy resource to create a policy with all protections disabled.

    resource "akamai_appsec_security_policy" "my-new-policy" {
      config_id              = "12345"
      security_policy_name   = "New firewall policy"
      security_policy_prefix = "waf1"
      default_settings       = false
    }
    
  2. Run terraform validate to verify your syntax and then run terraform apply to create the policy.

  3. Use your configuration's name as the value for the export-appsec argument of the akamai CLI command to get your configuration.

    akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-appsec {configuration-name}
    
  4. Make updates.

New policy from existing

  1. Use the create_from_security_policy_id argument in the security policy resource with the ID of the policy you want to clone.

    resource "akamai_appsec_security_policy" "my-new-policy" {
      config_id                      = "12345"
      security_policy_name           = "New firewall policy"
      security_policy_prefix         = "waf2"
      create_from_security_policy_id = "waf1_23456"
    }
    
  2. Run terraform validate to verify your syntax and then run terraform apply to add your security policy to your configuration.

  3. If the configuration is good as is, add hostnames. See Make updates if you need to make changes.

Make updates

You can make larger sets of updates by editing the configuration files you received from the CLI export and using a pointer to the file in its respective resource.

For smaller, isolated updates, enter your updates directly in a resource's argument.

Reactivate your configuration to apply your security policy changes on a network.

Add Rate policies

When your servers receive too many requests at one time, their resources become overwhelmed and your site can fail. Rate policies help by setting limits on the number of requests your server receives over a given time interval.

Configure your rate policies to trigger as needed. To see a complete list of options and their settings, see Rate policies.

Update an existing policy

  1. Locate the security directory in the configuration modules you received from the CLI export.

  2. Open the rate policy configuration file, make save your changes, and then upload them to your configuration using the rate policy resource with a pointer to the file.

    resource "akamai_appsec_rate_policy" "my-rate-policy" {
      config_id   = "12345"
      rate_policy = file("${path.module}/rate_policy.tf")
    }
    
  3. Run terraform validate to verify your syntax and then run terraform apply to apply your rate policy to your security policy.

  4. Reactivate your configuration to apply your rate policy changes on a network.

New policy

ūüĎć

Tip

Have a look at our example if you need help or you're not sure where to start.

  1. Specify rate policy properties and property values in a JSON file.

  2. Use the rate policy resource to create a new policy based on those values.

    resource "akamai_appsec_rate_policy" "my-new-rate-policy" {
      config_id   = "12345"
      rate_policy = file("${path.module}/rate_policy.json")
    }
    
  3. Assign actions to your policy for both IPv4 and IPv6. Without these, your rate policy will fail.

    resource "akamai_appsec_rate_policy_action" "my-policy-action" {
      config_id          = "12345"
      security_policy_id = "waf1_23456"
      rate_policy_id     = "54321"
      ipv4_action        = "deny"
      ipv6_action        = "deny"
    }
    
  4. Run terraform validate to verify your syntax and then run terraform apply to apply your rate policy to your security policy.

Your rate policies and their actions are now set. Continue to add other security objects or hostnames to your configuration and then activate or reactivate your configuration to apply your rate policy changes on a network.

New from existing

  1. Locate the security directory in the configuration modules you received from the CLI export.

  2. If the rate policy and its actions work as is, add these to a configuration. See Update an existing policy if you need to make changes.

    resource "akamai_appsec_rate_policy" "my-new-rate-policy" {
      config_id   = "12345"
      rate_policy = file("${path.module}/rate_policy.tf")
    }
    
    resource "akamai_appsec_rate_policy_action" "my-policy-action" {
      config_id          = "12345"
      security_policy_id = "waf1_23456"
      rate_policy_id     = "54321"
      ipv4_action        = "deny"
      ipv6_action        = "deny"
    }
    
  3. Run terraform validate to verify your syntax and then run terraform apply to apply your rate policy to your security policy.

Your rate policies and their actions are now set. Continue to add other security objects or hostnames to your configuration and then activate or reactivate your configuration to apply your rate policy changes on a network.

Set up match targets

Match targets determine which security policy should apply to an API, hostname, or path based on the conditions you set.

To see a complete list of options and their settings, see Match targets.

Update existing match targets

  1. Locate the security directory in the configuration modules you received from the CLI export.

  2. Open the match targets configuration file, make save your changes, and then upload them to your configuration using the match target resource with a pointer to the file.

    resource "akamai_appsec_match_target" "my-match-targets" {
      config_id    = "12345"
      match_target = file("${path.module}/match_targets.tf")
    }
    
  3. Run terraform validate to verify your syntax and then run terraform apply to apply your match targets to your security policy.

  4. Reactivate your configuration to apply your match target changes on a network.

New match targets

ūüĎć

Tip

Have a look at our example if you need help or you're not sure where to start.

  1. Specify match targets properties and property values in a JSON file.

  2. Use the match target resource to add them based on those values.

    resource "akamai_appsec_match_target" "my-match-targets" {
      config_id    = "12345"
      match_target = file("${path.module}/match_targets.tf")
    }
    
  3. Run terraform validate to verify your syntax and then run terraform apply to apply your match targets to your security policy.

Your match targets are now set. Activate or reactivate your configuration to apply your match targets on a network.

New from existing

  1. Locate the security directory in the configuration modules you received from the CLI export.

  2. If these match targets work as is, add them to a configuration. If you need to make changes, see Update existing match targets.

    resource "akamai_appsec_match_target" "my-match-targets" {
      config_id    = "12345"
      match_target = file("${path.module}/match_targets.tf")
    }
    
  3. Run terraform validate to verify your syntax and then run terraform apply to apply your match targets to your security policy.

Your match targets are now set. If needed, add hostnames to your configuration. Otherwise, activate or reactivate your configuration to apply your match target changes on a network.

Define firewall rules

ūüďė

We've sunset Kona Site Defender, Advanced Attack Groups, and Kona Site Rules. Firewall rules are now managed by our Adaptive Security Engine.

  • A reactivation of your security policy will automatically upgrade you to our new Adaptive Security Engine.
  • If you were using Kona Site Rules, you still have the opportunity to review those individually on upgrade.

Our firewall protection rules are a collection of common vulnerability and exposure rules to help protect your website from specific attacks. Each of the rules in is designed to look for a specific exploit and take action anytime the rule is triggered. We predefine the rule actions, but you can update them based on your business needs.

Rule actionDescription
alertRecord information about the request.
denyBlock a request.
denycustom{custom-deny-id}Blocks a request based on your custom specifications.
noneNo action taken for a request.

Get rules

To get all of your firewall rules, pass your config and security policy IDs in the rules data source. To get details for a specific rule, add in the rule_id argument with a rule's ID as the value.

data "akamai_appsec_rules" "my-rules" {
  config_id          = "12345"
  security_policy_id = "waf1_23456"
}
output "rules-and-actions" {
  value = data.akamai_appsec_rules.my-rules.rule_action
}
+------------------------------------------------------------------+
| ASERulesWithConditionExceptionDS                                 |
+---------+--------+------------+------------+---------------------+
| ID      | ACTION | CONDITIONS | EXCEPTIONS | ADVANCED EXCEPTIONS |
+---------+--------+------------+------------+---------------------+
| 950002  | alert  | False      | False      | False               |
| 950006  | alert  | False      | False      | False               |
| 950007  | alert  | False      | False      | False               |
| 950011  | alert  | False      | False      | False               |
...
// rule_id was added with a value of 950002 in the data source request
+-----------------------------------------------------------------+
| ASERulesWithConditionExceptionDS                                |
+--------+--------+------------+------------+---------------------+
| ID     | ACTION | CONDITIONS | EXCEPTIONS | ADVANCED EXCEPTIONS |
+--------+--------+------------+------------+---------------------+
| 950002 | alert  | False      | False      | False               |
+--------+--------+------------+------------+---------------------+

Update rules

To change the action assigned to a single firewall rule use a rule's ID in the rule resource with the change to the action. Add in the condition_exceptions argument and pass a JSON file with any exceptions.

resource "akamai_appsec_rule" "rules" {
  config_id           = "12345"
  security_policy_id  = "waf1_23456"
  rule_id             = "987654"
  rule_action         = "deny"
  condition_exception = file("${path.module}/condition_exception.json")
}

Rule groups let you update the rule action for a group of rules that work toward the same type of protection. When updating a rule group, pass the group name and the action you need in the attack group resource.

Attack groupProtections againstArgument value
Command InjectionThe execution of arbitrary commands on your host OS.CMDI
Cross Site ScriptingThe injection of malicious scripts into your site.XXS
Remote File InclusionMalicious external files later run on your site.RFI
SQL InjectionMalicious SQL code that manipulates your database(s) and accesses and/or exposes your private information.SQL
Total OutboundThe gathering, collection, and theft of information through querying and passive observation.OUT
Web Attack ToolDoS/DDoS, DNS server hijacking, DNS amplification, directory traversal, Man-in-the-Middle (MITM)/sniffing, and phishing among other similar compromises.TOOL
Web Platform AttackAttacks against your platforms not categorized in other attack groups.PLATFORM
Web Policy ViolationViolations of your acceptable use policy.
Web Protocol AttackExploitation of any weaknesses in web protocol by which a client and server are communicating to perform unexpected actions.PROTOCOL
resource "akamai_appsec_attack_group" "my-attack-group" {
  config_id           = "12345"
  security_policy_id  = "waf1_23456"
  attack_group        = "SQL"
  attack_group_action = "deny"
}

Run terraform validate to verify your syntax when you'e done making your updates, and then run terraform apply to apply your rule changes to your security policy.

Add hostnames

Security configurations only protect the hosts you call out. This allows you to fine-tune the protection types and levels for your websites by configuring different sets of protections for different hosts.

Create a security configuration for each set of protections you want to apply and respectively add available, or contracted, hostnames.

  1. Get a list of your available hosts.

    data "akamai_appsec_selectable_hostnames" "my-available-hosts" {
      contract_id = "C-0N7RAC7"
      group_id    = "12345"
    }
    
    output "my-available-hosts" {
      value = data.akamai_appsec_selectable_hostnames.my-available-hosts
    }
    
  2. Add hosts to your configuration. You can specify each host individually in a comma-separated JSON array or use wildcard characters.

    ūüöß

    • There can be only one configuration per host.
    • If you get an access to host error, the host is out of contract.
    resource "akamai_appsec_selected_hostnames" "my-selected-hosts" {
      config_id = "12345"
      hostnames = ["host1.example.com", "host2.example.com", "host3.example.com", "host4.example.com"]
      mode      = "APPEND"
    }
    
    resource "akamai_appsec_selected_hostnames" "my-selected-hosts" {
      config_id = "12345"
      hostnames = ["*.example.com"]
      mode      = "APPEND"
    }
    
  3. Run terraform validate to verify your syntax and then run terraform apply to add hostnames to your configuration.

With hostnames added, your configuration is ready to activate or reactivate.

Activate configuration

You must activate any new configuration or reactivate a configuration to which you've made updates to apply your changes to a network.

  1. Provide your security configuration's ID, a network designation, version, and note in the activation resource. Use the note argument to let someone other than you know why a configuration was made or what changes were made during versioning.

    resource "akamai_appsec_activations" "my-activation" {
      config_id           = "12345"
      network             = "STAGING"
      note                = "This configuration was activated for testing purposes only."
      notification_emails = ["jsmith@example.com"]
      version             = "latest"
    }
    
  2. Run terraform validate to verify your syntax and then run terraform apply to activate your security configuration on the staging or production network.

Your security configuration is ready to analyze and respond to user requests.