Configure AppSec
Security configurations function as containers for other application security objects like security policies, rate policies, reputation profiles, or firewall rules. One configuration can cover your entire business, or you can have multiple security configurations, one for each of your business units, domains, or geographic regions.
What you'll do
Construct a security configuration with defined security policies and the match criteria that trigger actions, controlling how edge servers respond to various kinds of requests to your site and its content.
Create or get configuration
To set up an Akamai security configuration, create a new config and add your own security objects, import an existing config, or use our editable example.
Create new
For new configurations, use the default security configuration in our Terraform repository as a starting point and make edits or add security policies.
Get existing
To get an existing security configuration, use the configuration data source and our CLI.
- Get a list of all your security configurations. Use the `output_text` option to get back a table that provides the ID, name, version, and active network for each of your configurations.

  ```hcl
  data "akamai_appsec_configuration" "my-configurations" {}

  output "configuration-list" {
    value = data.akamai_appsec_configuration.my-configurations.output_text
  }
  ```

  Configurations
  | CONFIG_ID | NAME | LATEST_VERSION | VERSION_ACTIVE_IN_STAGING | VERSION_ACTIVE_IN_PRODUCTION |
  |---|---|---|---|---|
  | 12345 | Config 1 | 32 | 29 | 28 |
  | 23456 | Config 2 | 6 | 6 | 6 |
  | 34567 | Config 3 | 9 | 9 | 8 |
  | 45678 | Config 4 | 4 | 0 | 0 |

- Use the name of the configuration you want as the value for the `export-appsec` argument of the `akamai` CLI command.

  ```shell
  akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-appsec {"configuration-name"}
  ```

  The response is your entire application security configuration with each of your security objects separated into respective Terraform configuration files.

- Run the included import script to populate your Terraform state. This prevents Terraform from attempting to recreate your assets.
Associate your configuration with hostnames, make changes, or add additional security objects.
Build security policies
Security policies play a key role in identifying and handling website requests. If a request is flagged, the security policy associated with the flag steps in and provides a more detailed analysis on the request and applies protections like rate limiting and reputation controls to help verify the legitimacy and the safety of the request.
- A single security configuration can have multiple security policies.
- Multiple security policies give you the flexibility to get granular with your protection settings, but multiple security policies also increase the time it takes to analyze and process each request.
We recommend keeping the number of security policies to what's necessary so that your website is both efficient and responsive.
New default policy
- Pass your configuration's ID, a unique name, and a meaningful, four-character value for the policy prefix. This prefix adds contextual identification to the autogenerated number assigned to your policy.

  ```hcl
  resource "akamai_appsec_security_policy" "my-new-policy" {
    config_id              = "12345"
    security_policy_name   = "New firewall policy"
    security_policy_prefix = "waf1"
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to create the policy.
- Get and review your configuration and its settings using the configuration's name as the value for the `export-appsec` argument of the `akamai` CLI command.

  ```shell
  akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-appsec {"configuration-name"}
  ```

- If the configuration is good as is, run the included import script to populate your Terraform state. This prevents Terraform from attempting to recreate your assets. Then add hostnames.

  See Make updates if you need to make changes.
New disabled policy
- Add the `default_settings` argument with a value of `false` in the security policy resource to create a policy with all protections disabled.

  ```hcl
  resource "akamai_appsec_security_policy" "my-new-policy" {
    config_id              = "12345"
    security_policy_name   = "New firewall policy"
    security_policy_prefix = "waf1"
    default_settings       = false
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to create the policy.
- Use your configuration's name as the value for the `export-appsec` argument of the `akamai` CLI command to get your configuration.

  ```shell
  akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-appsec {configuration-name}
  ```

- Run the included import script to populate your Terraform state. This prevents Terraform from attempting to recreate your assets.
New policy from existing
- Use the `create_from_security_policy_id` argument in the security policy resource with the ID of the policy you want to clone.

  ```hcl
  resource "akamai_appsec_security_policy" "my-new-policy" {
    config_id                      = "12345"
    security_policy_name           = "New firewall policy"
    security_policy_prefix         = "waf2"
    create_from_security_policy_id = "waf1_23456"
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to add your security policy to your configuration.
- If the configuration is good as is, add hostnames. See Make updates if you need to make changes.
Make updates
You can make larger sets of updates by editing the configuration files you received from the CLI export and using a pointer to the file in its respective resource.
For smaller, isolated updates, enter your updates directly in a resource's argument.
Reactivate your configuration to apply your security policy changes on a network.
Add Rate policies
When your servers receive too many requests at one time, their resources become overwhelmed and your site can fail. Rate policies help by setting limits on the number of requests your server receives over a given time interval.
Configure your rate policies to trigger as needed. To see a complete list of options and their settings, see Rate policies.
Update an existing policy
- Locate the security directory in the configuration modules you received from the CLI export.
- Open the rate policy configuration file, make and save your changes, and then upload them to your configuration using the rate policy resource with a pointer to the file.

  ```hcl
  resource "akamai_appsec_rate_policy" "my-rate-policy" {
    config_id   = "12345"
    rate_policy = file("${path.module}/rate_policy.tf")
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to apply your rate policy to your security policy.
- Reactivate your configuration to apply your rate policy changes on a network.
New policy
Tip
Have a look at our example if you need help or you're not sure where to start.
- Specify rate policy properties and property values in a JSON file.
- Use the rate policy resource to create a new policy based on those values.

  ```hcl
  resource "akamai_appsec_rate_policy" "my-new-rate-policy" {
    config_id   = "12345"
    rate_policy = file("${path.module}/rate_policy.json")
  }
  ```

- Assign actions to your policy for both IPv4 and IPv6. Without these, your rate policy will fail.

  ```hcl
  resource "akamai_appsec_rate_policy_action" "my-policy-action" {
    config_id          = "12345"
    security_policy_id = "waf1_23456"
    rate_policy_id     = "54321"
    ipv4_action        = "deny"
    ipv6_action        = "deny"
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to apply your rate policy to your security policy.
Your rate policies and their actions are now set. Continue to add other security objects or hostnames to your configuration and then activate or reactivate your configuration to apply your rate policy changes on a network.
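The steps above hard-code the policy and rate policy IDs, so the mandatory IPv4/IPv6 action block is easy to forget or to point at the wrong policy. This added example (not from the Akamai docs) wires the same three resources together with Terraform references so the action is created from the rate policy's own exported `rate_policy_id` and cannot be applied half-configured. It assumes `./rate_policy.json` holds properties written for the Rate policies reference, and that the action values `alert`, `deny`, and `none` are the ones your account accepts.

```hcl
# Added example: rate policy plus actions chained by references, not literal IDs.
locals {
  config_id = "12345" # constructed sample value
}

# The security policy the rate limit attaches to (same as created earlier on this page).
resource "akamai_appsec_security_policy" "my-new-policy" {
  config_id              = local.config_id
  security_policy_name   = "New firewall policy"
  security_policy_prefix = "waf1"
}

# Rate policy properties live in a JSON file written for the Rate policies reference
# (assumed file; thresholds, path matches and client identifier are defined there).
resource "akamai_appsec_rate_policy" "login-rate-limit" {
  config_id   = local.config_id
  rate_policy = file("${path.module}/rate_policy.json")
}

# Both IPv4 and IPv6 actions are required. Referencing the exported rate_policy_id
# orders creation after the rate policy and destroys the action with it, so the
# rate policy never exists on the edge without an action attached.
resource "akamai_appsec_rate_policy_action" "login-rate-limit" {
  config_id          = local.config_id
  security_policy_id = akamai_appsec_security_policy.my-new-policy.security_policy_id
  rate_policy_id     = akamai_appsec_rate_policy.login-rate-limit.rate_policy_id
  ipv4_action        = var.rate_action
  ipv6_action        = var.rate_action # keep v4 and v6 identical to avoid a bypass path
}

# Start in alert on staging while thresholds are tuned, then switch to deny.
variable "rate_action" {
  description = "Action for the login rate limit: alert, deny, or none."
  type        = string
  default     = "alert"

  validation {
    condition     = contains(["alert", "deny", "none"], var.rate_action)
    error_message = "rate_action must be one of alert, deny, none."
  }
}
```

Run `terraform apply -var rate_action=deny` once the staging alerts show the thresholds only catch abusive clients.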
New from existing
- Locate the security directory in the configuration modules you received from the CLI export.
- If the rate policy and its actions work as is, add these to a configuration. See Update an existing policy if you need to make changes.

  ```hcl
  resource "akamai_appsec_rate_policy" "my-new-rate-policy" {
    config_id   = "12345"
    rate_policy = file("${path.module}/rate_policy.tf")
  }

  resource "akamai_appsec_rate_policy_action" "my-policy-action" {
    config_id          = "12345"
    security_policy_id = "waf1_23456"
    rate_policy_id     = "54321"
    ipv4_action        = "deny"
    ipv6_action        = "deny"
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to apply your rate policy to your security policy.
Your rate policies and their actions are now set. Continue to add other security objects or hostnames to your configuration and then activate or reactivate your configuration to apply your rate policy changes on a network.
Set up match targets
Match targets determine which security policy should apply to an API, hostname, or path based on the conditions you set.
To see a complete list of options and their settings, see Match targets.
Update existing match targets
- Locate the security directory in the configuration modules you received from the CLI export.
- Open the match targets configuration file, make and save your changes, and then upload them to your configuration using the match target resource with a pointer to the file.

  ```hcl
  resource "akamai_appsec_match_target" "my-match-targets" {
    config_id    = "12345"
    match_target = file("${path.module}/match_targets.tf")
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to apply your match targets to your security policy.
- Reactivate your configuration to apply your match target changes on a network.
New match targets
Tip
Have a look at our example if you need help or you're not sure where to start.
- Specify match target properties and property values in a JSON file.
- Use the match target resource to add them based on those values.

  ```hcl
  resource "akamai_appsec_match_target" "my-match-targets" {
    config_id    = "12345"
    match_target = file("${path.module}/match_targets.json")
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to apply your match targets to your security policy.
Your match targets are now set. Activate or reactivate your configuration to apply your match targets on a network.
New from existing
- Locate the security directory in the configuration modules you received from the CLI export.
- If these match targets work as is, add them to a configuration. If you need to make changes, see Update existing match targets.

  ```hcl
  resource "akamai_appsec_match_target" "my-match-targets" {
    config_id    = "12345"
    match_target = file("${path.module}/match_targets.tf")
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to apply your match targets to your security policy.
Your match targets are now set. If needed, add hostnames to your configuration. Otherwise, activate or reactivate your configuration to apply your match target changes on a network.
Define firewall rules
We've sunset Kona Site Defender, Advanced Attack Groups, and Kona Site Rules. Firewall rules are now managed by our Adaptive Security Engine.
- A reactivation of your security policy will automatically upgrade you to our new Adaptive Security Engine.
- If you were using Kona Site Rules, you still have the opportunity to review those individually on upgrade.
Our firewall protection rules are a collection of common vulnerability and exposure rules to help protect your website from specific attacks. Each rule is designed to look for a specific exploit and take action whenever the rule is triggered. We predefine the rule actions, but you can update them based on your business needs.
Rule action | Description |
---|---|
alert | Record information about the request. |
deny | Block a request. |
denycustom{custom-deny-id} | Blocks a request based on your custom specifications. |
none | No action taken for a request. |
Get rules
To get all of your firewall rules, pass your config and security policy IDs in the rules data source. To get details for a specific rule, add the `rule_id` argument with a rule's ID as the value.

```hcl
data "akamai_appsec_rules" "my-rules" {
  config_id          = "12345"
  security_policy_id = "waf1_23456"
}

output "rules-and-actions" {
  value = data.akamai_appsec_rules.my-rules.rule_action
}
```

```text
+------------------------------------------------------------------+
|                   ASERulesWithConditionExceptionDS               |
+---------+--------+------------+------------+---------------------+
| ID      | ACTION | CONDITIONS | EXCEPTIONS | ADVANCED EXCEPTIONS |
+---------+--------+------------+------------+---------------------+
| 950002  | alert  | False      | False      | False               |
| 950006  | alert  | False      | False      | False               |
| 950007  | alert  | False      | False      | False               |
| 950011  | alert  | False      | False      | False               |
...
```

With `rule_id` added to the data source request with a value of 950002, the output is limited to that rule:

```text
+-----------------------------------------------------------------+
|                   ASERulesWithConditionExceptionDS              |
+--------+--------+------------+------------+---------------------+
| ID     | ACTION | CONDITIONS | EXCEPTIONS | ADVANCED EXCEPTIONS |
+--------+--------+------------+------------+---------------------+
| 950002 | alert  | False      | False      | False               |
+--------+--------+------------+------------+---------------------+
```
Update rules
To change the action assigned to a single firewall rule, use the rule's ID in the rule resource together with the new action. Add the `condition_exception` argument and pass a JSON file with any exceptions.

```hcl
resource "akamai_appsec_rule" "rules" {
  config_id           = "12345"
  security_policy_id  = "waf1_23456"
  rule_id             = "987654"
  rule_action         = "deny"
  condition_exception = file("${path.module}/condition_exception.json")
}
```
Rule groups let you update the rule action for a group of rules that work toward the same type of protection. When updating a rule group, pass the group name and the action you need in the attack group resource.
Attack group | Protections against | Argument value |
---|---|---|
Command Injection | The execution of arbitrary commands on your host OS. | CMDI |
Cross Site Scripting | The injection of malicious scripts into your site. | XSS |
Remote File Inclusion | Malicious external files later run on your site. | RFI |
SQL Injection | Malicious SQL code that manipulates your database(s) and accesses and/or exposes your private information. | SQL |
Total Outbound | The gathering, collection, and theft of information through querying and passive observation. | OUT |
Web Attack Tool | DoS/DDoS, DNS server hijacking, DNS amplification, directory traversal, Man-in-the-Middle (MITM)/sniffing, and phishing among other similar compromises. | TOOL |
Web Platform Attack | Attacks against your platforms not categorized in other attack groups. | PLATFORM |
Web Policy Violation | Violations of your acceptable use policy. | |
Web Protocol Attack | Exploitation of any weaknesses in web protocol by which a client and server are communicating to perform unexpected actions. | PROTOCOL |
```hcl
resource "akamai_appsec_attack_group" "my-attack-group" {
  config_id           = "12345"
  security_policy_id  = "waf1_23456"
  attack_group        = "SQL"
  attack_group_action = "deny"
}
```

Run `terraform validate` to verify your syntax when you're done making your updates, and then run `terraform apply` to apply your rule changes to your security policy.
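Managing one attack group per resource block gets unwieldy and makes it hard to see at a glance which protections deny and which only alert. This added example (not the Akamai docs' own code) drives the attack group resource from a single map using the argument values in the table above, and shows a single rule tuned independently of its group. The config and policy IDs are the constructed sample values used throughout this page.

```hcl
# Added example: one map declares the action for every attack group you manage.
locals {
  config_id          = "12345"      # constructed sample value
  security_policy_id = "waf1_23456" # constructed sample value

  # Desired action per attack group (argument values from the table above).
  # Groups omitted here keep Akamai's predefined action.
  attack_group_actions = {
    SQL      = "deny"
    CMDI     = "deny"
    XSS      = "deny"
    RFI      = "deny"
    OUT      = "alert"
    TOOL     = "alert"
    PLATFORM = "alert"
    PROTOCOL = "alert"
  }
}

resource "akamai_appsec_attack_group" "groups" {
  for_each = local.attack_group_actions

  config_id           = local.config_id
  security_policy_id  = local.security_policy_id
  attack_group        = each.key
  attack_group_action = each.value
}

# A single rule can still be tuned on its own, for example to leave one noisy
# rule in alert while its group denies. 950002 is the rule ID from the data
# source output above.
resource "akamai_appsec_rule" "tuned" {
  config_id          = local.config_id
  security_policy_id = local.security_policy_id
  rule_id            = "950002"
  rule_action        = "alert"
}

# Quick review of the effective group actions after apply.
output "attack_group_actions" {
  value = { for name, group in akamai_appsec_attack_group.groups : name => group.attack_group_action }
}
```

Changing a value in the map and running `terraform plan` shows exactly which group's action will change before it reaches the edge.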
Add hostnames
Security configurations only protect the hosts you call out. This allows you to fine-tune the protection types and levels for your websites by configuring different sets of protections for different hosts.
Create a security configuration for each set of protections you want to apply and respectively add available, or contracted, hostnames.
- Get a list of your available hosts.

  ```hcl
  data "akamai_appsec_selectable_hostnames" "my-available-hosts" {
    contract_id = "C-0N7RAC7"
    group_id    = "12345"
  }

  output "my-available-hosts" {
    value = data.akamai_appsec_selectable_hostnames.my-available-hosts
  }
  ```

- Add hosts to your configuration. You can specify each host individually in a comma-separated JSON array or use wildcard characters.
  - There can be only one configuration per host.
  - If you get an access to host error, the host is out of contract.

  ```hcl
  resource "akamai_appsec_selected_hostnames" "my-selected-hosts" {
    config_id = "12345"
    hostnames = ["host1.example.com", "host2.example.com", "host3.example.com", "host4.example.com"]
    mode      = "APPEND"
  }
  ```

  ```hcl
  resource "akamai_appsec_selected_hostnames" "my-selected-hosts" {
    config_id = "12345"
    hostnames = ["*.example.com"]
    mode      = "APPEND"
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to add hostnames to your configuration.
With hostnames added, your configuration is ready to activate or reactivate.
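The "access to host" error above only surfaces at apply time. This added example (not from the Akamai docs) turns the selectable-hostnames lookup into a plan-time check, so a hostname that is out of contract fails `terraform plan` before anything is sent to Akamai. It assumes the data source exports the selectable names as a list attribute named `hostnames` (check the data source reference if your provider version differs), uses constructed sample host and contract values, and needs Terraform 1.2 or later for `precondition`.

```hcl
# Added example: refuse to plan a hostname that your contract cannot protect.
locals {
  config_id = "12345" # constructed sample value

  # Explicit hostnames to protect (constructed sample values).
  protected_hosts = ["host1.example.com", "host2.example.com"]
}

# Hostnames your contract allows you to select (assumed "hostnames" attribute).
data "akamai_appsec_selectable_hostnames" "available" {
  contract_id = "C-0N7RAC7"
  group_id    = "12345"
}

resource "akamai_appsec_selected_hostnames" "protected" {
  config_id = local.config_id
  hostnames = local.protected_hosts
  mode      = "APPEND" # APPEND adds to the existing set; REPLACE would drop hosts not listed here

  lifecycle {
    # Every explicit name must appear in the selectable list. Wildcard entries
    # such as *.example.com are not covered by this check because the data
    # source returns concrete names; list them in a separate resource.
    precondition {
      condition = alltrue([
        for h in local.protected_hosts :
        contains(data.akamai_appsec_selectable_hostnames.available.hostnames, h)
      ])
      error_message = "One or more hostnames in protected_hosts are not selectable under contract C-0N7RAC7 (out of contract or already assigned to another configuration)."
    }
  }
}

# Surface the names that would be rejected, so the fix is obvious from plan output.
output "unselectable_hosts" {
  value = [
    for h in local.protected_hosts : h
    if !contains(data.akamai_appsec_selectable_hostnames.available.hostnames, h)
  ]
}
```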
Activate configuration
You must activate any new configuration or reactivate a configuration to which you've made updates to apply your changes to a network.
- Provide your security configuration's ID, a network designation, version, and note in the activation resource. Use the `note` argument to let someone other than you know why a configuration was made or what changes were made during versioning.

  ```hcl
  resource "akamai_appsec_activations" "my-activation" {
    config_id           = "12345"
    network             = "STAGING"
    note                = "This configuration was activated for testing purposes only."
    notification_emails = ["jsmith@example.com"]
    version             = "latest"
  }
  ```

- Run `terraform validate` to verify your syntax and then run `terraform apply` to activate your security configuration on the staging or production network.
Your security configuration is ready to analyze and respond to user requests.