To interact with CloudFront distributions, you must specify the region US East (N. Virginia):
CLI - when using the CloudFront scope, specify the region US East: --scope CLOUDFRONT --region=us-east-1.
API and SDK - for all calls, use the regional endpoint us-east-1.
To interact with regional services, you should specify the region:
Taking the region Europe (Spain) as an example: --scope REGIONAL --region=eu-south-2
```bash
# Web ACLs
## Retrieve a list of web access control lists (Web ACLs) available in your AWS account
aws wafv2 list-web-acls --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve details about the specified Web ACL
aws wafv2 get-web-acl --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve a list of resources associated with a specific web access control list (Web ACL)
aws wafv2 list-resources-for-web-acl --web-acl-arn <value> # Additional permissions needed depending on the protected resource type: cognito-idp:ListResourcesForWebACL, ec2:DescribeVerifiedAccessInstanceWebAclAssociations or apprunner:ListAssociatedServicesForWebAcl
## Retrieve the Web ACL associated with the specified AWS resource
aws wafv2 get-web-acl-for-resource --resource-arn <arn> # Additional permissions needed depending on the protected resource type: cognito-idp:GetWebACLForResource, ec2:GetVerifiedAccessInstanceWebAcl, wafv2:GetWebACL or apprunner:DescribeWebAclForService

# Rule groups
## List the rule groups available in your AWS account
aws wafv2 list-rule-groups --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the details of a specific rule group
aws wafv2 get-rule-group [--name <value>] [--id <value>] [--arn <value>] [--scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>]
## Retrieve the IAM policy attached to the specified rule group
aws wafv2 get-permission-policy --resource-arn <rule-group-arn> # Only the owner of the rule group can perform this operation

# Managed rule groups (by AWS or by a third party)
## List the managed rule groups that are available
aws wafv2 list-available-managed-rule-groups --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## List the available versions of the specified managed rule group
aws wafv2 list-available-managed-rule-group-versions --vendor-name <value> --name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve high-level information about a specific managed rule group
aws wafv2 describe-managed-rule-group --vendor-name <value> --name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--version-name <value>]
## Retrieve high-level information about all managed rule groups
aws wafv2 describe-all-managed-products --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve high-level information about all managed rule groups from a specific vendor
aws wafv2 describe-managed-products-by-vendor --vendor-name <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>

# IP sets
## List the IP sets that are available in your AWS account
aws wafv2 list-ip-sets --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the specified IP set
aws wafv2 get-ip-set --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the keys that are currently being managed by a rate-based rule
aws wafv2 get-rate-based-statement-managed-keys --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> \
    --web-acl-name <value> --web-acl-id <value> --rule-name <value> [--rule-group-rule-name <value>]

# Regex pattern sets
## List all the regex pattern sets that you manage
aws wafv2 list-regex-pattern-sets --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the specified regex pattern set
aws wafv2 get-regex-pattern-set --name <value> --id <value> --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>

# API keys
## List the API keys for the specified scope
aws wafv2 list-api-keys --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1>
## Retrieve the decrypted API key
aws wafv2 get-decrypted-api-key --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> --api-key <value>

# Logs
## List the logging configurations (storage location of the logs)
aws wafv2 list-logging-configurations --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> [--log-scope <value>]
## Retrieve the logging configuration settings associated with a specific web ACL
aws wafv2 get-logging-configuration --resource-arn <value> [--log-scope <CUSTOMER | SECURITY_LAKE>] [--log-type <value>]

# Miscellaneous
## Retrieve a list of the tags associated with the specified resource
aws wafv2 list-tags-for-resource --resource-arn <value>
## Retrieve a sample of web requests that match a specified rule within a web ACL during a specified time range
aws wafv2 get-sampled-requests --web-acl-arn <value> --rule-metric-name <value> --time-window <value> --max-items <1-500> --scope <value>
## Obtain the web ACL capacity unit (WCU) requirements for a specified scope and rule set
aws wafv2 check-capacity --scope <REGIONAL --region=<value> | CLOUDFRONT --region=us-east-1> --rules <value>
## List the available releases for the AWS WAFv2 mobile SDK
aws wafv2 list-mobile-sdk-releases --platform <IOS | ANDROID>
## Retrieve information for the specified mobile SDK release
aws wafv2 get-mobile-sdk-release --platform <value> --release-version <value>
```
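The commands above return the raw web ACL definition; what an auditor (or an attacker reading the same output) actually wants to know is whether the rules enforce anything. The following Python is an added example and not part of the original page: it takes the JSON printed by `aws wafv2 get-web-acl` (the structure follows the real API shape, trimmed) and reports rules left in Count mode, a web ACL whose default action is Allow with no enforcing rule in front of it, and missing logging. The sample web ACL, its placeholder ids and the `logging_configured` flag (which you would derive from `get-logging-configuration`) are constructed for the example.

```python
"""Audit an AWS WAFv2 web ACL definition for settings that weaken it.

Added example, not code from the original page. It consumes the JSON that
`aws wafv2 get-web-acl` prints and reports rules that only Count instead of
enforce, a default action of Allow with nothing enforcing in front of it,
and missing logging. The sample web ACL below is constructed.
"""
import json

# Effective actions that actually do something to a matching request.
ENFORCING = {"Block", "Captcha", "Challenge", "GroupDefault"}


def _vis(metric: str) -> dict:
    """Minimal VisibilityConfig so the constructed sample matches the API shape."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


# Constructed sample shaped like `aws wafv2 get-web-acl` output (ids/ARNs are placeholders).
SAMPLE_GET_WEB_ACL = json.dumps({
    "WebACL": {
        "Name": "prod-web-acl",
        "Id": "00000000-0000-0000-0000-000000000000",
        "DefaultAction": {"Allow": {}},
        "Rules": [
            {   # managed rule group overridden to Count: it observes but never blocks
                "Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 0,
                "Statement": {"ManagedRuleGroupStatement": {
                    "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
                "OverrideAction": {"Count": {}},
                "VisibilityConfig": _vis("common"),
            },
            {   # ordinary rule that really blocks
                "Name": "block-bad-ips", "Priority": 1,
                "Statement": {"IPSetReferenceStatement": {"ARN": "arn:aws:wafv2:PLACEHOLDER"}},
                "Action": {"Block": {}},
                "VisibilityConfig": _vis("badips"),
            },
            {   # rate limit left in Count mode
                "Name": "rate-limit", "Priority": 2,
                "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
                "Action": {"Count": {}},
                "VisibilityConfig": _vis("ratelimit"),
            },
        ],
        "Capacity": 725,
    },
    "LockToken": "PLACEHOLDER-LOCK-TOKEN",
})

# Constructed: a web ACL with no rules at all.
EMPTY_WEB_ACL = '{"WebACL": {"Name": "empty", "DefaultAction": {"Allow": {}}, "Rules": []}}'


def effective_action(rule: dict) -> str:
    """Return what a rule actually does to a matching request.

    Rule-group references (managed or custom) carry OverrideAction: {"None": {}}
    keeps the group's own actions, {"Count": {}} downgrades all of them to Count.
    Every other rule carries a single-key Action object (Allow/Block/Count/...).
    """
    if "OverrideAction" in rule:
        return "GroupDefault" if "None" in rule["OverrideAction"] else "Count"
    return next(iter(rule["Action"]))


def audit_web_acl(raw_json: str, logging_configured: bool) -> list:
    """Return human-readable findings for one get-web-acl response."""
    acl = json.loads(raw_json)["WebACL"]
    rules = sorted(acl.get("Rules", []), key=lambda r: r["Priority"])
    findings = []
    if not rules:
        findings.append("no rules: the web ACL only applies its default action")
    for rule in rules:
        if effective_action(rule) == "Count":
            findings.append(f"rule '{rule['Name']}' is in Count mode and enforces nothing")
    default_action = next(iter(acl["DefaultAction"]))
    if default_action == "Allow" and not any(effective_action(r) in ENFORCING for r in rules):
        findings.append("default action Allow and no enforcing rule: every request is allowed")
    if not logging_configured:
        findings.append("no logging configuration: matched requests leave no log trail")
    return findings


if __name__ == "__main__":
    for finding in audit_web_acl(SAMPLE_GET_WEB_ACL, logging_configured=False):
        print("-", finding)
```

Pipe real output into it with `aws wafv2 get-web-acl ... | python3 audit.py` after swapping the constant for `sys.stdin.read()`; the `OverrideAction` handling matters because a managed rule group set to Count looks fully deployed in the console while blocking nothing.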
Post Exploitation / Bypass
From an attacker's perspective, this service can help an attacker identify WAF protections and network exposure, which may help them compromise other websites.
However, an attacker might also be interested in disrupting this service so that websites are no longer protected by the WAF.
Many delete and update operations require a lock token. This token provides concurrency control on the resource, ensuring that changes are not accidentally overwritten when multiple users or processes try to update the same resource at the same time. To obtain the token, perform the corresponding list or get operation on the specific resource.
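The lock-token requirement described above gives defenders a detection hook: any change to a web ACL, rule group, IP set or regex pattern set is preceded by a get or list call on that resource by the same principal, and a get followed within minutes by an update or delete is the exact sequence a modification needs. The following Python is an added example, not part of the original page: it runs that check over CloudTrail-style records. The event names are the real WAFv2 API operation names; the record layout is trimmed to the fields the check uses, and the log lines, principals and ARNs are constructed.

```python
"""Detect WAFv2 changes in CloudTrail, including the get-then-modify sequence.

Added example, not code from the original page. The event names are the
real WAFv2 API operation names; the CloudTrail records below are constructed
and trimmed to the fields the check uses.
"""
import json
from datetime import datetime, timedelta

# Operations that change or remove WAF protection.
WAF_TAMPERING_EVENTS = {
    "UpdateWebACL": "web ACL rules or default action changed",
    "DeleteWebACL": "web ACL deleted",
    "DisassociateWebACL": "resource is no longer protected by a web ACL",
    "DeleteLoggingConfiguration": "WAF logging disabled",
    "UpdateRuleGroup": "rule group changed",
    "DeleteRuleGroup": "rule group deleted",
    "UpdateIPSet": "IP set changed",
    "DeleteIPSet": "IP set deleted",
    "UpdateRegexPatternSet": "regex pattern set changed",
    "DeleteRegexPatternSet": "regex pattern set deleted",
}

# Read-only operations whose response carries the lock token needed for an update/delete.
LOCK_TOKEN_READS = {"GetWebACL", "ListWebACLs", "GetRuleGroup", "ListRuleGroups",
                    "GetIPSet", "ListIPSets", "GetRegexPatternSet", "ListRegexPatternSets"}


def _rec(time: str, event_name: str, principal: str, **params) -> str:
    """Build one constructed CloudTrail record in the WAFv2 event shape (trimmed)."""
    return json.dumps({
        "eventTime": time, "eventSource": "wafv2.amazonaws.com", "eventName": event_name,
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": principal},
        "requestParameters": params,
    })


ALICE = "arn:aws:iam::123456789012:user/alice"   # constructed principal
BOB = "arn:aws:iam::123456789012:user/bob"       # constructed principal

# Constructed JSON-lines sample: one get-then-update pair, two other changes, one non-WAF event.
SAMPLE_CLOUDTRAIL = "\n".join([
    _rec("2024-05-01T12:00:00Z", "GetWebACL", ALICE,
         name="prod-web-acl", scope="CLOUDFRONT", id="PLACEHOLDER-ID"),
    _rec("2024-05-01T12:01:30Z", "UpdateWebACL", ALICE,
         name="prod-web-acl", scope="CLOUDFRONT", id="PLACEHOLDER-ID", lockToken="PLACEHOLDER-LOCK-TOKEN"),
    _rec("2024-05-01T12:05:00Z", "ListWebACLs", BOB, scope="REGIONAL"),
    _rec("2024-05-01T12:10:00Z", "DisassociateWebACL", BOB,
         resourceArn="arn:aws:elasticloadbalancing:PLACEHOLDER"),
    _rec("2024-05-01T12:12:00Z", "DeleteLoggingConfiguration", ALICE,
         resourceArn="arn:aws:wafv2:PLACEHOLDER/webacl/prod-web-acl"),
    json.dumps({"eventTime": "2024-05-01T12:13:00Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeInstances", "userIdentity": {"arn": BOB},
                "requestParameters": {}}),
])


def detect_waf_tampering(raw_jsonl: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Return one alert per WAF-changing event, flagging read-then-modify sequences.

    A tampering event is marked read_then_modify when the same principal fetched
    the same resource (by name or ARN) within `window` beforehand, which is how a
    lock token is obtained before an update or delete.
    """
    events = [json.loads(line) for line in raw_jsonl.splitlines() if line.strip()]
    events = [e for e in events if e.get("eventSource") == "wafv2.amazonaws.com"]
    events.sort(key=lambda e: e["eventTime"])  # ISO-8601 strings sort chronologically
    last_read = {}   # (principal, resource) -> time of the most recent lock-token read
    alerts = []
    for e in events:
        principal = e["userIdentity"]["arn"]
        params = e.get("requestParameters") or {}
        resource = params.get("name") or params.get("resourceArn") or "?"
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        event = e["eventName"]
        if event in LOCK_TOKEN_READS:
            last_read[(principal, resource)] = when
        elif event in WAF_TAMPERING_EVENTS:
            prior = last_read.get((principal, resource))
            alerts.append({
                "time": e["eventTime"], "principal": principal, "event": event,
                "resource": resource, "why": WAF_TAMPERING_EVENTS[event],
                "read_then_modify": prior is not None and when - prior <= window,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_waf_tampering(SAMPLE_CLOUDTRAIL):
        print(alert)
```

Feed it the CloudTrail event history exported as JSON lines (or query the same fields in Athena or CloudTrail Lake) and alert on every entry; the `read_then_modify` flag separates a deliberate change from an automation role that merely lists web ACLs.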