eli-537 enabling WAF blocks

Author: eddalmond1

infrastructure/stacks/api-layer/waf.tf

@@ -1,6 +1,5 @@
 # WAF Web ACL for API Gateway
 # Only deployed in production environment for cost optimization
-# Initially all rules are in COUNT mode to monitor traffic patterns
 
 resource "aws_wafv2_web_acl" "api_gateway" {
   count       = local.waf_enabled ? 1 : 0
@@ -19,7 +18,7 @@ resource "aws_wafv2_web_acl" "api_gateway" {
     priority = 10
 
     override_action {
-      count {} # Start in count mode - change to none {} when ready to block
+      none {}
     }
 
     statement {
@@ -43,13 +42,21 @@ resource "aws_wafv2_web_acl" "api_gateway" {
     priority = 20
 
     override_action {
-      count {} # Start in count mode - change to none {} when ready to block
+      none {}
     }
 
     statement {
       managed_rule_group_statement {
         vendor_name = "AWS"
         name        = "AWSManagedRulesCommonRuleSet"
+
+        # Override NoUserAgent_Header to count only - APIM health checks send no User-Agent
+        rule_action_override {
+          name = "NoUserAgent_Header"
+          action_to_use {
+            count {}
+          }
+        }
       }
     }
 
@@ -93,7 +100,7 @@ resource "aws_wafv2_web_acl" "api_gateway" {
     priority = 40
 
     action {
-      count {} # Start in count mode - change to block {} when ready
+      block {}
     }
 
     statement {
@@ -110,15 +117,15 @@ resource "aws_wafv2_web_acl" "api_gateway" {
     }
   }
 
-  # Rule 5: Geographic Monitoring Rule - Monitor non-UK traffic (COUNT only)
-  # NHS-specific requirement: initially monitor requests originating from outside GB
-  # This rule COUNTS any request whose geo country code is not GB (does not block)
+  # Rule 5: Geographic Block Rule - Block non-UK traffic
+  # NHS-specific requirement: block requests originating from outside GB
+  # Defence-in-depth against stolen mTLS certificates being used from outside the UK
   rule {
-    name     = "MonitorNonUK"
+    name     = "BlockNonUK"
     priority = 50
 
     action {
-      count {}
+      block {}
     }
 
     statement {
@@ -133,7 +140,7 @@ resource "aws_wafv2_web_acl" "api_gateway" {
 
     visibility_config {
       cloudwatch_metrics_enabled = true
-      metric_name                = "MonitorNonUK"
+      metric_name                = "BlockNonUK"
       sampled_requests_enabled   = true
     }
   }

infrastructure/stacks/api-layer/waf_alarms.tf

@@ -129,14 +129,14 @@ resource "aws_cloudwatch_metric_alarm" "waf_rate_limit_blocks" {
   )
 }
 
-# Alarm for non-UK rate limit violations
+# Alarm for blocked non-UK requests
 resource "aws_cloudwatch_metric_alarm" "waf_non_uk_counted" {
   count               = local.waf_enabled ? 1 : 0
-  alarm_name          = "WAF-NonUK-CountedRequests-${local.workspace}"
-  alarm_description   = "Alerts when non-UK requests are observed (COUNT mode) by geo rule"
+  alarm_name          = "WAF-NonUK-BlockedRequests-${local.workspace}"
+  alarm_description   = "Alerts when non-UK requests are blocked by geo rule - may indicate stolen mTLS cert use from outside UK"
   comparison_operator = "GreaterThanThreshold"
   evaluation_periods  = 2
-  metric_name         = "CountedRequests"
+  metric_name         = "BlockedRequests"
   namespace           = "AWS/WAFV2"
   period              = 300
   statistic           = "Sum"
@@ -145,7 +145,7 @@ resource "aws_cloudwatch_metric_alarm" "waf_non_uk_counted" {
 
   dimensions = {
     Region = var.default_aws_region
-    Rule   = "MonitorNonUK"
+    Rule   = "BlockNonUK"
     WebACL = aws_wafv2_web_acl.api_gateway[0].name
   }
 
@@ -154,8 +154,8 @@ resource "aws_cloudwatch_metric_alarm" "waf_non_uk_counted" {
   tags = merge(
     local.tags,
     {
-      Name        = "WAF-NonUK-CountedRequests"
-      Severity    = "medium"
+      Name        = "WAF-NonUK-BlockedRequests"
+      Severity    = "high"
       Environment = var.environment
     }
   )
@@ -192,19 +192,21 @@ resource "aws_cloudwatch_metric_alarm" "waf_all_requests_high" {
   )
 }
 
-# Alarm for monitoring counted requests (during initial count mode)
-# This helps identify if rules would block legitimate traffic
+# Alarm for counted requests (NoUserAgent_Header override)
+# The CRS NoUserAgent_Header sub-rule is kept in COUNT to allow the API proxy healthcheck.
+# This alarm alerts if count spikes unexpectedly, which could indicate rule misconfiguration
+# or unexpected traffic patterns hitting that override.
 resource "aws_cloudwatch_metric_alarm" "waf_counted_requests_monitoring" {
   count               = local.waf_enabled ? 1 : 0
   alarm_name          = "WAF-CountedRequests-Monitoring-${local.workspace}"
-  alarm_description   = "Monitors requests that would be blocked if rules were active (COUNT mode)"
+  alarm_description   = "Monitors counted requests - expected to be low volume (healthcheck NoUserAgent_Header override only)"
   comparison_operator = "GreaterThanThreshold"
   evaluation_periods  = 1
   metric_name         = "CountedRequests"
   namespace           = "AWS/WAFV2"
   period              = 300
   statistic           = "Sum"
-  threshold           = 100 # Alert if many requests would be blocked
+  threshold           = 100 # Alert if count spikes beyond normal healthcheck frequency
   treat_missing_data  = "notBreaching"
 
   dimensions = {
@@ -220,7 +222,7 @@ resource "aws_cloudwatch_metric_alarm" "waf_counted_requests_monitoring" {
       Name        = "WAF-CountedRequests-Monitoring"
       Severity    = "low"
       Environment = var.environment
-      Purpose     = "Initial monitoring during COUNT mode phase"
+      Purpose     = "Monitor NoUserAgent_Header count override for healthcheck proxy"
     }
   )
 }