
Managing Cross-Account Private Origins in AWS WAF Classic to WAF v2 Migration

A detailed guide for securing resources across multiple AWS accounts during WAF migration, covering IAM roles, cross-account associations, and centralized monitoring with practical code examples.

Anonymous User
Amazon Employee
Published May 15, 2025

Introduction

When migrating from AWS WAF Classic to WAF v2, organizations with multi-account architectures face unique challenges. Protecting resources across different AWS accounts requires careful planning and execution to maintain security posture throughout the migration process. This article dives deep into the specific steps and considerations for handling private origins across AWS accounts during your WAF migration journey.

Understanding Cross-Account WAF Architecture

In a multi-account AWS environment, you typically have:
  • Security Account: Houses your WAF configurations and centralized security controls
  • Application Accounts: Contain your private origins (ALBs, API Gateways, CloudFront distributions)
This separation follows AWS best practices for security but adds complexity when migrating WAF configurations. Let's explore how to navigate this successfully.

Preparing for Cross-Account Migration

Step 1: Inventory Cross-Account Resources

Begin by documenting all cross-account relationships. Create a detailed mapping of:
  • Which WAF Classic Web ACLs protect resources in which accounts
  • The IAM roles and permissions enabling these cross-account relationships
  • Any custom integrations or automations that manage these relationships

Step 2: Design Your Cross-Account WAF v2 Architecture

WAF v2 supports cross-account resource protection, but the implementation differs from WAF Classic. Design your target architecture considering:
  • Will you maintain the same security account structure?
  • Do you need to adjust IAM permissions for the new WAF v2 APIs?
  • How will you handle the transition period when both WAF versions are active?

Implementing Cross-Account WAF v2 Protection

Step 1: Create IAM Roles for Cross-Account Access

In each application account, create a role that your security account can assume:
For more granular permissions, create a custom policy:

Step 2: Create WAF v2 Web ACLs in Security Account

In your security account, create the WAF v2 Web ACLs that will protect resources across accounts:

Step 3: Associate WAF v2 Web ACLs with Cross-Account Resources

Now, assume the role in the application account and associate the WAF v2 Web ACL:

Handling Different Resource Types Across Accounts

Application Load Balancers (ALBs)

For ALBs in different accounts:
1. Security Group Configuration:
2. Health Check Verification:
Ensure WAF v2 doesn't interfere with ALB health checks by testing thoroughly before full deployment.

API Gateway

For API Gateway resources:

CloudFront with Cross-Account Origins

For CloudFront distributions with origins in different accounts:
1. Origin Access Identity (OAI) Setup:
2. S3 Bucket Policy Update (if using S3 origins):
3. CloudFront WAF Association:
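The association step, both for regional resources (Step 3 of the previous section) and for the CloudFront case just listed, as an added example that is not the article's own code. The clients are passed in so the logic can run offline; the role ARN, ExternalId and resource ARNs in the `__main__` block are placeholders, and the session is assumed to already hold the application-account role from Step 1.

```python
import copy


def assume_role_kwargs(role_arn: str, external_id: str) -> dict:
    """Arguments for sts.assume_role(); ExternalId must match the role's trust policy."""
    return {"RoleArn": role_arn, "RoleSessionName": "waf-v2-migration",
            "ExternalId": external_id, "DurationSeconds": 900}

def session_kwargs(assume_role_response: dict) -> dict:
    """Map the temporary STS credentials onto boto3.client(...) keyword arguments."""
    c = assume_role_response["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"], "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}

def config_with_web_acl(distribution_config: dict, web_acl_arn: str) -> dict:
    """CloudFront keeps the web ACL in DistributionConfig.WebACLId (a WAF v2 ARN).
    UpdateDistribution replaces the whole config, so copy it and change only that field."""
    updated = copy.deepcopy(distribution_config)
    updated["WebACLId"] = web_acl_arn
    return updated

def associate_web_acl(wafv2, cloudfront, web_acl_arn: str, resource_arn: str) -> str:
    """Attach the web ACL using clients built from the assumed role; returns the API path used."""
    if resource_arn.startswith("arn:aws:cloudfront::"):
        dist_id = resource_arn.rsplit("/", 1)[-1]
        current = cloudfront.get_distribution_config(Id=dist_id)
        # IfMatch must carry the ETag from this read; a stale ETag makes CloudFront reject the write.
        cloudfront.update_distribution(
            Id=dist_id, IfMatch=current["ETag"],
            DistributionConfig=config_with_web_acl(current["DistributionConfig"], web_acl_arn))
        return "cloudfront:UpdateDistribution"
    # ALBs and API Gateway stages are regional resources: the WAF v2 API associates them directly.
    wafv2.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=resource_arn)
    return "wafv2:AssociateWebACL"

if __name__ == "__main__":  # real run; all ARNs and the ExternalId below are placeholders
    import boto3

    creds = boto3.client("sts").assume_role(**assume_role_kwargs(
        "arn:aws:iam::222222222222:role/SecurityWafAdminRole", "EXTERNAL_ID_PLACEHOLDER"))
    wafv2 = boto3.client("wafv2", region_name="us-east-1", **session_kwargs(creds))
    cloudfront = boto3.client("cloudfront", **session_kwargs(creds))
    print(associate_web_acl(
        wafv2, cloudfront,
        "arn:aws:wafv2:us-east-1:ACCOUNT_ID_PLACEHOLDER:regional/webacl/app-acl/WEBACL_ID_PLACEHOLDER",
        "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/my-alb/LB_ID_PLACEHOLDER"))
```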

Testing Cross-Account WAF Protection

Step 1: Verify Associations

Confirm that your WAF v2 Web ACLs are correctly associated with resources across accounts:
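An inventory-driven drift check for this step, added here as an example rather than taken from the article. It assumes a `client_factory(role_arn)` callable that returns `(wafv2, cloudfront)` clients for the assumed role in each application account; that indirection is what lets the check be exercised offline.

```python
def attached_web_acl(wafv2, cloudfront, resource_arn: str):
    """Return the ARN of the web ACL currently attached to the resource, or None."""
    if resource_arn.startswith("arn:aws:cloudfront::"):
        dist_id = resource_arn.rsplit("/", 1)[-1]
        config = cloudfront.get_distribution_config(Id=dist_id)["DistributionConfig"]
        return config.get("WebACLId") or None  # CloudFront reports "" when nothing is attached
    found = wafv2.get_web_acl_for_resource(ResourceArn=resource_arn).get("WebACL")
    return found["ARN"] if found else None


def verify_inventory(inventory: list, client_factory) -> list:
    """inventory rows: {"role_arn", "resource_arn", "expected_web_acl_arn"}.
    Returns (resource_arn, status, detail) per row; status is 'ok', 'missing' or 'mismatch'.
    'missing' also covers resources still on WAF Classic, which the WAF v2 API does not report."""
    report, clients = [], {}
    for row in inventory:
        role_arn = row["role_arn"]
        if role_arn not in clients:  # one assumed-role session per application account
            clients[role_arn] = client_factory(role_arn)
        wafv2, cloudfront = clients[role_arn]
        actual = attached_web_acl(wafv2, cloudfront, row["resource_arn"])
        if actual is None:
            report.append((row["resource_arn"], "missing", "no WAF v2 web ACL attached"))
        elif actual != row["expected_web_acl_arn"]:
            report.append((row["resource_arn"], "mismatch", actual))
        else:
            report.append((row["resource_arn"], "ok", actual))
    return report


def summarize(report: list) -> dict:
    """Counts per status, handy as the pass/fail gate of a migration pipeline."""
    counts = {"ok": 0, "missing": 0, "mismatch": 0}
    for _, status, _ in report:
        counts[status] += 1
    return counts
```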

Step 2: Implement Count Mode Testing

Before enforcing blocking rules, use Count mode to validate behavior:
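Count-mode testing worked through in code, covering this step and the log review that the logging setup below feeds: every rule is flipped to Count via `UpdateWebACL`, and WAF v2 log records are tallied to see what each rule would have stopped. This is an added example, not the article's code; the `wafv2` client is passed in and the log records are constructed.

```python
import copy
import json
from collections import Counter

def rules_in_count_mode(rules: list) -> list:
    """Return a copy of a web ACL's Rules with every rule switched to Count.
    Plain rules carry Action; rule-group references carry OverrideAction instead."""
    counted = []
    for rule in copy.deepcopy(rules):
        if "OverrideAction" in rule:
            rule["OverrideAction"] = {"Count": {}}
        else:
            rule["Action"] = {"Count": {}}
        counted.append(rule)
    return counted

def put_count_mode(wafv2, name: str, scope: str, web_acl_id: str) -> str:
    """Read the web ACL and re-submit it in Count mode. The LockToken from the read makes
    the update fail rather than silently overwrite a concurrent change. Returns the new token."""
    acl = wafv2.get_web_acl(Name=name, Scope=scope, Id=web_acl_id)
    body = acl["WebACL"]
    resp = wafv2.update_web_acl(
        Name=name, Scope=scope, Id=web_acl_id, LockToken=acl["LockToken"],
        DefaultAction=body["DefaultAction"], Rules=rules_in_count_mode(body["Rules"]),
        VisibilityConfig=body["VisibilityConfig"])
    return resp["NextLockToken"]

def tally_counted_rules(log_lines) -> Counter:
    """Per rule, how many logged requests it matched while in Count mode. WAF v2 records
    such matches under nonTerminatingMatchingRules because the request was not stopped."""
    hits = Counter()
    for line in log_lines:
        for match in json.loads(line).get("nonTerminatingMatchingRules", []):
            if match.get("action") == "COUNT":
                hits[match["ruleId"]] += 1
    return hits

# Constructed WAF v2 log records, reduced to the fields the tally reads.
SAMPLE_LOGS = [
    json.dumps({"action": "ALLOW", "terminatingRuleId": "Default_Action",
                "nonTerminatingMatchingRules": [{"ruleId": "BlockKnownBadIPs", "action": "COUNT"}]}),
    json.dumps({"action": "ALLOW", "terminatingRuleId": "Default_Action",
                "nonTerminatingMatchingRules": [{"ruleId": "BlockKnownBadIPs", "action": "COUNT"},
                                                {"ruleId": "RateLimitLogin", "action": "COUNT"}]}),
    json.dumps({"action": "ALLOW", "terminatingRuleId": "Default_Action",
                "nonTerminatingMatchingRules": []}),
]

if __name__ == "__main__":
    print(tally_counted_rules(SAMPLE_LOGS))  # Counter({'BlockKnownBadIPs': 2, 'RateLimitLogin': 1})
```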

Step 3: Cross-Account Logging and Monitoring

Set up centralized logging to monitor WAF behavior across accounts:
1. Create a Kinesis Firehose in Security Account:
2. Enable WAF Logging:
3. Create CloudWatch Dashboard:
Develop a dashboard that aggregates metrics from WAF across all accounts.

Rollback Strategy for Cross-Account Setup

Step 1: Document Current State

Before making changes, document the current state of all cross-account associations:

Step 2: Create Rollback Scripts

Prepare scripts that can quickly revert to WAF Classic if needed:
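A snapshot-and-rollback pair for Steps 1 and 2 of this section, added here as an example and not the article's own scripts. It assumes `waf-regional` (WAF Classic) and `wafv2` boto3 clients built from the assumed role in the application account, and keeps the snapshot as plain JSON so it can be committed alongside the migration.

```python
import json
from datetime import datetime, timezone


def snapshot_associations(waf_regional, resource_arns: list) -> dict:
    """Record which WAF Classic web ACL (if any) protects each resource right now."""
    state = {"taken_at": datetime.now(timezone.utc).isoformat(), "resources": {}}
    for arn in resource_arns:
        summary = waf_regional.get_web_acl_for_resource(ResourceArn=arn).get("WebACLSummary")
        state["resources"][arn] = summary["WebACLId"] if summary else None
    return state


def save_snapshot(state: dict, path: str) -> None:
    """Write the snapshot as sorted JSON so it diffs cleanly in version control."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(state, fh, indent=2, sort_keys=True)


def load_snapshot(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def rollback_to_classic(waf_regional, wafv2, state: dict) -> list:
    """Detach the WAF v2 web ACL from every snapshotted resource and re-attach the Classic
    one recorded for it. Returns (resource_arn, outcome) pairs for the audit trail."""
    results = []
    for arn, classic_id in state["resources"].items():
        try:
            wafv2.disassociate_web_acl(ResourceArn=arn)
            if classic_id is None:
                results.append((arn, "v2 detached; no Classic web ACL to restore"))
                continue
            waf_regional.associate_web_acl(WebACLId=classic_id, ResourceArn=arn)
            results.append((arn, f"restored Classic web ACL {classic_id}"))
        except Exception as exc:  # one failing resource must not strand the others
            results.append((arn, f"FAILED: {exc}"))
    return results
```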

Step 3: Test Rollback Procedure

Validate your rollback procedure in a test environment before full deployment.

Automation for Cross-Account WAF Management

To streamline ongoing management, consider implementing automation:

Step 1: Create a Central Management Lambda

Deploy a Lambda function in your security account that can manage WAF across accounts:

Step 2: Create CloudFormation StackSets

Use CloudFormation StackSets to deploy consistent IAM roles across all accounts:
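The StackSet template for the cross-account role (this step and Step 1 of the implementation section), generated as a JSON-format CloudFormation document. This is an added example rather than the article's template; the role name, the `ExternalId` parameter and the action list are assumptions, and `Resource: "*"` is the point to tighten once the account's resource ARNs are inventoried.

```python
import json

# Least-privilege actions for attaching and verifying WAF v2 web ACLs on regional
# resources; add cloudfront:UpdateDistribution only in accounts that own distributions.
WAF_ASSOCIATION_ACTIONS = [
    "wafv2:AssociateWebACL",
    "wafv2:DisassociateWebACL",
    "wafv2:GetWebACLForResource",
    "wafv2:ListResourcesForWebACL",
    "elasticloadbalancing:SetWebACL",
    "apigateway:SetWebACL",
]

def build_role_template(security_account_id: str, role_name: str = "SecurityWafAdminRole") -> dict:
    """Return a JSON-format CloudFormation template suitable for a StackSet."""
    if not (security_account_id.isdigit() and len(security_account_id) == 12):
        raise ValueError("security_account_id must be a 12-digit AWS account id")
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # Only principals in the security account may assume the role ...
            "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"},
            "Action": "sts:AssumeRole",
            # ... and only when they present the shared ExternalId (confused-deputy guard).
            "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}},
        }],
    }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"ExternalId": {"Type": "String", "NoEcho": True, "MinLength": 8}},
        "Resources": {
            "CrossAccountWafRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": trust_policy,
                    "Policies": [{
                        "PolicyName": "WafV2AssociationOnly",
                        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                            {"Effect": "Allow", "Action": WAF_ASSOCIATION_ACTIONS, "Resource": "*"}]},
                    }],
                },
            }
        },
    }

if __name__ == "__main__":
    print(json.dumps(build_role_template("111111111111"), indent=2))
```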

Advanced Considerations

Cross-Account Logging Aggregation

For comprehensive visibility:
  1. Create a central logging account for all WAF logs
  2. Implement log aggregation using Kinesis Data Firehose
  3. Set up cross-account CloudWatch metrics using CloudWatch cross-account observability

Handling IP Sets and Regex Pattern Sets

For IP sets used across accounts:
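One way to keep an IP set identical in two accounts, added here as an example rather than taken from the article. It assumes `src` and `dst` are `wafv2` clients for the security account and for the assumed role in an application account, with the set name and scope as placeholders; the `LockToken` handling on update is the part that is easy to get wrong.

```python
def find_ip_set(wafv2, name: str, scope: str):
    """Return the IPSetSummary with this name, or None (ListIPSets pages via NextMarker)."""
    kwargs = {"Scope": scope}
    while True:
        page = wafv2.list_ip_sets(**kwargs)
        for summary in page.get("IPSets", []):
            if summary["Name"] == name:
                return summary
        if not page.get("NextMarker"):
            return None
        kwargs["NextMarker"] = page["NextMarker"]


def addresses_changed(current: list, desired: list) -> bool:
    """Order is irrelevant to WAF, so compare as sorted lists."""
    return sorted(current) != sorted(desired)


def sync_ip_set(src, dst, name: str, scope: str) -> str:
    """Copy the source IP set's addresses into the destination account.
    Returns 'created', 'updated' or 'unchanged' so a pipeline can log what happened."""
    source_summary = find_ip_set(src, name, scope)
    if source_summary is None:
        raise ValueError(f"IP set {name!r} not found in source account")
    source = src.get_ip_set(Name=name, Scope=scope, Id=source_summary["Id"])["IPSet"]

    target_summary = find_ip_set(dst, name, scope)
    if target_summary is None:
        dst.create_ip_set(Name=name, Scope=scope, IPAddressVersion=source["IPAddressVersion"],
                          Addresses=source["Addresses"], Description=f"replica of {name}")
        return "created"
    target = dst.get_ip_set(Name=name, Scope=scope, Id=target_summary["Id"])
    if not addresses_changed(target["IPSet"]["Addresses"], source["Addresses"]):
        return "unchanged"
    # UpdateIPSet replaces the whole list and needs the LockToken from the latest read;
    # a stale token is rejected, which is what stops two syncs from racing each other.
    dst.update_ip_set(Name=name, Scope=scope, Id=target_summary["Id"],
                      Addresses=source["Addresses"], LockToken=target["LockToken"])
    return "updated"
```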

Automating Rule Updates

Implement CI/CD pipelines that can update WAF rules across accounts:
  1. Store rule configurations in a version-controlled repository
  2. Use AWS CodePipeline to automate deployments
  3. Implement approval workflows for rule changes

Conclusion

Successfully migrating WAF Classic to WAF v2 in a cross-account environment requires careful planning, precise execution, and thorough testing. By following the steps outlined in this guide, you can maintain robust security controls throughout the migration process while taking advantage of the enhanced capabilities offered by WAF v2.
The cross-account architecture not only provides better security through separation of concerns but also enables centralized management of web application security across your entire AWS organization. With proper implementation of the IAM roles, testing procedures, and monitoring solutions described here, you can achieve a seamless migration while enhancing your security posture.
Have you implemented a cross-account WAF architecture? Share your experiences and insights in the comments below!

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
