ArcGIS with AWS WAFv2

Roger Groom & Scott Bennett-McLeish Posted 25 August 2021

Modis developed and continues to manage a fleet of ESRI ArcGIS geospatial servers for a commercial operator in the lands industry.

The Scenario


The ArcGIS application servers in the customer's platform are hosted inside private VPC subnets and exposed through a public, internet-facing Application Load Balancer (ALB). Java services and end-user client JavaScript talk directly to services hosted on the ArcGIS servers, so the ArcGIS servers need to be publicly accessible.

ArcGIS servers also expose an administration facility on the same listener as the services themselves, at:

  • https://<hostname>/arcgis/manager
  • https://<hostname>/arcgis/admin

It was desirable to have those administration facilities inaccessible to the average user who legitimately has access to other ArcGIS services.

Modis architected, implemented and operates this service for its customer as a Managed Services Provider. This work was done in early 2021.

The Solution

An AWS WAFv2 web ACL was placed in front of the ArcGIS ALB to block the specific admin URLs. It was added by augmenting the existing CloudFormation template responsible for standing up the ALB and ArcGIS servers; CloudFormation conditions were used so that the WAF configuration is environment specific.

The WAFv2 was enabled with the following rules:

  Rule                                      Type          Action
  ArcGisWafRuleBlockAdmin                   Custom        Block
  ArcGisWafRuleBlockManager                 Custom        Block
  AWSManagedRulesCommonRuleSet              AWS Managed   Count
  AWSManagedRulesAdminProtectionRuleSet     AWS Managed   Count
  AWSManagedRulesKnownBadInputsRuleSet      AWS Managed   Count
  AWSManagedRulesWindowsRuleSet             AWS Managed   Count

While initially only the two custom rules were required, it made sense to add a set of seemingly appropriate AWS Managed rule groups in Count mode, to identify whether it is feasible to block these as well. Because the functional requirements of the ArcGIS servers were not well understood, it was not clear whether blocking them immediately would cause customer experience issues. Future work will analyse the Count results and attempt blocking appropriate managed rules in the lower (non-production) environments first.
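The following CloudFormation fragment is an added illustration of the web ACL described above; it is not the customer's template or Modis' code. It assumes a parameter EnvironmentName, a condition EnableWaf that keeps the WAF out of the dev environment, and a parameter ArcGisAlbArn carrying the ALB's ARN; the rule names and managed rule groups are those listed in the table. The two custom rules match the URI path prefix after URL-decoding and lower-casing it, so that differently encoded or cased spellings of the same path are still caught, and the managed rule groups run in Count mode so that their matches only show up in CloudWatch metrics.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - WAFv2 web ACL blocking ArcGIS admin paths (not the original template)

Parameters:
  EnvironmentName:            # assumed parameter
    Type: String
    AllowedValues: [dev, test, uat, prod]
  ArcGisAlbArn:               # assumed parameter: ARN of the existing ArcGIS ALB
    Type: String

Conditions:
  # Assumed condition: the WAF is created everywhere except dev.
  EnableWaf: !Not [!Equals [!Ref EnvironmentName, dev]]

Resources:
  ArcGisWebAcl:
    Type: AWS::WAFv2::WebACL
    Condition: EnableWaf
    Properties:
      Name: !Sub "${EnvironmentName}-arcgis-waf"
      Scope: REGIONAL           # REGIONAL is required for an ALB association
      DefaultAction:
        Allow: {}               # everything not matched by a Block rule passes through
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: !Sub "${EnvironmentName}ArcGisWaf"
      Rules:
        # Custom rule: block the ArcGIS admin API.
        - Name: ArcGisWafRuleBlockAdmin
          Priority: 0
          Action:
            Block: {}
          Statement:
            ByteMatchStatement:
              FieldToMatch:
                UriPath: {}
              PositionalConstraint: STARTS_WITH
              SearchString: /arcgis/admin
              TextTransformations:   # normalise before comparing
                - Priority: 0
                  Type: URL_DECODE
                - Priority: 1
                  Type: LOWERCASE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: ArcGisWafRuleBlockAdmin
        # Custom rule: block the ArcGIS Manager web UI.
        - Name: ArcGisWafRuleBlockManager
          Priority: 1
          Action:
            Block: {}
          Statement:
            ByteMatchStatement:
              FieldToMatch:
                UriPath: {}
              PositionalConstraint: STARTS_WITH
              SearchString: /arcgis/manager
              TextTransformations:
                - Priority: 0
                  Type: URL_DECODE
                - Priority: 1
                  Type: LOWERCASE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: ArcGisWafRuleBlockManager
        # Managed rule group in Count mode: OverrideAction replaces the group's
        # own Block actions with Count, so matches are only recorded.
        - Name: AWSManagedRulesCommonRuleSet
          Priority: 10
          OverrideAction:
            Count: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet
        - Name: AWSManagedRulesAdminProtectionRuleSet
          Priority: 11
          OverrideAction:
            Count: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesAdminProtectionRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesAdminProtectionRuleSet

  # Attach the web ACL to the ALB.
  ArcGisWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Condition: EnableWaf
    Properties:
      ResourceArn: !Ref ArcGisAlbArn
      WebACLArn: !GetAtt ArcGisWebAcl.Arn
```

The remaining two managed rule groups from the table (AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesWindowsRuleSet) are added in the same shape with further priorities. Rule priorities are evaluated lowest first, so the custom Block rules sit ahead of the Count-only groups. Once deployed, each rule's VisibilityConfig publishes BlockedRequests and CountedRequests metrics in the AWS/WAFV2 CloudWatch namespace, with Rule and WebACL dimensions, which is what the graphs in the next section are drawn from; promoting a managed group from Count to Block later is a matter of removing its OverrideAction. Note that when a managed group is in Count mode, a request it flags is still evaluated against the remaining rules and, absent another match, allowed by the default action.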

The Outcome

In Production, UAT and Test environments the administration pages are now inaccessible outside of the ArcGIS server itself.

Monitoring showed immediately that there were regular hits to the production ArcGIS administration pages. These regular hits continued for many weeks, then stopped and have not returned. The graph below from CloudWatch metrics illustrates this:

The graph from CloudWatch metrics illustrates regular hits have not returned

While it is unclear whether the traffic was ‘legitimate’ or malicious, no functionality has been impaired by the introduction of the block rules. This suggests the traffic was not legitimate, so blocking it is a positive outcome.

Monitoring of the Count metrics for AWS Managed Rules shows there is potential for further improvement.

The below illustrates a spike in counts for the AWS Managed ‘admin’ rule, a spike that does not correlate to the custom rules for ‘admin’ and ‘manager’. This warrants further analysis.

The graph illustrates a spike in counts for the AWS Managed ‘admin’ rule

About Modis

At Modis we connect people, technology and businesses to the opportunities they need to thrive in a rapidly advancing world. With 1,300+ technology professionals across six locations (Sydney, Melbourne, Brisbane, Adelaide, Canberra and Perth), we work with our clients to deliver solutions and talent to transform technology portfolios, streamline business functions, drive innovation or enhance organisational capability. https://aws.modis.com

Modis has been an AWS Advanced Tier Partner since 2014. Modis' AWS Cloud Consulting services encompass the fundamentals of cyber security, fault-tolerant digital system architecture, modernisation, traditional virtual machine through to modern Serverless approaches, and commercial off-the-shelf software operation through to bespoke software development, delivered with high-throughput, repeatable DevOps approaches to operations. With over half a decade of running critical authoritative government data sets that affect the lives of millions of citizens and the economies of the state, Modis is one of the most mature, experienced and recognised consulting service providers in the world. More importantly, we like to work very closely with our customers: not providing something to purchase, but taking a deep understanding of their business and providing the recommendations and implementations to ensure a modern, efficient, reliable and secure environment for digital business systems.