Platform Security Protections
Overview
Cloud.gov implements defense-in-depth security protections against malicious traffic, including Web Application Firewall (WAF) rules, rate limiting, and DDoS mitigation. These platform-level protections operate transparently to defend all customer applications while maintaining legitimate traffic flow. Understanding these protections helps agencies properly configure security testing and respond to potential false positives.
Prerequisites
- Understanding of common web application attacks (OWASP Top 10)
- Space Developer role for testing application behavior
- Familiarity with AWS WAF and CloudFront concepts
- Contact information for reporting false positives: support@cloud.gov
Process / Steps
1. Understand Protection Layers
Cloud.gov implements multiple security layers:
Layer 1: Web Application Firewall (WAF)
- AWS Managed rule sets for XSS, SQLi, and known exploits
- Custom rules for Log4j, path traversal, and fuzzing tools
- Automatic blocking of malicious patterns
Layer 2: Rate Limiting
- Request throttling to prevent abuse
- CHALLENGE actions for suspicious traffic
- Token-based verification for legitimate users
Layer 3: DDoS Protection
- AWS Shield Standard on all endpoints
- CloudFront with Shield Advanced for enhanced protection
- Automatic traffic scrubbing and filtering
2. Configure Application for WAF Compatibility
Customer Responsibility: Ensure your application and its clients:
- Handle CHALLENGE responses appropriately: the interstitial is served by AWS before the request reaches your app, so API clients must not treat its 2xx status as an application response
- Implement proper error handling
- Log security events with timestamps and request details so they can be correlated when reporting a suspected false positive
3. Handle CHALLENGE Responses
When rate limits trigger, legitimate users see:
- Interstitial challenge page
- Automatic redirect after verification
- aws-waf-token cookie for subsequent requests
If you suspect that your traffic is being improperly affected by these protections, please contact us at support@cloud.gov.
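Added example, not cloud.gov's own code, of how an API client can meet the customer responsibility in step 2 and the behavior described in step 3: it recognizes the CHALLENGE interstitial instead of mistaking its 2xx status for an application response, carries the aws-waf-token cookie forward on later requests, and backs off rather than hammering the endpoint. It assumes, as labelled in the code, that the interstitial arrives as HTTP 202 with an x-amzn-waf-action: challenge header (the signal AWS WAF exposes to its client SDKs); the network call is injected so the example runs offline against constructed responses.

```python
# Added example, not cloud.gov's own code: a minimal API client that refuses to
# mistake an AWS WAF CHALLENGE interstitial for an application response.
#
# Assumptions (labelled): the interstitial arrives as HTTP 202 with an
# "x-amzn-waf-action: challenge" header; clearance is carried in the
# "aws-waf-token" cookie named on this page. The fetch callable is injected so
# the example runs offline against constructed responses; in production you
# would wrap requests/urllib with a persistent cookie jar.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

CHALLENGE_HEADER = "x-amzn-waf-action"  # assumed header name
TOKEN_COOKIE = "aws-waf-token"          # cookie named on this page


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def is_waf_challenge(resp: Response) -> bool:
    """True when AWS answered instead of the app. The CHALLENGE is served before
    the request reaches your app, so the response carries none of your
    application's own headers; test for the platform's signal, not for theirs."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    return resp.status == 202 and headers.get(CHALLENGE_HEADER, "").lower() == "challenge"


def fetch_with_challenge_handling(
    fetch: Callable[[str, Dict[str, str]], Response],
    url: str,
    cookie_jar: Dict[str, str],
    log: List[str],
    max_attempts: int = 3,
    backoff_s: float = 0.0,  # use a real delay (e.g. 2.0) in production
) -> Response:
    """Retry after a CHALLENGE, carrying forward every cookie the platform set.

    A non-browser client cannot execute the challenge JavaScript, so repeated
    challenges mean the traffic is being throttled: stop, keep the timestamped
    log entries, and (per this page) report them to support@cloud.gov.
    """
    for attempt in range(1, max_attempts + 1):
        resp = fetch(url, dict(cookie_jar))
        cookie_jar.update(resp.cookies)  # keeps aws-waf-token for later requests
        if not is_waf_challenge(resp):
            return resp
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        log.append(f"{stamp} WAF CHALLENGE on {url} (attempt {attempt})")
        time.sleep(backoff_s * attempt)
    raise RuntimeError(f"still challenged after {max_attempts} attempts; report log to support@cloud.gov")


def make_fake_fetch(challenges_before_success: int) -> Callable[[str, Dict[str, str]], Response]:
    """Constructed stand-in for the network: serve N CHALLENGEs, then real JSON."""
    calls = {"n": 0}

    def fetch(url: str, cookies: Dict[str, str]) -> Response:
        calls["n"] += 1
        if calls["n"] <= challenges_before_success:
            # Constructed interstitial: 2xx status, HTML body, no app headers.
            return Response(202, {"X-Amzn-Waf-Action": "challenge", "Content-Type": "text/html"},
                            {TOKEN_COOKIE: "constructed-token-123"}, "<html>verifying...</html>")
        assert cookies.get(TOKEN_COOKIE) == "constructed-token-123"  # cookie carried forward
        return Response(200, {"Content-Type": "application/json", "X-App-Version": "1.0"},
                        {}, '{"ok": true}')

    return fetch


def demo() -> dict:
    """One CHALLENGE followed by a real response; returns what happened."""
    jar: Dict[str, str] = {}
    log: List[str] = []
    resp = fetch_with_challenge_handling(make_fake_fetch(1), "https://your-app.app.cloud.gov/api", jar, log)
    return {"final_status": resp.status, "body": resp.body, "cookie_jar": jar, "challenges_seen": len(log)}


if __name__ == "__main__":
    print(demo())
```

The failure mode this guards against is a client that checks only for a 2xx status and then tries to parse the challenge HTML as JSON; the timestamped log entries are exactly what support@cloud.gov asks for when you report a suspected false positive.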
4. Enable CloudFront CDN (Optional)
For enhanced protection:
cf create-service external-domain cloudfront-cdn my-cdn
cf bind-service your-app my-cdn
Benefits:
- Additional rate limiting
- Shield Advanced DDoS protection
- Global edge caching
5. Monitor Security Events
Track potential security impacts:
# Check router and application logs for requests your app itself rejected. Requests
# blocked by the WAF or answered with a CHALLENGE are handled by AWS before reaching
# your app, so they will not appear here.
cf logs your-app --recent | grep "403"
# Monitor application availability
cf app your-app
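Added example, not cloud.gov's own code, that goes one step past the grep above: it parses the router (RTR) lines from cf logs output and counts 403/429 rejections per client and path, so an app-level spike can be told apart from platform behavior (WAF blocks and CHALLENGEs never reach the router or your app, so their absence from this output is expected). The log lines are constructed for the example, using RFC 5737 documentation addresses, in the gorouter access-log shape; only the fields the regex names are relied on.

```python
# Added example, not cloud.gov's own code: summarise rejected requests in
# "cf logs your-app --recent" output so app-level 403/429s can be separated
# from platform behaviour. Requests blocked by the WAF or answered with a
# CHALLENGE never reach the router or your app, so they are absent from this
# output by design; a burst of app-level rejections is what this surfaces.
#
# SAMPLE_LOGS is constructed (RFC 5737 addresses, made-up request ids) in the
# gorouter RTR access-log shape; fields beyond those parsed are not relied on.
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

SAMPLE_LOGS = """\
2024-05-01T10:00:00.01-0400 [RTR/0] OUT your-app.app.cloud.gov - [2024-05-01T14:00:00.010Z] "GET /admin HTTP/1.1" 403 0 23 "-" "curl/8.0.1" "10.10.2.5:43210" "10.10.1.2:61001" x_forwarded_for:"203.0.113.7, 10.10.2.5" x_forwarded_proto:"https" vcap_request_id:"0001" response_time:0.001
2024-05-01T10:00:00.02-0400 [RTR/0] OUT your-app.app.cloud.gov - [2024-05-01T14:00:00.020Z] "GET /admin HTTP/1.1" 403 0 23 "-" "curl/8.0.1" "10.10.2.5:43211" "10.10.1.2:61001" x_forwarded_for:"203.0.113.7, 10.10.2.5" x_forwarded_proto:"https" vcap_request_id:"0002" response_time:0.001
2024-05-01T10:00:00.03-0400 [RTR/0] OUT your-app.app.cloud.gov - [2024-05-01T14:00:00.030Z] "GET /api/items HTTP/1.1" 200 0 512 "-" "Mozilla/5.0" "10.10.2.6:43212" "10.10.1.2:61001" x_forwarded_for:"198.51.100.9, 10.10.2.6" x_forwarded_proto:"https" vcap_request_id:"0003" response_time:0.012
2024-05-01T10:00:00.04-0400 [APP/PROC/WEB/0] OUT 403 forbidden: missing role for /admin
2024-05-01T10:00:00.05-0400 [RTR/0] OUT your-app.app.cloud.gov - [2024-05-01T14:00:00.050Z] "POST /api/login HTTP/1.1" 429 0 0 "-" "python-requests/2.31" "10.10.2.5:43213" "10.10.1.2:61001" x_forwarded_for:"203.0.113.7, 10.10.2.5" x_forwarded_proto:"https" vcap_request_id:"0004" response_time:0.002
"""

# Router access-log line: method, path, status, and the X-Forwarded-For chain.
RTR_LINE = re.compile(
    r'\[RTR/\d+\] OUT .*? "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'.*?x_forwarded_for:"(?P<xff>[^"]*)"'
)


def parse_rtr(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract method, path, status and original client from router lines.
    The leftmost x_forwarded_for entry is the original client; entries to its
    right are platform hops (CDN edge, router). APP/PROC lines are skipped
    because they have no access-log shape."""
    records = []
    for line in lines:
        m = RTR_LINE.search(line)
        if not m:
            continue
        client = m.group("xff").split(",")[0].strip() or "unknown"
        records.append({"method": m.group("method"), "path": m.group("path"),
                        "status": m.group("status"), "client": client})
    return records


def rejected_by_client_path(records: Iterable[Dict[str, str]]) -> Counter:
    """Count app-level rejections (403 forbidden, 429 too many requests)."""
    counts: Counter = Counter()
    for r in records:
        if r["status"] in ("403", "429"):
            counts[(r["client"], r["path"], r["status"])] += 1
    return counts


def report(log_text: str, threshold: int = 2) -> List[Tuple[str, str, str, int]]:
    """(client, path, status, count) tuples at or above threshold, busiest first."""
    counts = rejected_by_client_path(parse_rtr(log_text.splitlines()))
    hot = [(*key, n) for key, n in counts.items() if n >= threshold]
    return sorted(hot, key=lambda t: -t[3])


if __name__ == "__main__":
    for client, path, status, n in report(SAMPLE_LOGS):
        print(f"{n:4d} x {status} {path} from {client}")
```

Feed report() the text of cf logs your-app --recent to run it against real output; a client and path that show up here are your application's own decisions and belong in your incident timeline, while traffic that vanished without a router line is the platform's doing and is what to describe to support@cloud.gov.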
Common Errors & Fixes
False Positive WAF Blocks
- Issue: Legitimate traffic blocked by WAF rules
- Fix: Contact support@cloud.gov with request details and timestamps
CHALLENGE Token Warnings
- Issue: Security scanner flags aws-waf-token as a vulnerability
- Fix: Mark as false positive - this is expected platform behavior
Rate Limit During Testing
- Issue: Penetration tests trigger rate limits
- Fix: Notify support@cloud.gov before testing (see the penetration test policy)
Missing Security Headers
- Issue: CHALLENGE responses lack application headers
- Fix: Expected behavior - AWS handles CHALLENGE before reaching your app
FAQs
Q: Can I disable WAF rules for my application? A: No. WAF rules protect the entire platform. Report false positives to support@cloud.gov for rule tuning.
Q: How do I test my application's security? A: Follow the penetration test notification process. Never attempt to bypass platform protections.
Q: What should I tell my security scanner vendor? A: Inform them that aws-waf-token cookies and CHALLENGE responses are legitimate platform security features, not vulnerabilities.
Q: Does Cloud.gov protection replace my application security? A: No. Platform protections complement but don't replace secure coding, input validation, and application-level controls.