Cloud Armor helps you protect your Cloud de Confiance by S3NS deployments from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi). Cloud Armor features some automatic protections and some that you need to configure manually. This document provides a high-level overview of these features.
Security policies
Use Cloud Armor security policies to protect applications running behind a load balancer from distributed denial-of-service (DDoS) and other web-based attacks. You can configure security policies manually, defining your own match conditions and actions. Cloud Armor also features preconfigured security policies, which cover a variety of use cases. For more information, see Cloud Armor security policy overview.
Rules language
Cloud Armor lets you define prioritized rules with configurable match conditions and actions in a security policy. A rule takes effect, meaning that the configured action is applied, if the rule is the highest priority rule whose attributes match the attributes of the incoming request. For more information, see Cloud Armor custom rules language reference.
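The evaluation order described above, as a simplified model of how one misplaced broad rule shadows a narrower one. This is an added example, not Cloud Armor's own code. It assumes Cloud Armor's convention that a lower priority number means higher priority and that the default rule sits at 2147483647; the rules, addresses and paths are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

DEFAULT_PRIORITY = 2147483647  # assumed: priority of the catch-all default rule


@dataclass(frozen=True)
class Rule:
    priority: int                    # assumed: lower number = higher priority
    action: str                      # label only, e.g. "allow" or "deny-403"
    matches: Callable[[dict], bool]  # predicate over request attributes


def src_ip_in(*cidrs):
    """Match requests whose source IP falls in any of the given CIDR ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["src_ip"]) in n for n in nets)


def path_prefix(prefix):
    """Match requests whose URL path starts with the given prefix."""
    return lambda req: req["path"].startswith(prefix)


def evaluate(rules, request):
    """Return the highest-priority rule that matches; only its action applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(request):
            return rule
    raise ValueError("policy has no matching default rule")


# Constructed policy: the broad allow at 1000 outranks the deny at 2000,
# so the allowlisted range can still reach /admin.
SHADOWING = [
    Rule(1000, "allow", src_ip_in("198.51.100.0/24")),
    Rule(2000, "deny-403", path_prefix("/admin")),
    Rule(DEFAULT_PRIORITY, "allow", lambda req: True),
]
# Same rules with the deny moved ahead of the allow.
CORRECTED = [
    Rule(500, "deny-403", path_prefix("/admin")),
    Rule(1000, "allow", src_ip_in("198.51.100.0/24")),
    Rule(DEFAULT_PRIORITY, "allow", lambda req: True),
]

if __name__ == "__main__":
    req = {"src_ip": "198.51.100.7", "path": "/admin/users"}  # constructed request
    for name, policy in (("shadowing", SHADOWING), ("corrected", CORRECTED)):
        hit = evaluate(policy, req)
        print(f"{name}: rule {hit.priority} -> {hit.action}")
```

When reviewing a policy, read the rules in priority order and check each deny rule against every broader allow rule that outranks it.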
Preconfigured WAF rules
Cloud Armor preconfigured WAF rules are complex web application firewall (WAF) rules with dozens of signatures that are compiled from open source industry standards. Each signature corresponds to an attack detection rule in the rule set. These rules are offered as-is. The rules allow Cloud Armor to evaluate dozens of distinct traffic signatures by referring to conveniently named rules, rather than requiring you to define each signature manually.
Cloud Armor preconfigured rules help protect your web applications and services from common attacks from the internet and help mitigate the OWASP Top 10 risks. The rule source is OWASP Core Rule Set 4.22.
These preconfigured rules can be tuned to disable noisy or otherwise unnecessary signatures. For more information, see Tuning Cloud Armor WAF rules.
How Cloud Armor works
Cloud Armor provides always-on protection from Layer 3 and Layer 4 (L3 and L4) volumetric and network protocol-based DDoS attacks, with automated inline mitigations in real time and with no latency impact. This protection is for applications or services behind load balancers. Cloud Armor detects and mitigates network attacks so that only well-formed requests pass through the load balancing proxies.
Cloud Armor can protect against Layer 7 (application layer) threats, including L7 DDoS attacks such as HTTP floods, but this protection requires a user-configured security policy with proactive rules in place. The security policies enforce custom L7 filtering policies, including preconfigured WAF rules that mitigate OWASP Top 10 web application vulnerability risks. You can attach security policies to the backend services of regional external Application Load Balancers.
Cloud Armor security policies enable you to allow or deny access to your deployment at the Cloud de Confiance edge, as close as possible to the source of incoming traffic. This prevents unwelcome traffic from consuming resources or entering your Virtual Private Cloud (VPC) networks.
You can use some or all of these features to protect your application. You can use security policies to match against known conditions, and create WAF rules to protect against common attacks like those found in the ModSecurity Core Rule Set 4.22.