Overview - Protecting AEM websites
Learn how to protect your AEM websites from Denial of Service (DoS), Distributed Denial of Service (DDoS), malicious traffic and sophisticated attacks using traffic filter rules, including its subcategory of Web Application Firewall (WAF) rules in AEM as a Cloud Service.
You also learn about the differences between standard traffic filter and WAF traffic filter rules, when to use them, and how to get started with Adobe-recommended rules.
Introduction to traffic security in AEM as a Cloud Service
AEM as a Cloud Service leverages an integrated CDN layer to protect and optimize the delivery of your website. One of the most critical components of the CDN layer is the ability to define and enforce traffic rules. These rules act as a protective shield to help secure your site from abuse, misuse, and attacks—without sacrificing performance.
Traffic security is essential to maintain uptime, protect sensitive data, and ensure a seamless experience for legitimate users. AEM provides two categories of security rules:
- Standard traffic filter rules
- Web Application Firewall (WAF) traffic filter rules
The rule sets help customers prevent common and sophisticated web threats, reduce noise from malicious or misbehaving clients, and improve observability through request logging, blocking and pattern detection.
Difference between standard and WAF traffic filter rules
Recommended rollout and deployment (summary of the comparison table):
- Standard traffic filter rules: start in log mode, then move to block mode.
- WAF traffic filter rules: start with block mode for the ATTACK-FROM-BAD-IP WAF flag and log mode for the ATTACK WAF flag, then move to block mode for both wafFlags.
- Both rule types are deployed via the Cloud Manager Config Pipeline.
The standard traffic filter rules are useful for enforcing business-specific policies, such as rate limits or blocking specific regions, as well as blocking traffic based on request properties and headers such as IP address, path or user agent.
The WAF traffic filter rules, on the other hand, provide comprehensive proactive protection for known web exploits and attack vectors, and have advanced intelligence to limit false positives (i.e., blocking legitimate traffic).
Both types of rules are defined in YAML syntax; see Traffic Filter Rules Syntax for details.
When and why to use them
Use standard traffic filter rules when:
- You want to apply organization-specific limits, like IP rate throttling.
- You are aware of specific patterns (for example, malicious IP addresses, regions, headers) that need filtering.
Use WAF traffic filter rules when:
- You want comprehensive, proactive protection from widespread known attack patterns (for example, injection, protocol abuse), as well as known malicious IPs, collected from expert data sources.
- You want to deny malicious requests while limiting the chance of blocking legitimate traffic.
- You want to limit the amount of effort to defend against common and sophisticated threats, by applying simple configuration rules.
Together, these rules provide a defense-in-depth strategy that allows AEM as a Cloud Service customers to take both proactive and reactive measures in securing their digital properties.
Adobe-recommended rules
Adobe provides recommended rules for standard traffic filter and WAF traffic filter rules to help you quickly secure your AEM sites.
- Standard traffic filter rules (available by default): Address common abuse scenarios such as DoS, DDoS and bot attacks against the CDN edge or the origin, as well as traffic from sanctioned countries. Examples include:
  - Rate limiting IPs that make more than 500 requests/second at the CDN edge
  - Rate limiting IPs that make more than 100 requests/second at the origin
  - Blocking traffic from countries listed by the Office of Foreign Assets Control (OFAC)
- WAF traffic filter rules (requires add-on license): Provide additional protection against sophisticated threats, including OWASP Top Ten threats like SQL injection, cross-site scripting (XSS), and other web application attacks. Examples include:
  - Blocking requests from known bad IP addresses
  - Logging or blocking suspicious requests that are flagged as attacks
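The following is an added example, not a file from this page or from Adobe, showing how the recommended rules and the log-then-block rollout described above could look in a single `config/cdn.yaml` deployed through the Cloud Manager Config Pipeline. It follows the documented traffic filter rule syntax; the rule names, the `envTypes` list, the `window` and `penalty` values, and the placeholder country codes are assumptions, while the thresholds (500 requests/second at the CDN edge, 100 requests/second at the origin) and the WAF flags `ATTACK-FROM-BAD-IP` and `ATTACK` come from the page.

```yaml
# Added example (not Adobe's own configuration). Assumed: rule names, envTypes,
# window/penalty values and the placeholder country codes. From the page: the
# 500/s edge and 100/s origin thresholds and the two WAF flags.
kind: "CDN"
version: "1"
metadata:
  envTypes: ["dev", "stage", "prod"]
data:
  trafficFilters:
    rules:
      # --- Standard rules: start in log mode, move to block once the CDN logs
      #     show that no legitimate traffic is being matched.
      - name: prevent-dos-attacks-edge
        when:
          reqProperty: tier
          equals: "publish"
        rateLimit:
          limit: 500            # requests per second, per client IP (from the page)
          window: 10            # seconds the rate is averaged over (assumed)
          penalty: 300          # seconds the client stays rate-limited (assumed)
          count: all            # count every request reaching the CDN edge
          groupBy:
            - reqProperty: clientIp
        action: log             # promote to block after reviewing the logs

      - name: prevent-dos-attacks-origin
        when:
          reqProperty: tier
          equals: "publish"
        rateLimit:
          limit: 100            # requests per second, per client IP (from the page)
          window: 10            # assumed
          penalty: 300          # assumed
          count: fetches        # only requests that miss the CDN cache and reach origin
          groupBy:
            - reqProperty: clientIp
        action: log             # promote to block after reviewing the logs

      - name: block-ofac-countries
        when:
          allOf:
            - reqProperty: tier
              equals: "publish"
            - reqProperty: clientCountry
              in: ["XX", "YY"]  # placeholder: replace with the current OFAC list (ISO 3166-1 alpha-2)
        action: block

      # --- WAF rules (add-on license): block the high-confidence flag right away,
      #     log the broader ATTACK flag first, then promote it to block.
      - name: block-waf-attack-from-bad-ip
        when:
          reqProperty: tier
          equals: "publish"
        action:
          type: block
          wafFlags:
            - ATTACK-FROM-BAD-IP

      - name: log-waf-attacks
        when:
          reqProperty: tier
          equals: "publish"
        action:
          type: log             # change to block once false positives are ruled out
          wafFlags:
            - ATTACK
```

The two rate-limit rules and the `log-waf-attacks` rule deliberately ship in `log` mode: deploy them, inspect the CDN logs for the matched rule names, and only then change `action` to `block`. The `block-waf-attack-from-bad-ip` rule blocks immediately because its flag carries a low false-positive risk, matching the rollout summarized above.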
Get started
Learn how to define, deploy, test and analyze traffic filter rules, including WAF rules, in AEM as a Cloud Service by following the setup guide and use cases below. This gives you the background knowledge so you can later confidently apply the Adobe-recommended rules.
How to set up traffic filter rules including WAF rules
Learn how to create, deploy, test, and analyze the results of traffic filter rules, including WAF rules.
Adobe-recommended rules setup guide
This guide provides step-by-step instructions to set up and deploy Adobe-recommended standard traffic filter and WAF traffic filter rules in your AEM as a Cloud Service environment.
Protecting AEM websites using standard traffic filter rules
Learn how to protect AEM websites from DoS, DDoS and bot abuse using Adobe-recommended standard traffic filter rules in AEM as a Cloud Service.
Protecting AEM websites using WAF rules
Learn how to protect AEM websites from sophisticated threats including DoS, DDoS, and bot abuse using Adobe-recommended Web Application Firewall (WAF) traffic filter rules in AEM as a Cloud Service.
Advanced use cases
For more advanced scenarios, you can explore the following use cases that demonstrate how to implement custom traffic filter rules based on specific business requirements:
Learn how to monitor sensitive requests by logging them using traffic filter rules in AEM as a Cloud Service.
Learn how to restrict access by blocking specific requests using traffic filter rules in AEM as a Cloud Service.
Learn how to normalize requests by transforming them using traffic filter rules in AEM as a Cloud Service.