Question

[Cloud Armor] Seeking Terraform/gcloud snippets for API tuning & Postman false positives

  • April 9, 2026
  • 0 replies
  • 8 views

sinjini

Hi everyone,

We are looking for Terraform templates, gcloud scripts, or proven configuration snippets suggested by GCP to optimize our GCP Cloud Armor setup. We want to avoid manual, granular signature allowlisting, as it isn't scalable and risks broadening our attack surface.

Current Setup & Threats:

  • Running standard OWASP rules (sqli-v33-stable, xss-v33-stable) and rate limiting.

  • Actively targeted by (and needing protection from) scanners, credential stuffing, and SQLi/XSS probes.

The Problems We're Facing:

  1. False Positives on APIs: Our legitimate traffic relies on complex API endpoints and large nested JSON payloads with special characters, which frequently trigger WAF blocks.

  2. Postman Blocked: Our Dev/QA teams use Postman for internal testing, but Cloud Armor consistently blocks these requests (likely flagging the User-Agent, missing browser headers, or payload structure).

What We Need (IaC/Script Examples): We want to distinguish attackers from legitimate API/QA traffic. Does anyone have sanitized scripts or architectural advice for:

  • API-Specific Tuning: Handling large JSON payloads without triggering OWASP false positives.

  • Safe Internal Testing: Allowing Postman/QA traffic securely (e.g., via specific header validation, secure tokens, or IP ranges) without just trusting easily spoofed User-Agents.

  • Adaptive Protection: Best practices for enabling Adaptive Protection via code to learn our API baselines dynamically.

Any best practices, code snippets, Terraform modules, or pointers would be hugely appreciated. Thanks!
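
A Terraform sketch of the three items asked about above, added here as an example; it is not part of the original post and is not an official Google template. The policy name, priorities, `/api/` prefix, `x-qa-token` header name and the CIDR are assumptions to replace with your own values.

```hcl
# Added example: names, priorities, CIDR, header name and path prefix are assumptions.
variable "qa_token" {
  type      = string
  sensitive = true # still stored in state and visible in the policy expression; rotate it
}

resource "google_compute_security_policy" "api" {
  name = "api-waf-policy" # hypothetical name

  advanced_options_config {
    json_parsing = "STANDARD" # parse JSON request bodies before the preconfigured WAF rules run
  }
  adaptive_protection_config {
    layer_7_ddos_defense_config { enable = true }
  }

  # QA/Postman: source range AND secret header must both match; User-Agent is ignored.
  # Traffic allowed here skips the WAF rules below, so keep the range narrow.
  rule {
    action   = "allow"
    priority = 900
    match {
      expr { expression = "inIpRange(origin.ip, '203.0.113.0/24') && request.headers['x-qa-token'] == '${var.qa_token}'" }
    }
  }
  # API paths: same rule sets at the lowest sensitivity, in preview (log only) until reviewed.
  rule {
    action   = "deny(403)"
    priority = 1000
    preview  = true
    match {
      expr { expression = "request.path.startsWith('/api/') && (evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1}) || evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1}))" }
    }
  }
  # Everything else: full rule sets. /api/ is excluded so it is not re-checked at full sensitivity.
  rule {
    action   = "deny(403)"
    priority = 2000
    match {
      expr { expression = "!request.path.startsWith('/api/') && (evaluatePreconfiguredWaf('sqli-v33-stable') || evaluatePreconfiguredWaf('xss-v33-stable'))" }
    }
  }
  rule { # default rule
    action   = "allow"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}
```

Review the preview-mode log entries for the API rule before setting `preview = false`, and keep rate limiting in its own rules as in the current setup.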