Challenge 4: Configure Bot Management

Previous Challenge

Description

Create Cloud Armor security policy rules for Bot Management

In this section, you will use Cloud Armor bot management rules to allow, deny and redirect requests based on the reCAPTCHA score. Remember that when you created the session token site key, you set a testing score of 0.5.

  • In Cloud Shell, use gcloud to create a reCAPTCHA security policy.

  • Update the security policy to use a reCAPTCHA Enterprise manual challenge to distinguish between human and automated clients.

    • You will need your challenge-page site key created earlier.

Tip For the bot management policies, you’ll need expressions that use request.path.matches() and token.recaptcha_session.score values to match on.

  • Add a bot management rule to the policy to allow traffic if the url path matches good-score.html and has a score greater than 0.4.

  • Add a bot management rule to the policy to deny traffic with a 403 if the url path matches bad-score.html and has a score less than 0.6.

  • Add a bot management rule to the policy to redirect traffic to Google reCAPTCHA if the url path matches median-score.html and has a score equal to 0.5.

  • Attach this reCAPTCHA security policy to the backend service of your Load Balancer. Make sure it is available globally.

Note Remember that since we’re in testing mode, our score is fixed to 0.5. So we have to explicitly make sure we fail when going to bad-score.html and pass when going to good-score.html

Validate Bot Management with Cloud Armor

  • Open up a browser and go to http://{LoadBalancer_IP_Here}/index.html. Click on the movie Brooklyn Dreams. Verify you are allowed through.

    armor good score

  • Open a new window in Incognito mode to ensure we have a new session and go to http://{LoadBalancer_IP_Here}/index.html. Click on the movie Thorned. Verify you receive a HTTP 403 error.

    armor bad score

  • Open another new window in Incognito mode to ensure we have a new session and go to http://{LoadBalancer_IP_Here}/index.html. Click on the movie La Cucina in Crisis. Verify you see the redirection to Google reCAPTCHA and the manual challenge page.

    armor recaptcha click check

Verify Cloud Armor logs

Explore the security policy logs to validate bot management worked as expected.

  • In the Console, navigate to the logs for the reCAPTCHA policy you created.

  • You should see the following MQL (Monitoring Query Language) query get pre-populated:

      resource.type:(http_load_balancer) AND jsonPayload.enforcedSecurityPolicy.name:({YOUR_POLICY_NAME})
    
  • Verify a log entry exists in Query results where the request is for each rule (good, bad and median)

  • Verify that the configuredAction is set to ALLOW, DENY or GOOGLE_RECAPTCHA with the name recaptcha-policy.

    armor good results

    armor bad results

    armor median results

Note Cloud Armor security policies create logs that can be explored to determine when traffic is denied and when it is allowed, along with the source of the traffic.

Success Criteria

  • You’ve configured the Cloud Armor security policy rules for Bot Management
  • The policy has been attached to the backend
  • Users with a good score are allowed through
  • Users with a median score are redirected to the reCAPTCHA manual challenge
  • Users with a bad score are not allowed through
  • A score is recorded in the Cloud Armor logs when a user attempts to access movies in the gHacks+ streaming site.

Learning Resources

Previous Challenge