AWS WAF rule stopping Grafana CloudWatch queries

Problem: There are some AWS WAF rules configured to prevent SQL injection attacks; because of that I am not able to use the Grafana CloudWatch metric query. In a metric query, we can write SQL queries to fetch metrics data. I cannot delete that WAF rule due to security reasons. I need a solution, or a way to modify the WAF rules so that they prevent SQL queries from other sources except Grafana CloudWatch.

Below is the sample regex used in the WAF rule that is filtering SQL queries.

(?i)(\b(select|prepare|delete)\b.+\b(from|sleep|concat|elt)\b)

Because of that I am not able to save dashboards in which panels contain SQL queries.

I cannot even remove select from that. I need a solution which will prevent SQL queries from other sources except Grafana CloudWatch.

Grafana Version: Open source version- v11.0.0 (83b9528bce)

There is no solution for that. Grafana is doing "SQL injection" on purpose, not as an attack. You are using the wrong security tool for Grafana. Contact AWS support about how you can whitelist Grafana in your case.


Actually, all the queries that are run from Grafana CloudWatch will have the below format:

Select avg(metricName) from "AWS/service" where cond

So I want to change the below regex: (?i)(\b(select|prepare|delete)\b.+\b(from|sleep|concat|elt)\b)

such that the condition fails when the table name contains the word AWS.

I tried many ways but couldn't get the correct regex.
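The following is an added example, not code from the thread, from Grafana or from AWS. It models the two ways the rule above could be relaxed as AWS WAF rule statements (a RegexMatchStatement AND NOT an exclusion), then runs them against constructed requests with a small evaluator that approximates WAF's matching. Variant A is what the last post asks for: skip the block when the body contains an AWS namespace. Variant B scopes the SQLi rule down by request path instead. The Grafana endpoint paths (/api/ds/query, /api/dashboards/db) and all sample bodies are assumptions for illustration; confirm the real paths and body shape from your WAF sampled requests or logs before building the rule.

```python
import re

# The SQLi regex quoted in the thread (the existing WAF rule's pattern).
SQLI_REGEX = r"(?i)(\b(select|prepare|delete)\b.+\b(from|sleep|concat|elt)\b)"

# Assumption: the Grafana endpoints that carry Metric Insights SQL.
# Confirm the real paths from your WAF sampled requests before relying on them.
GRAFANA_PATHS = ("/api/ds/query", "/api/dashboards/db")


def _field(request, field_to_match):
    """Resolve an AWS WAF FieldToMatch against a simplified request dict."""
    if "Body" in field_to_match:
        return request.get("body", "")
    if "UriPath" in field_to_match:
        return request.get("path", "")
    raise ValueError(f"unsupported FieldToMatch: {field_to_match}")


def _transform(value, transformations):
    """Apply the TextTransformations modelled here (NONE and LOWERCASE only)."""
    for t in transformations:
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] != "NONE":
            raise ValueError(f"unsupported TextTransformation: {t['Type']}")
    return value


def evaluate(statement, request):
    """Return True when the (simplified) WAF statement matches the request."""
    if "RegexMatchStatement" in statement:
        s = statement["RegexMatchStatement"]
        hay = _transform(_field(request, s["FieldToMatch"]), s["TextTransformations"])
        return re.search(s["RegexString"], hay) is not None
    if "ByteMatchStatement" in statement:
        s = statement["ByteMatchStatement"]
        hay = _transform(_field(request, s["FieldToMatch"]), s["TextTransformations"])
        needle, constraint = s["SearchString"], s["PositionalConstraint"]
        if constraint == "STARTS_WITH":
            return hay.startswith(needle)
        if constraint == "CONTAINS":
            return needle in hay
        raise ValueError(f"unsupported PositionalConstraint: {constraint}")
    if "NotStatement" in statement:
        return not evaluate(statement["NotStatement"]["Statement"], request)
    if "AndStatement" in statement:
        return all(evaluate(s, request) for s in statement["AndStatement"]["Statements"])
    if "OrStatement" in statement:
        return any(evaluate(s, request) for s in statement["OrStatement"]["Statements"])
    raise ValueError(f"unsupported statement: {list(statement)}")


def sqli_statement():
    return {"RegexMatchStatement": {
        "RegexString": SQLI_REGEX,
        "FieldToMatch": {"Body": {}},
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
    }}


# Variant A: block on the SQLi regex unless the body mentions an AWS namespace.
# Any client can append that substring, so this exclusion is bypassable.
RULE_SUBSTRING_EXCLUSION = {"AndStatement": {"Statements": [
    sqli_statement(),
    {"NotStatement": {"Statement": {"ByteMatchStatement": {
        "SearchString": 'from "aws/',
        "FieldToMatch": {"Body": {}},
        "PositionalConstraint": "CONTAINS",
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
    }}}},
]}}

# Variant B: exempt only Grafana's own endpoints; the rest of the site keeps
# the original protection unchanged.
RULE_PATH_SCOPED = {"AndStatement": {"Statements": [
    sqli_statement(),
    {"NotStatement": {"Statement": {"OrStatement": {"Statements": [
        {"ByteMatchStatement": {
            "SearchString": p,
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }} for p in GRAFANA_PATHS
    ]}}}},
]}}

# Constructed sample requests (not captured traffic).
GRAFANA_QUERY = {"path": "/api/ds/query",
                 "body": 'SELECT AVG(CPUUtilization) FROM "AWS/EC2" WHERE InstanceId = \'i-0abc\''}
LOGIN_ATTACK = {"path": "/login",
                "body": "user=admin' UNION SELECT password FROM users--"}
LOGIN_BYPASS = {"path": "/login",
                "body": "user=admin' UNION SELECT password FROM users-- from \"AWS/EC2\""}


def blocked(rule, request):
    """A rule whose statement matches blocks the request (BLOCK action)."""
    return evaluate(rule, request)


if __name__ == "__main__":
    for name, req in [("grafana query", GRAFANA_QUERY),
                      ("login attack", LOGIN_ATTACK),
                      ("login bypass", LOGIN_BYPASS)]:
        print(f"{name:14} A(substring) blocked={blocked(RULE_SUBSTRING_EXCLUSION, req)!s:5} "
              f"B(path) blocked={blocked(RULE_PATH_SCOPED, req)}")
```

Running it shows why the regex-only approach is the wrong lever: the Grafana query passes under both variants, but the "login bypass" body, which is the plain attack with `from "AWS/EC2"` appended, sails through variant A and is still blocked by variant B. Two caveats when turning this into a real rule: Grafana posts the query inside a JSON body, where the double quote is escaped as `\"`, so a SearchString copied from the thread will not match the bytes WAF actually sees (take it from a sampled request); and AWS WAF's regex syntax is restricted, so express the exemption as a separate NotStatement rather than trying to fold a lookaround into the pattern. Prefer scoping by path, host or an authenticated source (Grafana's ingress) over anything the request body says about itself.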