[AWS] AWS WAF (Web Application Firewall)

WAF (Web Application Firewall) is a firewall service that protects web applications from common web exploits such as SQL injection or Cross-Site Scripting. You set up rules to filter out malicious traffic.


Features

  • It is an OSI Layer 7 firewall.
  • It monitors HTTP or HTTPS requests.
  • Blocked traffic returns HTTP 403 (Forbidden) error status.
  • Get real-time metrics and alarms through CloudWatch.
  • WAF is not a DDoS protection service.
    • Use AWS Shield instead.
    • You can still use WAF to control (allow/deny) traffic and protect workloads from DDoS attacks through:
      • IP set
      • Geo match

Use Cases

  • Throttle the number of API calls (limit traffic) using rate-based rules
  • Block users
    • If users generate too many 4xx errors, block traffic from those IPs.
  • Receive notifications about unusual traffic

WAF Building Blocks

Components

  • Condition:
    • IP, String, or Geo matches
    • Size constraints
    • SQL injection match
    • Cross-site scripting match
  • Rule: a group of conditions
  • Rule Actions: COUNT, ALLOW, BLOCK
  • Web ACL: a group of rules

Web ACL

  • A Web Access Control List (Web ACL) gives you fine-grained control over the web requests.
  • A Web ACL can be associated with
    • CloudFront – globally on edge locations
    • API Gateway – regional
    • Application Load Balancer (ALB) – regional
    • AWS AppSync (GraphQL APIs)
  • You can reuse a Web ACL across multiple CloudFront distributions to help reduce costs.

Logging

  • You can send Web ACL logs to
    • CloudWatch Logs
      • 5 MB per second
    • S3
      • 5-minute interval
    • Kinesis Data Firehose

Setting up WAF Rules

You can write your own rules or use Managed Rules, pre-configured rule sets maintained by AWS or by AWS Marketplace sellers.

WAF can act in 3 ways:

  • Allow all requests except the specified ones (blacklist)
  • Block all requests except the specified ones (whitelist)
  • Count the requests that match the specified conditions

You can specify the following conditions:

  • Source IP address
  • Country of origin (Geo match)
  • Values in request query parameters or headers
  • Length of a request
  • Presence of SQL code that can be malicious (SQL injection)
  • Presence of script that can be malicious (Cross-site scripting)

Rate-based Rules

AWS WAF supports a new rule type – “rate-based” rules.

  • Rate-based rules allow you to configure a request-rate threshold.
    • If, for example, the threshold for the rate-based rule is set to 2,000, the rule will block all IPs that have made more than 2,000 requests in the last 5-minute interval.
  • You can create a deny-list of IP addresses that exceed the configured threshold rate (configurable in web requests per trailing 5-minute period).
  • The rule can be used to protect against threats such as web-layer DDoS attacks, brute-force login attempts and bad bots.

You can retrieve the blocked IPs like this:

# CloudFront

aws wafv2 get-rate-based-statement-managed-keys --scope=CLOUDFRONT --region=us-east-1 --web-acl-name=WebACLName --web-acl-id=WebACLId --rule-name=RuleName

# Amazon API Gateway REST API, an Application Load Balancer, an AWS AppSync GraphQL API, or an Amazon Cognito user pool

aws wafv2 get-rate-based-statement-managed-keys --scope=REGIONAL --region=us-east-1 --web-acl-name=WebACLName --web-acl-id=WebACLId --rule-name=RuleName

Allow or Deny by IP Sets or Geo Match

IP Sets Statement

You can allow or block traffic from a range of source IPs.

  • Create an IP set
  • Create a rule that references the IP set

Geo Match Statement

  • You can block traffic originating from a list of countries.
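As an added example (not code from the original page), the rule types covered under "Rate-based Rules" and in this section, written as the WAFv2 rule documents you can hand to `aws wafv2 create-web-acl --rules file://rules.json`; the rule names, the IP set ARN and the country codes are assumptions made for the example:

```python
import json
# Assumed names, IP set ARN and country codes; the rule shape is the one AWS WAFv2
# accepts for `aws wafv2 create-web-acl --rules file://rules.json`.

def _rule(name, priority, statement, action):
    """Assemble one rule; WAFv2 rejects rules without a VisibilityConfig."""
    return {"Name": name, "Priority": priority, "Statement": statement,
            "Action": {action: {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}

def rate_based_rule(name, priority, limit=2000, action="Block"):
    """Act on each source IP that exceeds `limit` requests in the trailing 5-minute window."""
    stmt = {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}}
    return _rule(name, priority, stmt, action)

def ip_set_rule(name, priority, ip_set_arn, action="Block"):
    """Reference an IP set created beforehand with `aws wafv2 create-ip-set`."""
    return _rule(name, priority, {"IPSetReferenceStatement": {"ARN": ip_set_arn}}, action)

def geo_match_rule(name, priority, country_codes, action="Block"):
    """Match on the request's country of origin (ISO 3166-1 alpha-2 codes)."""
    stmt = {"GeoMatchStatement": {"CountryCodes": list(country_codes)}}
    return _rule(name, priority, stmt, action)

def validate_rules(rules):
    """Catch locally what the API rejects: duplicate names/priorities, unknown actions."""
    problems = []
    names = [r["Name"] for r in rules]
    priorities = [r["Priority"] for r in rules]
    if len(set(names)) != len(names):
        problems.append("duplicate rule name")
    if len(set(priorities)) != len(priorities):
        problems.append("duplicate priority")
    for r in rules:
        if next(iter(r["Action"])) not in ("Allow", "Block", "Count"):
            problems.append(f"{r['Name']}: unknown action")
    return problems

def build_rules(ip_set_arn, country_codes):
    """Lower priority numbers run first; the Web ACL default action handles the rest."""
    rules = [ip_set_rule("BlockDenyList", 0, ip_set_arn),
             geo_match_rule("BlockCountries", 1, country_codes),
             rate_based_rule("RateLimitPerIp", 2, limit=2000)]
    return rules

if __name__ == "__main__":
    arn = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/deny-list/PLACEHOLDER-ID"  # PLACEHOLDER ARN
    with open("rules.json", "w") as fh:
        json.dump(build_rules(arn, ["XX"]), fh, indent=2)  # "XX": placeholder country code
```

Run `validate_rules` on the list before creating the Web ACL, then pass the file with `--rules file://rules.json` together with the Web ACL's own `--default-action` and `--visibility-config`.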

AWS Firewall Manager

  • AWS Firewall Manager centrally manages firewall rules across all accounts of an AWS Organization.
  • Firewall Manager has three prerequisites:
    • AWS Organizations:
      • It is used to manage your accounts, and all features must be enabled.
    • Firewall Administrator
      • You must designate one of the AWS accounts in your Organization as the administrator for Firewall Manager.
      • This gives the account permission to deploy AWS WAF rules across the organization.
    • AWS Config
      • You must enable AWS Config for all of the accounts in the Organization so that Firewall Manager can detect newly created resources.
  • Security Policies
    • WAF Rules (on CloudFront, ALB, or API Gateway)
    • AWS Shield Advanced (ALB, NLB, CloudFront)
    • Security Groups (EC2, ALB)
    • AWS Network Firewall (VPC)
    • Route 53 Resolver DNS Firewall
  • Rules (policies) are applied to new resources in all accounts of your Organization, including accounts created in the future.
