WAF (Web Application Firewall) is a firewall service that protects web applications from common web exploits such as SQL injection or Cross-Site Scripting. You can set up rules to filter out malicious traffic.
Features
- It is an OSI Layer 7 firewall.
- It monitors HTTP or HTTPS requests to ELB, CloudFront, or API Gateway.
- AWS WAF needs to be configured for a specific region if used with ALB or API Gateway, but if used with CloudFront it is configured globally.
- Blocked traffic returns HTTP 403 (Forbidden) error status.
- Get real-time metrics and alarms through CloudWatch.
Use Cases
- Throttle the number of API calls (limit traffic) using rate-based rules
- Block users – If users generate too many 4xx errors, block traffic from those IPs.
- Receive notifications about unusual traffic
WAF Building Blocks
- Condition: IP, string, or geo matches; size constraints; SQL injection match; Cross-site scripting match
- Rule: a group of conditions
- Web ACL: a group of rules
Web ACL
- A Web Access Control List (Web ACL) gives you fine-grained control over the web requests.
- A Web ACL can be associated with Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync resources.
- You can re-use a Web ACL across multiple Cloudfront distributions to help reduce costs.
Logging
- You can send Web ACL logs to CloudWatch Logs, S3, or Kinesis Data Firehose.
Setting up WAF
You can write your own rules or use Managed Rules, preconfigured sets of rules managed by AWS or by AWS Marketplace Sellers.
WAF can act in 3 ways:
- Allow all requests except the specified ones (blacklist)
- Block all requests except the specified ones (whitelist)
- Count the requests that match the specified conditions
You can specify the following conditions:
- Source IP address
- Country of origin
- Values in request query parameters or headers
- Length of a request
- Presence of SQL code that can be malicious (SQL injection)
- Presence of script that can be malicious (Cross-site scripting)
Rate-based Rules
AWS WAF supports a new rule type – “rate-based” rules.
- Rate-based rules allow you to configure a rate-based threshold.
- If, for example, the threshold for the rate-based rule is set to 2,000, the rule will block all IPs that have made more than 2,000 requests in the last 5-minute interval.
- You can create a deny-list of IP addresses that exceed the configured threshold rate (configurable in web requests per trailing 5-minute period).
- The rule can be used to protect you from use cases such as web-layer DDoS attacks, brute force login attempts and bad bots.
You can retrieve the IPs currently blocked by a rate-based rule like this (replace WebACLName, WebACLId, RuleName and region with your own values):
# CloudFront
aws wafv2 get-rate-based-statement-managed-keys --scope=CLOUDFRONT --region=us-east-1 --web-acl-name=WebACLName --web-acl-id=WebACLId --rule-name=RuleName
# Amazon API Gateway REST API, an Application Load Balancer, an AWS AppSync GraphQL API, or an Amazon Cognito user pool
aws wafv2 get-rate-based-statement-managed-keys --scope=REGIONAL --region=region --web-acl-name=WebACLName --web-acl-id=WebACLId --rule-name=RuleName
IP sets
You can block traffic from a range of source IP addresses.
- Create an IP set
- Create a rule based on the IP set
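The rules described above (an IP set deny-list rule, a rate-based rule with the 2,000-request threshold, and a managed rule group run in count mode) can be written as the rules document that `aws wafv2 create-web-acl --rules file://rules.json` expects. The following is an added example, not AWS code or output from this page; the IP set ARN and metric names are constructed placeholders.

```python
"""Build the Rules list for `aws wafv2 create-web-acl --rules file://rules.json`.

Added example; not AWS's own code. The IP set ARN is a placeholder you must
replace with the ARN returned by `aws wafv2 create-ip-set`. Rules are
evaluated lowest Priority first.
"""
import json


def visibility(metric_name):
    # Enables the CloudWatch metrics and sampled requests the notes refer to.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def ip_set_block_rule(priority, ip_set_arn):
    # Deny-list rule: block any request whose source IP is in the IP set.
    return {"Name": "BlockListedIPs", "Priority": priority,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility("BlockListedIPs")}


def rate_based_block_rule(priority, limit=2000):
    # Rate-based rule: WAF counts requests per source IP over a trailing
    # 5-minute window and blocks IPs above `limit` until they fall back under it.
    return {"Name": "RateLimitPerIP", "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility("RateLimitPerIP")}


def managed_rule_group_count_rule(priority, vendor="AWS", name="AWSManagedRulesCommonRuleSet"):
    # Managed rule group in count mode: rule-group rules take OverrideAction, not
    # Action. Count mode lets you watch in CloudWatch what the group would block
    # before switching it to enforcement.
    return {"Name": "CommonRuleSetCount", "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": name}},
            "OverrideAction": {"Count": {}}, "VisibilityConfig": visibility("CommonRuleSetCount")}


def validate(rules):
    # Catches two mistakes that make create-web-acl reject the document:
    # duplicate priorities, and Action/OverrideAction on the wrong statement type.
    priorities = [r["Priority"] for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("rule priorities must be unique")
    for r in rules:
        group = any(k in r["Statement"] for k in
                    ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement"))
        if (group and "OverrideAction" not in r) or (not group and "Action" not in r):
            raise ValueError(f"rule {r['Name']}: wrong action key for its statement type")


def build_rules(ip_set_arn, rate_limit=2000):
    rules = [ip_set_block_rule(0, ip_set_arn), rate_based_block_rule(1, rate_limit),
             managed_rule_group_count_rule(2)]
    validate(rules)
    return rules


if __name__ == "__main__":
    # Placeholder ARN; substitute the one from `aws wafv2 create-ip-set`.
    arn = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/BlockedIPs/PLACEHOLDER-ID"
    print(json.dumps(build_rules(arn), indent=2))
```

Write the printed JSON to `rules.json` and pass it with `--rules file://rules.json`; the rate-based rule is the one whose blocked keys the `get-rate-based-statement-managed-keys` command above returns.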