
AWS Web Application Firewall (WAF)

1. Navigate to AWS WAF in the Management Console

  • Log in to the AWS Management Console.
  • From the Services menu, select WAF & Shield under the Security, Identity, & Compliance section.
  • This will take you to the AWS WAF Dashboard, where you can view and manage web access control lists (Web ACLs) and rules.

2. Basic Configuration and Setup

  • Web ACLs:
    • In the WAF Dashboard, click on Web ACLs in the left-hand menu to view a list of existing Web ACLs.
    • Click on a specific Web ACL to explore its details, including Rules, Metrics, Logging, and Monitoring.
  • Rules:
    • Within a selected Web ACL, navigate to the Rules section to see the configured rules and rule groups. This section defines the conditions that filter traffic (e.g., IP blocklists, SQL injection protection, cross-site scripting protection).
  • Logging and Monitoring:
    • In the Logging and metrics section, view the settings for logging and monitoring traffic that passes through the Web ACL. Proper logging is essential for operational monitoring and incident response.

3. Exploring the AWS Well-Architected Framework Pillars

Operational Excellence Pillar

  • Monitoring and Metrics:
    • Within a Web ACL, go to the Metrics tab to review traffic patterns and the number of requests allowed, blocked, or counted. Use these metrics to identify any unusual spikes or patterns in web traffic, which may indicate issues.
  • Logging:
    • In the Logging and metrics section, check whether logging is enabled. Logs can be sent to Amazon Kinesis Data Firehose, S3, or CloudWatch Logs. Enabling logging helps with the analysis of web traffic and supports operational troubleshooting.
  • Rule Management:
    • Under the Rules tab, review the list of active rules and their order. The order in which rules are evaluated is critical for operational efficiency, as it determines how incoming web requests are filtered.
  • Automatic Updates:
    • If using AWS Managed Rules (visible in the rules section), review their usage. Managed rules are automatically updated by AWS, reducing the operational overhead of manually maintaining security rules.

Security Pillar

  • Rule Configuration:
    • Within the Rules section of a Web ACL, review the configured rules, including IP blocklists, rate-based rules, SQL injection filters, and cross-site scripting protections. Ensure that the rules cover common web application vulnerabilities and align with your security policies.
  • Managed Rules:
    • Check for AWS Managed Rules in the rules list. Managed rules provide out-of-the-box protections against common threats such as the OWASP Top 10 vulnerabilities, enhancing the security posture of your application.
  • IP Allow and Block Lists:
    • In the Rules section, look for rules that use IP sets. Properly configured IP blocklists and allowlists restrict access to the application, ensuring that only trusted IP addresses can interact with your resources.
  • Logging and Monitoring:
    • Ensure that Logging is enabled to capture requests that match WAF rules. Storing logs in Amazon S3 or CloudWatch Logs provides a detailed record of access attempts, which is crucial for forensic analysis and identifying security threats.
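
The rule types named in the Security pillar above (an IP-set blocklist, a rate-based rule, an AWS Managed Rules group) map onto a Web ACL definition that can be reviewed before it reaches the console. The Python below is an added example, not code from the original page or from AWS: it builds a Web ACL dictionary in the shape the wafv2 CreateWebACL API accepts (the same JSON you would pass to `aws wafv2 create-web-acl --cli-input-json`), sorts the rules into the order WAF evaluates them (ascending Priority), and runs a few structural checks. The rule names, metric names and the IP set ARN are constructed placeholders.

```python
"""Build and sanity-check an AWS WAFv2 Web ACL definition offline.

The dictionary shape follows the wafv2 CreateWebACL API. Rule names, metric
names and the IP set ARN below are constructed placeholders (assumptions).
"""
import json

# Constructed placeholder: a real ARN comes from `aws wafv2 create-ip-set`.
BLOCKLIST_IPSET_ARN = (
    "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocklist/PLACEHOLDER-ID"
)


def visibility(metric_name):
    """Every rule, and the Web ACL itself, must carry a VisibilityConfig."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def build_web_acl(name="example-web-acl", rate_limit=2000):
    """Regional Web ACL with an IP blocklist, a per-IP rate limit and a managed group."""
    rules = [
        {
            "Name": "ip-blocklist",
            "Priority": 0,  # lowest Priority number is evaluated first
            "Statement": {"IPSetReferenceStatement": {"ARN": BLOCKLIST_IPSET_ARN}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("IpBlocklist"),
        },
        {
            "Name": "rate-limit-per-ip",
            "Priority": 1,
            "Statement": {
                "RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}
            },
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("RateLimitPerIp"),
        },
        {
            "Name": "aws-common-rule-set",
            "Priority": 2,
            "Statement": {
                "ManagedRuleGroupStatement": {
                    "VendorName": "AWS",
                    "Name": "AWSManagedRulesCommonRuleSet",
                }
            },
            # Rule groups take OverrideAction instead of Action.
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility("AwsCommonRuleSet"),
        },
    ]
    return {
        "Name": name,
        "Scope": "REGIONAL",  # CLOUDFRONT (in us-east-1) for CloudFront distributions
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": visibility(name),
    }


def validate_web_acl(acl):
    """Return a list of problems; an empty list means the definition passes."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("rule priorities must be unique")
    for rule in acl["Rules"]:
        is_group = any(
            k in rule["Statement"]
            for k in ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")
        )
        has_action, has_override = "Action" in rule, "OverrideAction" in rule
        if is_group and not has_override:
            problems.append(f"{rule['Name']}: rule group needs OverrideAction")
        if not is_group and not has_action:
            problems.append(f"{rule['Name']}: rule needs Action")
        if has_action and has_override:
            problems.append(f"{rule['Name']}: Action and OverrideAction are exclusive")
        rate = rule["Statement"].get("RateBasedStatement")
        if rate and rate["Limit"] <= 0:
            problems.append(f"{rule['Name']}: rate-based Limit must be positive")
    return problems


def evaluation_order(acl):
    """Rule names in the order WAF evaluates them (ascending Priority)."""
    return [r["Name"] for r in sorted(acl["Rules"], key=lambda r: r["Priority"])]


if __name__ == "__main__":
    acl = build_web_acl()
    print(json.dumps(acl, indent=2))
    print("evaluation order:", evaluation_order(acl))
    print("problems:", validate_web_acl(acl))
```

The blocklist sits at Priority 0 so that known-bad sources are dropped before the rate limiter and the managed group spend any work on them; the same check script can be pointed at the JSON returned by `aws wafv2 get-web-acl` to review an existing ACL.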

Reliability Pillar

  • Rate-Based Rules:
    • In the Rules section, review whether any rate-based rules are configured. These rules limit the number of requests accepted from a single IP address, mitigating the impact of denial-of-service (DoS) attacks and preserving the reliability of your web application.
  • Managed Rules for Automated Protection:
    • If AWS Managed Rules are used, they provide automated protection against common threats, reducing the need for manual intervention and increasing the overall reliability of the security posture.
  • Web ACLs Association:
    • Check the Associated resources tab to verify which resources (e.g., CloudFront distributions, API Gateway, Application Load Balancers) are protected by the Web ACL. Ensuring that the correct resources are associated with the Web ACLs maintains the reliability of your application's security.

Cost Optimization Pillar

  • Monitor Request Counts:
    • In the Metrics section, monitor the Number of requests to identify trends in web traffic. Understanding traffic patterns helps optimize rule configurations and prevent unnecessary rule evaluations, potentially reducing costs.
  • Rule Scope:
    • Review the Rules in the Web ACL for their scope and specificity. Avoid using overly broad rules that could lead to unnecessary processing of requests. Fine-tuning rules can help optimize costs by reducing the number of rules evaluated for each request.
  • Use Managed Rules:
    • Evaluate the use of AWS Managed Rules versus custom rules. Managed rules can offer cost-effective, automatically updated protection, reducing the operational burden and costs associated with managing custom rules.
  • Log Only Necessary Data:
    • In the Logging and metrics section, if logging is enabled, ensure that logs capture only necessary data to optimize storage and processing costs. For example, you can choose to log only specific fields or request attributes.
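
The two logging points above (keep a record of access attempts under the Security pillar; log only the data you need under Cost Optimization) meet in the WAF logging configuration, which carries both redacted fields and a logging filter. The Python below is an added example, not code from the page or from AWS: it builds the object the wafv2 PutLoggingConfiguration API takes (`aws wafv2 put-logging-configuration --logging-configuration file://logging.json`), redacts the Authorization and Cookie headers from every record, keeps only BLOCK and COUNT requests, and checks that the destination name carries the `aws-waf-logs-` prefix WAF requires for CloudWatch log groups, S3 buckets and Firehose streams. The Web ACL ARN and log group ARN are constructed placeholders.

```python
"""Build an AWS WAFv2 logging configuration offline and check it before use.

Shape follows the wafv2 PutLoggingConfiguration API. The ARNs below are
constructed placeholders (assumptions), not values from the page.
"""
import json

WEB_ACL_ARN = (
    "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-web-acl/PLACEHOLDER-ID"
)
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:aws-waf-logs-example-web-acl"

# WAF only accepts a log destination whose name starts with this prefix.
REQUIRED_PREFIX = "aws-waf-logs-"


def destination_name(arn):
    """Resource name from a CloudWatch log group, Firehose stream or S3 bucket ARN."""
    if ":log-group:" in arn:
        return arn.split(":log-group:", 1)[1]
    if ":deliverystream/" in arn:
        return arn.split(":deliverystream/", 1)[1]
    if arn.startswith("arn:aws:s3:::"):
        return arn[len("arn:aws:s3:::"):]
    raise ValueError(f"unsupported log destination: {arn}")


def build_logging_configuration(
    web_acl_arn=WEB_ACL_ARN, destination_arn=LOG_GROUP_ARN, keep_actions=("BLOCK", "COUNT")
):
    """Log only requests whose action is in keep_actions; strip secret-bearing headers."""
    return {
        "ResourceArn": web_acl_arn,
        "LogDestinationConfigs": [destination_arn],
        # Redacted field values appear as REDACTED in each log record.
        "RedactedFields": [
            {"SingleHeader": {"Name": "authorization"}},
            {"SingleHeader": {"Name": "cookie"}},
        ],
        # Default DROP plus a KEEP filter: allowed traffic is not written at all.
        "LoggingFilter": {
            "DefaultBehavior": "DROP",
            "Filters": [
                {
                    "Behavior": "KEEP",
                    "Requirement": "MEETS_ANY",
                    "Conditions": [{"ActionCondition": {"Action": a}} for a in keep_actions],
                }
            ],
        },
    }


def validate_logging_configuration(cfg):
    """Return a list of problems; an empty list means the configuration passes."""
    problems = []
    for arn in cfg["LogDestinationConfigs"]:
        name = destination_name(arn)
        if not name.startswith(REQUIRED_PREFIX):
            problems.append(f"destination {name!r} must start with {REQUIRED_PREFIX!r}")
    redacted = {
        f["SingleHeader"]["Name"].lower()
        for f in cfg.get("RedactedFields", [])
        if "SingleHeader" in f
    }
    for header in ("authorization", "cookie"):
        if header not in redacted:
            problems.append(f"header {header!r} is not redacted")
    filt = cfg.get("LoggingFilter")
    if filt and filt["DefaultBehavior"] == "DROP" and not filt["Filters"]:
        problems.append("DefaultBehavior DROP with no KEEP filter logs nothing")
    return problems


if __name__ == "__main__":
    cfg = build_logging_configuration()
    print(json.dumps(cfg, indent=2))
    print("problems:", validate_logging_configuration(cfg))
```

Dropping ALLOW records is the cheapest filter for a busy site, but it also removes the baseline you would compare a spike against; if the alarms described later depend on allowed-versus-blocked ratios, keep ALLOW in the filter and rely on redaction rather than filtering to control what the records contain.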

Performance Efficiency Pillar

  • Rule Order and Evaluation:
    • Under the Rules tab, review the order of rule evaluation. Place the most restrictive or frequently matched rules at the top of the list to reduce processing time for each request, enhancing the performance of your web application.
  • Rate-Based Rules:
    • Rate-based rules help manage the traffic flow to your application, preventing excessive requests from specific IP addresses. This can optimize the performance of your web application by reducing the load during traffic spikes or potential attacks.
  • Use of Managed Rules:
    • Check if AWS Managed Rules are in use. Managed rules are optimized for performance and automatically updated to handle new threats, reducing the need for manual updates and maintaining efficient web application protection.
  • Monitoring and Metrics:
    • Use the Metrics tab to identify any performance bottlenecks caused by specific rules. Monitoring allows you to optimize the rules for better efficiency, such as fine-tuning regex patterns or simplifying match conditions.

4. Additional Explorations

  • CloudWatch Integration:
    • Use Amazon CloudWatch (accessible through the Logging and metrics section) to set up alarms for critical metrics such as an unusual spike in blocked requests. This proactive monitoring helps identify security incidents and performance issues.
  • AWS Config and Security Hub:
    • If AWS Config and Security Hub are enabled, review compliance findings related to WAF configurations. This ensures that your WAF rules and settings adhere to security best practices and compliance requirements.
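
The metrics review (Operational Excellence), the rate-based rule sizing (Reliability) and the CloudWatch alarm on a spike in blocked requests (above) all come down to the same computation over the WAF log stream. The Python below is an added example, not code from the page or from AWS: it parses records in the WAF JSON log format (`timestamp` in milliseconds, `action`, `terminatingRuleId`, `httpRequest.clientIp`, ...), summarises them by action and rule as the Metrics tab does, finds clients that exceed a request limit within a sliding window (the way a rate-based rule aggregates by IP, with the default 300-second window), and lists the minutes in which blocked requests reach an alarm threshold. The log lines are constructed samples, including one malformed line, and the webaclId is a placeholder.

```python
"""Offline analysis of AWS WAF log records: action summary, per-IP burst
detection and blocked-request spikes. All records below are constructed
samples in the WAF JSON log shape; the webaclId is a placeholder.
"""
import json
from collections import Counter, defaultdict

WEBACL_ID = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/PLACEHOLDER-ID"
T0 = 1699999980000  # constructed base timestamp (ms); a whole-minute boundary


def _record(offset_s, ip, action, rule, uri="/"):
    """One constructed log line in the WAF JSON shape."""
    return json.dumps({
        "timestamp": int(T0 + offset_s * 1000),
        "formatVersion": 1,
        "webaclId": WEBACL_ID,
        "action": action,
        "terminatingRuleId": rule,
        "terminatingRuleType": "REGULAR",
        "httpRequest": {"clientIp": ip, "country": "US", "uri": uri, "httpMethod": "GET"},
    })


# Constructed sample: steady background traffic, three blocked probes, one client
# sending 150 requests in 60 s, and a malformed line the parser must tolerate.
SAMPLE_LOG_LINES = (
    [_record(i * 30, "198.51.100.10", "ALLOW", "Default_Action") for i in range(20)]
    + [_record(i * 30 + 7, "198.51.100.11", "BLOCK", "ip-blocklist", "/admin") for i in range(3)]
    + [_record(400 + i * 0.4, "203.0.113.5", "ALLOW", "Default_Action", "/login") for i in range(150)]
    + ["not json at all"]
)


def parse_log_lines(lines):
    """Parse WAF JSON log lines, skipping anything that is not a valid record."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and {"timestamp", "action", "httpRequest"} <= rec.keys():
            records.append(rec)
    return records


def action_summary(records):
    """Counts per action and per terminating rule (what the Metrics tab aggregates)."""
    return {
        "by_action": dict(Counter(r["action"] for r in records)),
        "by_rule": dict(Counter(r["terminatingRuleId"] for r in records)),
    }


def bursty_clients(records, limit, window_s=300):
    """Client IPs that sent more than `limit` requests within any `window_s` window.

    Mirrors rate-based rule aggregation by IP, so it can be used to size Limit
    against real traffic before the rule is deployed in Block mode.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["httpRequest"]["clientIp"]].append(r["timestamp"])
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s * 1000:
                start += 1  # slide the window forward
            peak = max(peak, end - start + 1)
        if peak > limit:
            offenders[ip] = peak
    return offenders


def blocked_per_minute(records):
    """(blocked, total) per minute bucket: the series a CloudWatch alarm thresholds on."""
    buckets = defaultdict(lambda: [0, 0])
    for r in records:
        minute = r["timestamp"] // 60000
        buckets[minute][1] += 1
        if r["action"] == "BLOCK":
            buckets[minute][0] += 1
    return {m: tuple(v) for m, v in sorted(buckets.items())}


def spike_minutes(records, min_blocked=2):
    """Minute buckets whose blocked count reaches the alarm threshold."""
    return [m for m, (blocked, _) in blocked_per_minute(records).items() if blocked >= min_blocked]


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG_LINES)
    print(action_summary(recs))
    print("over limit:", bursty_clients(recs, limit=100))
    print("spike minutes:", spike_minutes(recs))
```

The burst detector is the useful half for the Reliability pillar: run it over a day of real logs with candidate limits and the returned peaks show which Limit value would catch the abusive client without touching the busiest legitimate one. The same request-per-window view also reveals rules that never terminate a request, which is the signal the Cost Optimization pillar asks for when pruning rule scope.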