AWS Web Application Firewall (WAF)
AWS WAF is a managed web application firewall that helps protect your web applications and APIs from common web exploits, bots, and unwanted traffic. It lets you define security rules to inspect, monitor, and control HTTP/S requests before they reach your application.
1. Core Features
- Rule-Based Filtering: AWS WAF allows you to create rules to inspect HTTP/S requests and block, allow, or count requests based on specific conditions. Conditions include IP addresses, HTTP headers, HTTP body content, URL strings, and SQL injection attempts.
- Managed Rules: You can use AWS Managed Rules and rules from the AWS Marketplace to quickly implement pre-configured protections against common threats such as SQL injection, cross-site scripting (XSS), and OWASP Top 10 vulnerabilities.
- Custom Rules: You can define your own rules using conditions like IP addresses, HTTP methods, URI paths, query strings, request headers, and more. This provides the flexibility to tailor your WAF policies to the specific needs of your application.
- Rule Groups: Combine multiple rules into a rule group to simplify management and deployment. You can create custom rule groups or use pre-built managed rule groups from AWS or third-party vendors.
- Web ACLs (Access Control Lists): A Web ACL is a collection of rules that defines the filtering logic for your web traffic. You associate a Web ACL with your application resources (e.g., Amazon CloudFront, Application Load Balancer) to enforce the desired security policies.
2. Supported Integration Points
- Amazon CloudFront: Integrate WAF with Amazon CloudFront to protect applications delivered globally through the content delivery network (CDN). This setup provides additional security benefits, such as DDoS mitigation and enhanced performance.
- Application Load Balancer (ALB): Use WAF with Application Load Balancers to protect web applications and APIs hosted on AWS. This is useful for securing applications within a VPC.
- Amazon API Gateway: Attach a WAF Web ACL to an API Gateway REST API stage to protect your APIs from malicious requests, unwanted traffic, and automated bots. Only REST APIs support WAF; HTTP APIs do not.
- AWS App Runner: Protect web applications deployed with AWS App Runner using WAF Web ACLs to filter and monitor traffic.
3. Managed Rules
- AWS Managed Rules: AWS provides pre-configured rule groups that offer protection against common threats (the console shows them prefixed with the vendor name, e.g. AWS-AWSManagedRulesCommonRuleSet). Examples include:
- AWSManagedRulesCommonRuleSet (core rule set): Protects against a broad range of common web exploits, including cross-site scripting patterns, and includes size restrictions on headers, bodies, and query strings that may need tuning for your application.
- AWSManagedRulesKnownBadInputsRuleSet: Blocks request patterns that are known to be invalid and associated with exploitation or discovery of vulnerabilities (for example, Log4j JNDI lookup strings). SQL injection detection is covered by the separate AWSManagedRulesSQLiRuleSet and by the built-in SQLi rule statement.
- AWSManagedRulesBotControlRuleSet: Blocks or allows traffic based on bot activity, helping protect your application from unwanted bots. Unlike the rule groups above, Bot Control is a paid add-on with an extra per-request charge.
- Marketplace Rules: Access additional managed rules from AWS Marketplace vendors for more specialized protection (e.g., advanced bot mitigation, threat intelligence-based filtering).
4. Custom Rules
- Rule Statements: Define rules using statements such as:
- IP Set: Allow, block, or count requests based on the requester's IP address.
- Geo Match: Control access based on the geographical location of the request.
- String Match: Filter requests containing specific strings or patterns in the URL, query string, or headers.
- Regex Match: Use regular expressions to match complex patterns in requests.
- Size Constraint: Block or allow requests based on the size of headers, cookies, query strings, or request bodies. WAF inspects only the first part of a request body (8 KB by default for regional resources such as ALB, 16 KB for CloudFront), so pair body-inspection rules with a size constraint or the body field's oversize handling setting; otherwise a payload placed after the inspected bytes is never seen by the rule.
- Rate-Based Rules: Apply an action to any source (by default, the client IP address) whose request count exceeds a threshold within a trailing evaluation window (5 minutes by default). Useful for mitigating application-layer denial-of-service (DoS) and brute-force attempts.
- SQL Injection and XSS Detection: Use the built-in SQLi and XSS rule statements to detect common SQL injection or cross-site scripting patterns in a chosen request field (query string, body, headers, cookies), optionally after text transformations such as URL decoding or lowercasing.
- Rule Action: For each rule, you define an action (Allow, Block, Count, CAPTCHA, or Challenge). The action determines how WAF handles requests matching the rule's conditions: Allow and Block are terminating, while Count records the match and lets evaluation continue to the next rule.
5. Bot Control
- AWS WAF Bot Control: Provides managed rule groups that detect and control bot traffic. This allows you to block unwanted bots (e.g., web scrapers, credential stuffing bots) while allowing legitimate bots (e.g., search engines).
- Custom Responses: When detecting bots, you can configure custom responses to guide or block them based on your policies.
6. Web ACL Management
- Web ACL: A Web ACL consists of a set of rules that define the behavior for incoming HTTP/S requests. You can associate a Web ACL with one or more resources (e.g., CloudFront distributions, ALBs).
- Rule Priority: In a Web ACL, rules are evaluated in ascending priority order (lowest number first). When a request matches a rule with a terminating action (Allow or Block), WAF applies that action and stops evaluating further rules. A Count match is non-terminating: WAF records it in metrics and logs and continues with the next rule, which is what makes Count useful for testing a rule before enforcing it.
- Default Action: Define a default action (Allow or Block) that WAF applies if no rule with a terminating action matched the request. Count-only matches do not prevent the default action from applying.
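The rule statements of section 4 and the priority and default-action semantics of section 6 are easiest to see with a concrete web ACL and a request walked through it. The following is an added example, not AWS code: the web ACL dictionary uses the JSON shape that `aws wafv2 create-web-acl` accepts (the account ID, ARN and rule names are hypothetical), while `evaluate()` is a deliberately simplified local model of WAF's evaluation order that covers only the IP set, geo match and byte match statements used here and skips the managed rule group, which only WAF itself can evaluate.

```python
"""Local model of how AWS WAF walks a web ACL's rules in priority order.

Added example, not AWS code. The web ACL body matches the JSON shape that
`aws wafv2 create-web-acl` accepts; evaluate() is a simplified
re-implementation covering only the statement types used below.
"""
import ipaddress

# Constructed IP set. In WAF an IP set is a separate resource referenced by
# ARN; it is inlined here (hypothetical account and ARN) to run offline.
BLOCKLIST_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocklist/1111"
IP_SETS = {BLOCKLIST_ARN: [ipaddress.ip_network(c)
                           for c in ("203.0.113.0/24", "198.51.100.7/32")]}


def build_web_acl() -> dict:
    """Web ACL definition: the lowest Priority value is evaluated first."""
    return {
        "Name": "example-acl",
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},
        "Rules": [
            {"Name": "block-ipset", "Priority": 0,
             "Statement": {"IPSetReferenceStatement": {"ARN": BLOCKLIST_ARN}},
             "Action": {"Block": {}}},
            # Count is non-terminating: observe a new rule before enforcing it.
            {"Name": "count-admin-path", "Priority": 10,
             "Statement": {"ByteMatchStatement": {
                 "FieldToMatch": {"UriPath": {}},
                 "PositionalConstraint": "STARTS_WITH",
                 "SearchString": "/admin",
                 "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
             "Action": {"Count": {}}},
            {"Name": "block-geo", "Priority": 20,
             "Statement": {"GeoMatchStatement": {"CountryCodes": ["KP", "RU"]}},
             "Action": {"Block": {}}},
            # Managed rule group with one noisy rule overridden to Count.
            {"Name": "aws-common", "Priority": 30,
             "Statement": {"ManagedRuleGroupStatement": {
                 "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
                 "RuleActionOverrides": [{"Name": "SizeRestrictions_BODY",
                                          "ActionToUse": {"Count": {}}}]}},
             "OverrideAction": {"None": {}}},
        ],
    }


def _matches(statement: dict, request: dict) -> bool:
    """Evaluate one rule statement against a simplified request dict."""
    if "IPSetReferenceStatement" in statement:
        ip = ipaddress.ip_address(request["client_ip"])
        nets = IP_SETS[statement["IPSetReferenceStatement"]["ARN"]]
        return any(ip in net for net in nets)
    if "GeoMatchStatement" in statement:
        return request["country"] in statement["GeoMatchStatement"]["CountryCodes"]
    if "ByteMatchStatement" in statement:
        bm = statement["ByteMatchStatement"]
        value = request["uri"]  # only the UriPath field is modeled here
        for t in sorted(bm["TextTransformations"], key=lambda t: t["Priority"]):
            if t["Type"] == "LOWERCASE":
                value = value.lower()
        if bm["PositionalConstraint"] != "STARTS_WITH":
            raise NotImplementedError(bm["PositionalConstraint"])
        return value.startswith(bm["SearchString"])
    raise NotImplementedError(next(iter(statement)))


def evaluate(web_acl: dict, request: dict) -> dict:
    """Walk rules by Priority; Allow/Block terminate, Count records and continues."""
    counted = []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if "ManagedRuleGroupStatement" in rule["Statement"]:
            continue  # evaluated by WAF itself; its signatures are not modeled
        if not _matches(rule["Statement"], request):
            continue
        action = next(iter(rule["Action"]))
        if action == "Count":
            counted.append(rule["Name"])
            continue
        return {"action": action, "rule": rule["Name"], "counted": counted}
    default = next(iter(web_acl["DefaultAction"]))
    return {"action": default, "rule": "Default_Action", "counted": counted}


if __name__ == "__main__":
    acl = build_web_acl()
    for req in (
        {"client_ip": "203.0.113.9", "country": "US", "uri": "/Admin/login"},
        {"client_ip": "192.0.2.1", "country": "US", "uri": "/Admin/login"},
        {"client_ip": "192.0.2.1", "country": "RU", "uri": "/Admin/login"},
    ):
        print(req["client_ip"], req["country"], "->", evaluate(acl, req))
```

The third request shows the point of Count: the `/Admin` match is recorded, evaluation continues, and the later geo rule still blocks. The same request from a US address falls through to the default Allow with the counted match visible in the result, which is exactly what you would look for in metrics and logs before switching `count-admin-path` to Block.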
7. Logging and Monitoring
- Request Logging: Enable logging for your Web ACLs to capture detailed information about each inspected request, including the terminating rule, rules that matched in Count mode, and the request fields. Logs can be delivered to Amazon CloudWatch Logs, Amazon S3, or Amazon Data Firehose (formerly Kinesis Data Firehose), which can forward them to S3, Amazon Redshift, or Amazon OpenSearch Service for analysis. The destination's name must begin with aws-waf-logs-. Use redacted fields in the logging configuration to keep sensitive headers such as Authorization and Cookie out of the logs.
- Metrics and Alarms: Amazon CloudWatch provides metrics for WAF, including the number of allowed, blocked, and counted requests for each rule. Set up CloudWatch Alarms to monitor unusual activity, such as a spike in blocked requests, and trigger notifications or automated responses.
- AWS WAF Security Automations: This AWS Solution deploys a CloudFormation stack that keeps WAF IP sets updated automatically from log analysis and threat intelligence, for example blocking sources on public IP reputation lists, sources that exceed a request-rate threshold (HTTP flood), sources that generate many 4xx errors (scanners and probes), and clients that request a honeypot endpoint (bad bots).
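The logs are where the Count-first workflow pays off: before a rule (or a managed rule group override) is switched to Block, you want to know what it would have blocked. The following is an added example, not AWS tooling. The five log records are constructed for the example; their field names follow the AWS WAF log schema (timestamp, action, terminatingRuleId, ruleGroupList, nonTerminatingMatchingRules, httpRequest), with fields not needed for the triage omitted, and the rule names (block-ipset, count-admin-path, aws-common) are hypothetical.

```python
"""Triage of AWS WAF JSON logs: what was blocked, by which rule, and what a
Count-mode rule would have blocked. Added example, not AWS tooling."""
import json
from collections import Counter

# Constructed sample: one WAF log record per line, abbreviated to the fields
# used here. Names of custom rules and the web ACL rule wrapping the managed
# rule group ("aws-common") are hypothetical.
SAMPLE_LOG = r'''
{"timestamp":1700000000000,"formatVersion":1,"terminatingRuleId":"block-ipset","terminatingRuleType":"REGULAR","action":"BLOCK","ruleGroupList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.9","country":"US","uri":"/login","args":"","httpMethod":"POST","requestId":"r1"}}
{"timestamp":1700000001000,"formatVersion":1,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[],"nonTerminatingMatchingRules":[{"ruleId":"count-admin-path","action":"COUNT"}],"httpRequest":{"clientIp":"192.0.2.1","country":"US","uri":"/admin","args":"","httpMethod":"GET","requestId":"r2"}}
{"timestamp":1700000002000,"formatVersion":1,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_BODY","action":"COUNT"}],"excludedRules":null}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"192.0.2.1","country":"US","uri":"/api/items","args":"","httpMethod":"POST","requestId":"r3"}}
{"timestamp":1700000003000,"formatVersion":1,"terminatingRuleId":"aws-common","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"CrossSiteScripting_QUERYARGUMENTS","action":"BLOCK"},"nonTerminatingMatchingRules":[],"excludedRules":null}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.77","country":"DE","uri":"/search","args":"q=<script>alert(1)</script>","httpMethod":"GET","requestId":"r4"}}
{"timestamp":1700000060000,"formatVersion":1,"terminatingRuleId":"block-ipset","terminatingRuleType":"REGULAR","action":"BLOCK","ruleGroupList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.9","country":"US","uri":"/login","args":"","httpMethod":"POST","requestId":"r5"}}
'''


def parse_log(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _count_matches(rec: dict):
    """Yield ids of rules that matched in Count mode, both at web ACL level
    and inside rule groups (where Count comes from rule action overrides)."""
    for m in rec.get("nonTerminatingMatchingRules") or []:
        if m["action"] == "COUNT":
            yield m["ruleId"]
    for g in rec.get("ruleGroupList") or []:
        for m in g.get("nonTerminatingMatchingRules") or []:
            if m["action"] == "COUNT":
                yield f'{g["ruleGroupId"]}/{m["ruleId"]}'


def summarize(records: list) -> dict:
    """Blocked requests by terminating rule and client IP, plus matches of
    Count-mode rules (what would be blocked if they were switched to Block)."""
    blocked_by_rule, blocked_ips, count_mode = Counter(), Counter(), Counter()
    for rec in records:
        if rec["action"] == "BLOCK":
            blocked_by_rule[rec["terminatingRuleId"]] += 1
            blocked_ips[rec["httpRequest"]["clientIp"]] += 1
        for rule_id in _count_matches(rec):
            count_mode[rule_id] += 1
    return {"blocked_by_rule": dict(blocked_by_rule),
            "blocked_ips": dict(blocked_ips),
            "count_mode_matches": dict(count_mode)}


def review_count_matches(records: list, rule_id: str) -> list:
    """(clientIp, uri) of requests a Count-mode rule matched. Review these for
    false positives before changing that rule's action to Block."""
    return [(r["httpRequest"]["clientIp"], r["httpRequest"]["uri"])
            for r in records if rule_id in set(_count_matches(r))]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(json.dumps(summarize(recs), indent=2))
    print(review_count_matches(recs, "AWS#AWSManagedRulesCommonRuleSet/SizeRestrictions_BODY"))
```

Note that a request blocked by a managed rule group reports the wrapping web ACL rule as terminatingRuleId; the specific managed rule that fired is in ruleGroupList[].terminatingRule, which is what you need when deciding whether to override it. Running the same summary over production logs after a Count-mode rollout tells you whether `SizeRestrictions_BODY` is hitting legitimate uploads before you let it block.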
8. Rate-Based Rules
- Mitigate DoS Attacks: Rate-based rules limit the number of requests from a single source (the client IP by default) within the evaluation window (e.g., 1,000 requests in 5 minutes). While a source is over the threshold, WAF applies the rule's action (typically Block, or CAPTCHA/Challenge to let real users through) to its requests, and the source is released once its trailing request count drops below the limit. This helps mitigate application-layer denial-of-service (DoS) and brute-force attacks; volumetric network-layer attacks are the job of AWS Shield.
- Dynamic Blocking: Rate-based rules are enforced on live traffic, so only the sources exceeding the threshold are affected. When the protected resource sits behind a proxy or a CDN other than CloudFront, configure the rule to aggregate on the forwarded client IP (X-Forwarded-For); otherwise every client behind that proxy shares one counter and one block.
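The trailing-window behaviour, including the release once old requests age out and the effect of the aggregation key, is worth seeing on numbers. The following is an added example, not AWS code: a simplified model of a rate-based rule with a limit of 100 requests per 5-minute window (both values are assumptions for the example), run over constructed traffic. Real WAF checks rates periodically rather than per second, and applies its configured FallbackBehavior when the forwarded-IP header is missing; this model falls back to the client IP instead.

```python
"""Trailing-window model of an AWS WAF rate-based rule. Added example, not
AWS code: shows when a source crosses the limit, that the action stays
applied while the window count is above the limit, and when it is released."""
import bisect
from collections import defaultdict

LIMIT = 100           # rule 'Limit' (assumption for the example)
WINDOW_SECONDS = 300  # default 5-minute evaluation window


def aggregation_key(event: dict, use_forwarded_ip: bool = False) -> str:
    """Count per client IP, or per first X-Forwarded-For hop when the resource
    is behind a proxy/CDN (what WAF's ForwardedIPConfig selects). Falling back
    to the client IP when the header is missing is a simplification."""
    if use_forwarded_ip and event.get("x_forwarded_for"):
        return event["x_forwarded_for"].split(",")[0].strip()
    return event["client_ip"]


def index_events(events: list, use_forwarded_ip: bool = False) -> dict:
    """Group request timestamps (seconds) per aggregation key, sorted."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[aggregation_key(ev, use_forwarded_ip)].append(ev["t"])
    for ts in by_key.values():
        ts.sort()
    return by_key


def window_count(timestamps: list, t: int, window: int = WINDOW_SECONDS) -> int:
    """Number of requests with timestamp in (t - window, t]."""
    lo = bisect.bisect_right(timestamps, t - window)
    hi = bisect.bisect_right(timestamps, t)
    return hi - lo


def is_limited(timestamps: list, t: int, limit: int = LIMIT,
               window: int = WINDOW_SECONDS) -> bool:
    """The rule's action applies while the trailing count exceeds the limit."""
    return window_count(timestamps, t, window) > limit


def limited_intervals(timestamps: list, limit: int = LIMIT,
                      window: int = WINDOW_SECONDS) -> list:
    """(start, end) second ranges during which the source is over the limit;
    end is the first second it is released (None if never within the scan)."""
    if not timestamps:
        return []
    intervals, start = [], None
    for t in range(int(timestamps[0]), int(timestamps[-1]) + window + 1):
        over = is_limited(timestamps, t, limit, window)
        if over and start is None:
            start = t
        elif not over and start is not None:
            intervals.append((start, t))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def constructed_traffic() -> list:
    """Constructed sample: a flood source, a quiet source, and a proxy whose
    X-Forwarded-For header carries two real clients."""
    events = [{"t": t, "client_ip": "198.51.100.7"} for t in range(150)]        # 150 req in 150 s
    events += [{"t": t, "client_ip": "192.0.2.10"} for t in range(0, 300, 15)]  # 20 req in 300 s
    events += [{"t": t, "client_ip": "10.0.0.5",                               # 120 req via proxy
                "x_forwarded_for": f"203.0.113.{t % 2}, 10.0.0.5"} for t in range(120)]
    return events


if __name__ == "__main__":
    traffic = constructed_traffic()
    for key_mode in (False, True):
        print("aggregate by", "forwarded IP" if key_mode else "client IP")
        for key, ts in index_events(traffic, key_mode).items():
            print(f"  {key}: {len(ts)} requests, limited during {limited_intervals(ts)}")
```

Keyed by client IP the flood source is limited from second 100 (its 101st request) until second 349, when enough of its early requests have left the window, and the proxy at 10.0.0.5 is limited too, taking both of its real clients with it. Keyed by the forwarded IP the two clients behind the proxy have 60 requests each and are never limited, which is the reason to set the aggregation key correctly before trusting a rate-based rule in front of a proxied resource.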
9. IP Address Blocking
- IP Set: Create and manage IP sets that contain IP addresses or IP address ranges. Use IP sets in rules to allow, block, or count requests from specific IP addresses, providing an easy way to control access at the IP level.
- Geo Restriction: Block or allow requests based on the geographical location of the client IP, helping enforce regional restrictions or protect against geographically dispersed attacks.
10. Integration with Other Services
- AWS Shield: Integrate AWS WAF with AWS Shield Advanced for additional DDoS protection. Shield Advanced provides enhanced monitoring, automatic application-layer mitigation (which deploys rate-based rules into your Web ACL), and cost protection for eligible services.
- AWS Firewall Manager: Use AWS Firewall Manager to centrally configure and manage WAF rules across multiple accounts and resources within an AWS Organization. This is especially useful for large-scale or multi-account environments.
- Lambda@Edge: Combine WAF with Lambda@Edge (for Amazon CloudFront) to implement custom logic for request processing, such as advanced traffic filtering or user authentication.
11. Cost Considerations
- Pricing Components:
- Web ACLs: You are charged a monthly fee for each Web ACL created.
- Rules: A monthly charge applies for each rule in a Web ACL.
- Request Count: You pay per million HTTP/S requests processed by WAF.
- Managed Rules: Additional monthly charges apply for managed rule groups from AWS Marketplace vendors and for AWS add-ons such as Bot Control, which also carry a higher per-request rate.
- Cost Optimization: To optimize costs, design your rule sets carefully to use only the necessary conditions and avoid excessive rule evaluation. Utilize managed rules strategically for common protections.
12. Best Practices
- Use Managed Rules: Leverage AWS Managed Rules for out-of-the-box protection against common threats (e.g., SQL injection, XSS). This reduces the need for manually defining complex rules.
- Keep Rules Specific: When creating custom rules, make conditions as narrow as the need allows (e.g., blocking only specific IP ranges, paths, or query patterns) so that broad matches do not catch legitimate traffic.
- Monitor Traffic: Deploy new rules with the Count action first and review the counted matches in CloudWatch metrics and the request logs before switching them to Block. This helps ensure that legitimate traffic is not inadvertently blocked.
- Enable Logging: Set up request logging to capture details about incoming requests for audit, compliance, and troubleshooting purposes.
- Test Rule Changes: When modifying rules, test changes in a development environment before deploying them to production to avoid unintended disruptions.
- Combine with Shield: For comprehensive protection, use AWS WAF in conjunction with AWS Shield Advanced to protect against complex DDoS attacks.