AWS Web Application Firewall (WAF)
[A highly configurable and scalable, cloud-native Layer-7 web application firewall that gives you a first line of defense.]
Many security threats exist today in a typical enterprise distributed application:
- DDoS: Flood Attacks (SYN Floods, UDP Floods, ICMP Floods, HTTP Floods, DNS Query Floods), Reflection Attacks
- Application Vulnerabilities: SQL Injection, Cross Site Scripting (XSS), the weaknesses catalogued by the Open Web Application Security Project (OWASP) and as Common Vulnerabilities and Exposures (CVE)
- Bad Bots: Crawlers, Content Scrapers, Scanners and Probes
Out of these, AWS WAF can be used to handle application-layer threats such as SQL injection and Cross Site Scripting (XSS) in a typical web application.
The web application's HTTP requests can be routed via AWS WAF and then forwarded to one of the following AWS services:
- AWS CloudFront (A Global Service)
- AWS API Gateway (A Regional Service)
- AWS Application Load Balancer (A Regional Service)
Logging and monitoring of WAF are handled by Kinesis Data Firehose and CloudWatch respectively.
Web ACL
When WAF is associated with any of the above three AWS services, the association is made through a Web ACL. A Web ACL is the fundamental component of WAF: it defines the set of rules applied to any of these services (See Figure 2).
As mentioned, a Web ACL is a collection of rules, and a rule is a collection of conditions (See Figure 3).
How to create a Web ACL in WAF?
In order to demonstrate the WAF capability, it is always good to go through a simple scenario that showcases it. Here, I am going to block access to a CloudFront distribution that I created some time ago. So, if you are trying this out, please make sure you have already created one of the supported resources (CloudFront, API Gateway or ALB) before you start.
P.Note: You can read one of my blogs to get an understanding of how to create your own CloudFront distribution on AWS [3]. That may help if you are not familiar with CloudFront.
Task 1: Describe a Web ACL and associate it to AWS resources
Go to AWS WAF → Web ACLs → Click Create Web ACL button (See Figure 4).
Give the Web ACL a name and associate a Resource Type with it. Here we are associating a CloudFront distribution (See Figure 5), which I created earlier. You can attach a Web ACL not only to CloudFront but to an ALB or API Gateway as well.
P.Note: If you select CloudFront, you need to select "Global" as the scope, since CloudFront is a global service. If you select either an ALB or API Gateway, you will have to select the region where the associated resource is located.
Click Add AWS Resources button to associate the CloudFront Distribution that you created before (See Figure 6).
Click the Next button and you will get another page to add rules to the Web ACL. We will skip this for the moment and do it at a later stage.
Select Allow for the Web ACL Action as well.
(P.Note: The Web ACL Action defines what you are going to do when the defined rule is active.)
Leave Set Rule Priority as it is and click Next.
Leave Configure Metrics and click Next.
Finally review your selections and click Create Web ACL button.
The above creates a Web ACL without any rules. Go back to the Web ACLs link and you will see the list below. Make sure not to select a region; select Global (CloudFront) in the top drop-down to see the Web ACL you created (See Figure 7).
However, even once you see the created Web ACL, CloudFront propagation of this update takes a bit of time. You can watch its progress on the CloudFront console page. Give CloudFront a little time to finish propagating before you start the next step.
Task 2: Add a Condition to block my IP address
Go to AWS WAF → IP Sets → Click Create IP Set button.
Select IPV4 and enter your IP address with /32 as the suffix. If you are not sure how to get your network's public IP, you can type "What is my IP" into Google. It is that simple (See Figure 8).
Task 3: Add a Rule to the created condition
In order to create a rule, you first need to create a Rule Group.
Go to AWS WAF → Rule Groups → Click Create Rule Group button (See Figure 9).
Click Next → Click Add Rule button → Set the following parameters to create a Rule:
- Rule Name → MyRule
- If a Request → Select Matches the statement
- Statement (Inspect) → Select Originates from an IP address in
- Statement (IP Set) → Select the IP Set that you created in Task 2
- Action → Select Block
Click Next
Select the Rule Priority. This is not significant here since you have only one rule.
Finally review your selections and click Create Rule Group to confirm your rule settings.
Task 4: Add the created Rule Group / Rule to the Web ACL
Go to AWS WAF → Web ACL → Select the Web ACL that you have created → Click Rules tab (See Figure 10).
You can see that the Web ACL still does not have any rules attached.
Click the Add Rules drop-down button → Select Add my own rules and rule groups.
Give a name for the rule that you are specifying here (See Figure 11).
[P.Note: I strongly feel the new WAF UI has some issues related to its fields. This is a good example of having to define the Rule name twice: once under the Rule Group and once under the Web ACL rule attachments.]
Select the Rule Group that you created from the drop-down, click the Add rule button and then click Save.
Now you can see the added rule is attached to the Web ACL.
Now it is time to browse the web URL that you have blocked for your IP. If all is fine, the response will be similar to the screen below (See Figure 12).
If you want to remove the block, go to the Web ACL, delete the related Rule and try the web link again. After a few refresh attempts, you will get your site back.
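The same four tasks expressed as AWS WAFv2 API request payloads, as an added example that is not part of the original post. The resource names (MyIPSet, MyRuleGroup, MyWebACL), the sample address 203.0.113.10 and the ARN plumbing are assumed; the builder functions run offline, and the `__main__` block shows how they would be fed to boto3.

```python
"""Constructed example: Tasks 1-4 (IP set, rule group with MyRule, Web ACL
with a default Allow) as wafv2 create_* request payloads. Names and the
sample address are assumed; ARNs come back from AWS when actually run."""
import ipaddress

SCOPE = "CLOUDFRONT"  # global scope: the wafv2 API must be called in us-east-1


def visibility(metric):
    """CloudWatch metric settings every rule, rule group and Web ACL must carry."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def ip_set_entry(address):
    """Turn a single public IPv4 address into the /32 entry the IP set expects."""
    ip = ipaddress.ip_address(address)
    if ip.version != 4:  # the post builds an IPV4 set; refuse anything else
        raise ValueError("expected an IPv4 address, got %s" % address)
    return f"{ip}/32"


def ip_set_request(name, addresses):
    """Task 2: payload for wafv2.create_ip_set."""
    return {"Name": name, "Scope": SCOPE, "IPAddressVersion": "IPV4",
            "Addresses": [ip_set_entry(a) for a in addresses]}


def rule_group_request(name, ip_set_arn):
    """Task 3: rule group holding MyRule, which blocks sources listed in the IP set."""
    rule = {"Name": "MyRule", "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility("MyRule")}
    # an IP set reference costs 1 WCU, so a capacity of 1 is enough
    return {"Name": name, "Scope": SCOPE, "Capacity": 1, "Rules": [rule],
            "VisibilityConfig": visibility(name)}


def web_acl_request(name, rule_group_arn):
    """Tasks 1 and 4: Web ACL whose default action allows and which references the group."""
    rule = {"Name": f"{name}-MyRule", "Priority": 0,
            "Statement": {"RuleGroupReferenceStatement": {"ARN": rule_group_arn}},
            "OverrideAction": {"None": {}},  # keep the group's own Block action
            "VisibilityConfig": visibility(f"{name}-MyRule")}
    return {"Name": name, "Scope": SCOPE, "DefaultAction": {"Allow": {}},
            "Rules": [rule], "VisibilityConfig": visibility(name)}


if __name__ == "__main__":
    import boto3  # only needed when talking to AWS; requires credentials
    waf = boto3.client("wafv2", region_name="us-east-1")
    ip_arn = waf.create_ip_set(**ip_set_request("MyIPSet", ["203.0.113.10"]))["Summary"]["ARN"]
    rg_arn = waf.create_rule_group(**rule_group_request("MyRuleGroup", ip_arn))["Summary"]["ARN"]
    acl_arn = waf.create_web_acl(**web_acl_request("MyWebACL", rg_arn))["Summary"]["ARN"]
    print(acl_arn)  # for CloudFront, set this ARN as the distribution's WebACLId
```

For an ALB or API Gateway the Web ACL is attached with `wafv2.associate_web_acl` in the resource's region instead of through the CloudFront distribution, matching the Global versus regional scope note in Task 1.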
References
[1] Orchestrate Perimeter Security Across Distributed Applications (re:Invent 2018): https://www.youtube.com/watch?v=ELIiF-jE0y8
[2] Protecting your web application using AWS Managed Rules for AWS WAF: https://www.youtube.com/watch?v=ll-uvVgQ3Jg
[3] Connecting your website securely via AWS Route 53, CloudFront and AWS ACM: https://medium.com/@crishantha/connecting-your-website-securely-via-aws-route-53-cloudfront-and-acm-eb442ede7ef5