May 23, 2018 at 10:41 am, #100034311, junaid (Participant)
How can I deploy preconfigured protections using AWS WAF?
AWS WAF is a web application firewall that enables customers to quickly create custom, application-specific rules that block common attack patterns that can affect application availability, compromise security, or consume excessive resources. AWS WAF can be completely administered via APIs which makes security automation easy, enabling rapid rule propagation and fast incident response.
Configuring a web application firewall strategy can be challenging and burdensome to large and small organizations alike, especially for those who do not have dedicated security teams. To simplify this process, AWS offers a solution that uses AWS CloudFormation to automatically deploy a set of AWS WAF rules designed to filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL), as depicted in the image to the right. Once the solution is deployed, AWS WAF will begin inspecting web requests to the user’s existing Amazon CloudFront distributions or Application Load Balancers, and block them when applicable.
The AWS WAF Security Automations solution provides fine-grained control over the requests attempting to access your web application. The diagram below presents the architecture you can build using the solution’s implementation guide and accompanying AWS CloudFormation templates (one for web apps deployed with Amazon CloudFront and one for web apps deployed with an Application Load Balancer).
At the core of the design is an AWS WAF web ACL that acts as the central inspection and decision point for all incoming requests. The protective functions you choose to activate will determine the custom rules that are added to your web ACL.
• Honeypot (A): This component creates a honeypot to lure and deflect content scrapers and bad bots. A discrete API Gateway endpoint (embedded in the web application) triggers a custom AWS Lambda function, which intercepts the suspicious request and adds the source IP address to the AWS WAF block list.
• SQL injection (B) and cross-site scripting (C) protection: The solution automatically configures two native AWS WAF rules that protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.
• Log parsing (D): A custom AWS Lambda function automatically parses access logs to identify suspicious behavior and add the corresponding source IP addresses to an AWS WAF block list.
• Manual IP lists (E): This component creates two specific AWS WAF rules that allow you to manually insert IP addresses that you want to block (blacklist) or allow (whitelist).
• IP-list parsing (F): A custom AWS Lambda function automatically checks third-party IP reputation lists hourly for malicious IP addresses to add to an AWS WAF block list.
• HTTP flood protection (G): This component configures a rate-based rule that automatically blocks web requests from a client once they exceed a configurable threshold.
What you’ll accomplish:
Quickly configure AWS WAF rules using AWS CloudFormation. The AWS CloudFormation templates automatically launch and configure the AWS WAF settings and protective features you choose to include during initial deployment.
Manually customize your web ACL whenever needed using the solution’s custom whitelist and blacklist sets.
Automatically publish execution metrics to Amazon CloudWatch to review the effectiveness of your AWS WAF rules.
What you’ll need before starting:
An AWS account: You will need an AWS account to begin provisioning resources. Sign up for AWS.
An Amazon CloudFront distribution or Application Load Balancer: AWS WAF is designed to monitor requests for CloudFront distributions and Application Load Balancers. If you don’t already have one set up, see the solution’s implementation guide for more information to get you started.
Skill level: This solution is intended for IT infrastructure and security professionals who have practical experience working with web application firewalls and architecting on the AWS cloud.
Q: Can I incorporate the AWS WAF Security Automations solution into my existing web application firewall strategy?
Yes. You can aggregate existing rules and solution-created rules into a single web ACL. Note that individual web ACLs are subject to rule limits; see the AWS WAF Developer Guide for information.
Q: Can I use this solution to protect multiple web applications?
Yes. After you deploy the solution, you can associate its web ACL (with all the rules included in this solution) with multiple web applications. Note that the web ACL the solution creates will be compatible with either a CloudFront distribution or an Application Load Balancer, depending on which version of the AWS CloudFormation template you use.
Q: Can I extend the functionality of AWS WAF Security Automations?
Yes. You can modify and customize all the rules provided in this solution. During initial configuration, use the template parameters to control rule behavior, as well as the code for the AWS Lambda functions.
Q: Does the AWS WAF Security Automations solution integrate with my third-party web application firewall?
No. These rules are specific to the AWS WAF service.
Q: How much will it cost to run AWS WAF Security Automations?
You are responsible for the cost of the AWS services used while running this reference deployment. The cost depends on how many web requests your application receives and the AWS Regions where your resources are deployed. For full pricing details, see the implementation guide.
Q: Can I deploy AWS WAF Security Automations in any AWS Region?
For web apps deployed with an Application Load Balancer, you must deploy the solution’s AWS CloudFormation template in an AWS Region that supports AWS WAF for Application Load Balancers (for the most current AWS WAF availability, see AWS service offerings by region).
For web apps deployed with Amazon CloudFront, you can deploy the solution template in any AWS Region. Once deployed, AWS WAF can monitor web requests at any other CloudFront edge location.
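The log-parsing component (D) and the HTTP-flood threshold (G) described in the post both reduce to the same idea: count requests per source IP inside a time window and feed the offenders into an AWS WAF IP set as /32 entries. The script below is an added illustration of that logic, not code from the AWS solution or from the post; the ALB log lines, the error threshold and the window length are constructed assumptions, and the actual AWS WAF API call to update the IP set is left out.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ALB access-log lines (trimmed to the leading fields); not real traffic.
SAMPLE_LOG = """\
https 2018-05-23T10:40:01.000000Z app/demo-alb/abc 203.0.113.10:51234 10.0.1.5:80 0.001 0.002 0.000 404 404 120 300 "GET https://example.com:443/admin HTTP/1.1" "curl/7.58.0"
https 2018-05-23T10:40:05.000000Z app/demo-alb/abc 203.0.113.10:51235 10.0.1.5:80 0.001 0.002 0.000 403 403 120 300 "GET https://example.com:443/config HTTP/1.1" "curl/7.58.0"
https 2018-05-23T10:40:09.000000Z app/demo-alb/abc 203.0.113.10:51236 10.0.1.5:80 0.001 0.002 0.000 404 404 120 300 "GET https://example.com:443/old HTTP/1.1" "curl/7.58.0"
https 2018-05-23T10:41:00.000000Z app/demo-alb/abc 203.0.113.10:51237 10.0.1.5:80 0.001 0.002 0.000 404 404 120 300 "GET https://example.com:443/test HTTP/1.1" "curl/7.58.0"
https 2018-05-23T10:39:30.000000Z app/demo-alb/abc 198.51.100.7:40001 10.0.1.5:80 0.001 0.010 0.000 200 200 500 8000 "GET https://example.com:443/ HTTP/1.1" "Mozilla/5.0"
https 2018-05-23T10:40:30.000000Z app/demo-alb/abc 198.51.100.7:40002 10.0.1.5:80 0.001 0.010 0.000 200 200 500 8000 "GET https://example.com:443/about HTTP/1.1" "Mozilla/5.0"
https 2018-05-23T10:05:00.000000Z app/demo-alb/abc 203.0.113.44:33000 10.0.1.5:80 0.001 0.002 0.000 404 404 120 300 "GET https://example.com:443/x HTTP/1.1" "python-requests/2.18"
"""

def parse_alb_line(line):
    """Return (timestamp, client_ip, elb_status_code) from one ALB access-log line."""
    f = shlex.split(line)                 # keeps the quoted request/user-agent fields intact
    ts = datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ")
    client_ip = f[3].rsplit(":", 1)[0]    # drop the client source port
    return ts, client_ip, int(f[8])

def find_abusive_ips(lines, threshold, window_minutes, error_only=True):
    """IPs with more than `threshold` responses (4xx/5xx only, unless error_only=False)
    in the last `window_minutes` of the log, measured back from the newest entry.
    Threshold and window are assumed values, not the solution's defaults."""
    parsed = [parse_alb_line(l) for l in lines if l.strip()]
    if not parsed:
        return set()
    end = max(ts for ts, _, _ in parsed)
    start = end - timedelta(minutes=window_minutes)
    counts = defaultdict(int)
    for ts, ip, status in parsed:
        if ts < start or (error_only and status < 400):
            continue
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > threshold}

def to_ipset_entries(ips):
    """Format addresses as the /32 IPv4 descriptors an AWS WAF IP set holds."""
    return sorted(f"{ip}/32" for ip in ips)

if __name__ == "__main__":
    bad = find_abusive_ips(SAMPLE_LOG.splitlines(), threshold=3, window_minutes=5)
    print("block:", to_ipset_entries(bad))   # block: ['203.0.113.10/32']
```

Because the window is measured from the newest log entry, the older scan from 203.0.113.44 only appears when the window is widened; a scheduled Lambda running this over each new log batch would see it in the batch where it occurred.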