AWS WAF is a managed web application firewall that protects your applications from web exploits. More specifically, AWS WAF gives you control over how traffic reaches your applications by letting you create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out the specific traffic patterns you define.
No development is needed to integrate AWS WAF with your infrastructure; it is a plug-and-play solution. You attach a web ACL to an Application Load Balancer, an Amazon CloudFront distribution or an Amazon API Gateway stage (Network Load Balancers are not supported, since WAF inspects HTTP traffic). Keep in mind that WAF only sees traffic that passes through the attached resource: if clients can reach the origin directly, the rules are bypassed, so lock the origin down to the load balancer or CloudFront.
You can add managed rule groups to your web ACL for a quick start. These rule groups are maintained either by AWS or by sellers on AWS Marketplace, depending on your choice. The best part is that the standard AWS Managed Rules groups carry no charge beyond the regular AWS WAF pricing (a few later add-ons such as Bot Control are priced separately), while Marketplace rule groups are billed by their seller.
AWS WAF is integrated with Amazon CloudWatch, which lets you monitor traffic volumes and see which rules are matching. For per-request detail during an investigation, enable web ACL logging as well.
The AWS Threat Research Team maintains the AWS Managed Rules, adding new ones as additional threats are identified. You can select rule groups that target SQL injection, protect administrative pages, or match the operating system your application runs on. The Core rule set covers some of the common threats and security risks described in the OWASP Top 10. A practical tip: deploy a managed rule group in count mode first and review the matches in CloudWatch before switching it to block, so that legitimate traffic is not cut off by a false positive.
You can use geographic matching to block access to your site from specific countries, or to allow access only from the countries of your choice. If you want to allow some web requests and block others based on the country of origin, add a geographic match statement for the countries you want to allow and a second one for the countries you want to block. The country is derived from the source IP address with a geolocation database, so treat it as a coarse control rather than an identity check: it does not stop an attacker who connects through a VPN or proxy in an allowed country.
A rate-based rule tracks the rate of requests from each originating IP address and triggers the rule action on IPs whose rate exceeds a limit. You set the limit as a number of requests per 5-minute window. You can use this type of rule to put a temporary block on an IP address that is sending excessive requests to your web application endpoints; the block is lifted automatically once the rate drops back under the limit. If another proxy or CDN sits in front of the protected resource, WAF sees the proxy's address rather than the client's, so the rule then has to be configured to take the client IP from the X-Forwarded-For header instead.
You can create IP sets for an allow list or a block list and reference them from IP-match rules. For example, you can restrict specific endpoints, or all endpoints, of your application to your static office IP address. IP set entries are written in CIDR notation, so a single host is entered as /32.
Rules can be combined. For example, you can rate-limit an endpoint only for requests from a specific geographic location, or exempt the IP address of your external vulnerability scanner from the OWASP Top 10 rules so that it can test your application: the managed rule group gets a scope-down statement that excludes the scanner's IP set, while every other client is still inspected.
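The following Python block shows how the rule types above (geo match, rate-based, IP set and managed rule group statements) are expressed and combined in AWS WAFv2 rule definitions, in the dict shape that boto3's `wafv2.create_web_acl(Rules=[...])` accepts. It is an added example, not code from the original post: the IP set ARNs, the office and scanner addresses, the country codes, paths and thresholds are all assumed values chosen for illustration.

```python
"""Build a set of AWS WAFv2 rules that combine geo matching, rate limiting,
IP-set restrictions and a managed rule group with a scope-down statement.
Added example; the ARNs, countries, paths and limits below are assumptions."""
import ipaddress
import json

# Constructed sample inputs (assumptions, not from the original post).
OFFICE_IP_SET_ARN = "arn:aws:wafv2:eu-west-1:123456789012:regional/ipset/office/00000000-0000-0000-0000-000000000001"
SCANNER_IP_SET_ARN = "arn:aws:wafv2:eu-west-1:123456789012:regional/ipset/scanner/00000000-0000-0000-0000-000000000002"
ALLOWED_COUNTRIES = ["TR", "DE", "NL"]  # ISO 3166-1 alpha-2 codes, as GeoMatchStatement expects
HOME_COUNTRY = "TR"


def visibility(metric_name):
    """CloudWatch metric and sampled-request settings every rule must carry."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}


# Small statement builders; nesting them is what WAFv2 added over WAF Classic.
def uri_starts_with(prefix):
    return {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}},
        "PositionalConstraint": "STARTS_WITH",
        "SearchString": prefix.encode(),  # boto3 takes bytes; the console/CLI base64-encode the string
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
    }}


def geo(countries):
    return {"GeoMatchStatement": {"CountryCodes": list(countries)}}


def ip_set(arn):
    return {"IPSetReferenceStatement": {"ARN": arn}}


def not_(statement):
    return {"NotStatement": {"Statement": statement}}


def and_(*statements):
    return {"AndStatement": {"Statements": list(statements)}}


def rule(name, priority, statement, action):
    return {"Name": name, "Priority": priority, "Statement": statement,
            "Action": action, "VisibilityConfig": visibility(name)}


def geo_allow_list_rule(priority, allowed):
    """Block any request whose source country is not on the allow list."""
    return rule("BlockOutsideAllowedCountries", priority, not_(geo(allowed)), {"Block": {}})


def restrict_path_to_ip_set_rule(priority, path, ip_set_arn):
    """Block requests to a path unless they come from the given IP set (office allow list)."""
    return rule("AdminOnlyFromOffice", priority,
                and_(uri_starts_with(path), not_(ip_set(ip_set_arn))), {"Block": {}})


def rate_limit_rule(priority, path, limit, home_country):
    """Rate-limit a path, but only for clients outside the home country.
    The scope-down statement decides which requests count toward the limit;
    AggregateKeyType IP keys the counter on the connection's source address."""
    return rule(f"RateLimit{path.strip('/').title()}Outside{home_country}", priority,
                {"RateBasedStatement": {
                    "Limit": limit,  # requests per 5-minute window
                    "AggregateKeyType": "IP",
                    "ScopeDownStatement": and_(uri_starts_with(path), not_(geo([home_country]))),
                }}, {"Block": {}})


def managed_rule_group_rule(priority, group_name, exempt_ip_set_arn):
    """Apply an AWS managed rule group to everything except the scanner's IP set.
    Managed groups take OverrideAction instead of Action: None keeps the group's own actions."""
    return {"Name": group_name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": group_name,
                "ScopeDownStatement": not_(ip_set(exempt_ip_set_arn))}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility(group_name)}


def ip_set_addresses(addresses):
    """Normalise addresses for create_ip_set: WAF IP sets take CIDR notation only,
    so a bare address is rejected here before the API rejects it."""
    out = []
    for addr in addresses:
        if "/" not in addr:
            raise ValueError(f"{addr!r}: AWS WAF IP sets require CIDR notation, e.g. {addr}/32")
        out.append(str(ipaddress.ip_network(addr, strict=True)))  # strict rejects malformed ranges
    return out


def build_rules():
    """Rules are evaluated in ascending priority; priorities must be unique in a web ACL."""
    rules = [
        geo_allow_list_rule(0, ALLOWED_COUNTRIES),
        restrict_path_to_ip_set_rule(1, "/admin", OFFICE_IP_SET_ARN),
        rate_limit_rule(2, "/login", 500, HOME_COUNTRY),
        managed_rule_group_rule(3, "AWSManagedRulesCommonRuleSet", SCANNER_IP_SET_ARN),
    ]
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique within a web ACL")
    return rules


if __name__ == "__main__":
    print(ip_set_addresses(["203.0.113.7/32", "198.51.100.0/24"]))
    print(json.dumps(build_rules(), indent=2, default=lambda b: b.decode()))
```

The geo allow-list rule goes first so that out-of-region traffic is dropped before the more expensive inspections run, and the managed rule group is last so that its count/block decisions only apply to traffic that has survived the explicit rules. Each rule also consumes Web ACL Capacity Units, so check the WCU total reported when you create the web ACL.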
In November 2019, AWS released a new version of the WAF service (AWS WAFv2). Resources such as rules and web ACLs created before that release are now called AWS WAF Classic. You can migrate from AWS WAF Classic to the new AWS WAF and benefit from:
Single API to manage both regional and global WAF resources
Support for nesting logical operators (AND, OR, NOT) inside rule statements
CIDR range support
Simplified service limits
Shareable components between Web ACLs, such as IP Sets, Rule Groups, Regex Sets
Web ACL Capacity Unit (WCU) calculation for your web ACLs, which replaces the fixed rule-count limit of WAF Classic
More information about AWS WAF is available from the following links:
AWS WAF: https://aws.amazon.com/waf
Managed Rule Groups: https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups.html
Managed Rules on AWS Marketplace: https://aws.amazon.com/marketplace/solutions/security/waf-managed-rules
Geographic Matching: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html
IP Set Matching: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html
Ready to improve your web application protection and achieve higher security? Book an Appointment now to implement best practices for security!
Once a Software Developer and now an AWS Certified Solutions Architect Professional and AWS Ambassador, Gizem is always eager to take on professional challenges. Her meticulousness at work is matched by a passion for sharing her knowledge with tech-savvy professionals and communities.