Protect Web Application With AWS WAF

Devashish Gupta, published in codelogicx, 7 min read, Jan 3, 2023


In this Medium blog we’re going to understand what a firewall is and how AWS WAF can be used to secure your AWS-hosted applications or endpoints from malicious traffic and attacks. But first we need to understand what a “Firewall” really is. According to Google,

firewall definition by Google

In simple words, a firewall inspects traffic and checks it against a set of rules: if the traffic abides by the rules, the firewall lets it reach its destination; otherwise it drops or stops the traffic. Now let’s understand what AWS WAF is and how we can use it to secure our AWS-hosted application.

AWS WAF: AWS’s Own Web Application Firewall

AWS WAF is a web application firewall service that lets you monitor web requests that are forwarded to an Amazon API Gateway API, an Amazon CloudFront distribution, or an Application Load Balancer. You can protect those resources based on conditions that you specify, such as the IP addresses that the requests originate from.

Homepage Screenshot of AWS WAF from AWS Console

Why Do We Need AWS WAF?

Nowadays we deploy most of our applications on AWS Cloud because of the lower cost, and because the services provided by AWS make the entire Software Development Life Cycle easy and fast. But as you might have heard, “With Great Technologies comes Great Responsibility”. Since everything is hosted on AWS Cloud, the security of the cloud itself is provided by AWS, but the security of the application is our responsibility. Here comes the role of the firewall, and not just any firewall: AWS WAF, i.e., the AWS Web Application Firewall.

There are two types of WAF provided by AWS:

1. New AWS WAF
2. AWS WAF Classic

As the name suggests, the new AWS WAF is the new and improved version of AWS WAF, with many new features such as AWS managed rule groups, increased web ACL capacity, etc.

Currently AWS WAF supports only the 5 AWS services listed below:

1. AWS CloudFront
2. Amazon API Gateway
3. Application Load Balancer
4. AWS AppSync
5. Amazon Cognito User Pools

These AWS services integrate seamlessly with AWS WAF and work great.

When you create a Web ACL, you first get to choose which service you want to use AWS WAF with:

AWS WAF Distribution Types

Here you can choose any one of the 5 supported AWS services.

You can click Add AWS resources to choose any CloudFront distribution, Application Load Balancer, API Gateway, AWS AppSync API or Amazon Cognito user pool that is currently active in that AWS account, and then click Next.

Remember, you can also associate AWS resources later.

Associated AWS resources option under AWS WAF

On the next page you get to choose the rules and rule groups that will act as a wall between the traffic and the service you have chosen to secure.

Add rules and rule groups

Here you can use managed rule groups, or rules and rule groups you have created yourself.

Managed rule groups are created and maintained for you by AWS and by AWS Marketplace sellers.

Add managed rule groups

If we choose to go with AWS managed rule groups, there are two kinds:

1. Paid rule groups
2. Free rule groups

Paid rule groups:

Paid rule groups

As we can see, the paid rule groups contain 2 rule groups as of now, which are the following:

1. Account takeover prevention
2. Bot control

These two are the paid ones; the additional fees and the capacity are shown for each. You can use a rule group simply by turning on the Add to web ACL toggle.

Free rule groups:

Free rule groups

As we can see, the free rule groups contain 11 rule groups as of now, which are the following:

1. Admin protection
2. Amazon IP reputation list
3. Anonymous IP list
4. Core rule set
5. Known bad inputs
6. Linux operating system
7. PHP application
8. POSIX operating system
9. SQL database
10. Windows operating system
11. WordPress application

These 11 are the free ones, with their capacity shown for each. You can use a rule group simply by turning on the Add to web ACL toggle.

Each of these rule groups has a specific scope, which is described under it. Make sure you use only those your application requires, because a Web ACL is limited to 1500 web ACL capacity units.

Web ACL rule capacity

Also, adding unnecessary rules only increases the latency of the firewall’s traffic inspection.

There are also many third-party managed rule groups that you can subscribe to from AWS Marketplace. After subscribing, you can simply add the rule group to the Web ACL.

Other Third Party managed rule groups

There is also a Default web ACL action for requests that don’t match any rule:

Default web ACL action

You can choose the default action to be Allow or Block.

After you have chosen all the rules and rule groups, simply click Next at the bottom.

On the next page you get to set the rule priority: which rule is evaluated first and which last, so that when a request passes through the WAF it is checked against the first rule first and the last rule at the end.

Set rule priority

After setting the rule priority, click Next.

On the next page you get to set the Amazon CloudWatch metrics for every rule you selected on the previous pages:

CloudWatch metrics for rules

You can also choose to enable sampled requests along with the metrics. When you’re done, just click Next.

At the end, review everything you have configured so far and then click Create web ACL to create the new AWS WAF web ACL.

You can check the Web ACL you created by clicking the Web ACLs option in the left panel.

Web ACLs

Click on the created ACL and you’ll get a page similar to the one shown below:

Web ACL Home Page

This is the Overview page, where you can see the Requests per 5-minute period at the top and the Sampled requests at the bottom.

There are 7 sections in total, which are the following:

1. Overview: contains Requests per 5-minute period at the top and Sampled requests at the bottom.
2. Rules: contains the rules you selected during creation of the Web ACL, and more.
3. Bot Control: contains various categories of bots such as SEO, advertisement and content scrapers; you can specify which categories to allow or block. It also shows the Account takeover prevention metrics.
4. Associated AWS resources: contains the AWS resources associated with the ACL. You can add more than one resource to use with the same Web ACL rules.
5. Custom response bodies: contains content you can use to customize the response to blocked requests.
6. Logging and metrics: here you control ACL traffic logging and sampled requests.
7. CloudWatch Log Insights: to view CloudWatch Log Insights.

Also, the best part of the Web ACL rules is that you can modify them as per your needs, even the managed ones: just click on any rule and then click Edit.

Rules

When you click Edit, it shows the rule details:

Edit rule and Override default action

Here we have chosen the Amazon IP reputation list rule to modify. As we can see, there is an option to edit the rule action: we can override the default rule action to any option listed in the dropdown and then click Save rule for the modification to take effect, and that’s it. It takes effect as soon as possible; there is nothing more to do.
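The whole wizard above (rule groups, priority, default action, metrics and sampled requests) together with the rule action override just shown, as one added example that is not from the post: the same Web ACL expressed as the keyword arguments for boto3’s wafv2 `create_web_acl`, with a check against the 1500 WCU limit. The managed rule group names are the real AWS identifiers for Core rule set, Known bad inputs and Amazon IP reputation list; the WCU numbers, the ACL name and the region are this example’s own assumptions.

```python
# Added example, not from the post: the console walkthrough above as the kwargs
# for boto3's wafv2 create_web_acl, with a check against the 1500 WCU limit.
# WCU values are this example's assumptions; confirm with wafv2 check_capacity.
WCU_LIMIT = 1500

# (vendor, managed rule group name, assumed WCU, override group action to Count?)
MANAGED_GROUPS = [
    ("AWS", "AWSManagedRulesCommonRuleSet", 700, False),          # Core rule set
    ("AWS", "AWSManagedRulesKnownBadInputsRuleSet", 200, False),  # Known bad inputs
    ("AWS", "AWSManagedRulesAmazonIpReputationList", 25, True),   # Amazon IP reputation list
]

def managed_rule(priority, vendor, name, count_only):
    """One Web ACL rule that wraps a managed rule group."""
    return {
        "Name": name,
        "Priority": priority,  # lower number = evaluated earlier
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": name}},
        # Count is the console's "override to Count": matches show up in metrics,
        # logs and sampled requests, but the request is not blocked.
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,    # the "enable sampled requests" toggle
            "CloudWatchMetricsEnabled": True,  # per-rule CloudWatch metrics
            "MetricName": name,
        },
    }

def capacity_used(groups=MANAGED_GROUPS):
    """Total WCUs the selected rule groups consume."""
    return sum(wcu for _, _, wcu, _ in groups)

def build_web_acl(name, scope="REGIONAL", groups=MANAGED_GROUPS):
    """Return create_web_acl kwargs; raise if the rules exceed the WCU limit."""
    used = capacity_used(groups)
    if used > WCU_LIMIT:
        raise ValueError(f"rules need {used} WCU, Web ACL limit is {WCU_LIMIT}")
    rules = [managed_rule(i + 1, vendor, gname, count_only)
             for i, (vendor, gname, _, count_only) in enumerate(groups)]
    return {
        "Name": name,
        "Scope": scope,  # REGIONAL: ALB/API Gateway/AppSync/Cognito; CLOUDFRONT: CloudFront
        "DefaultAction": {"Allow": {}},  # requests matching no rule pass through
        "Rules": rules,
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }

# Usage (needs AWS credentials):
# boto3.client("wafv2", region_name="us-east-1").create_web_acl(**build_web_acl("demo-acl"))
```

The IP reputation list group is set to Count so its matches can be reviewed in the Logging and metrics section before switching it back to its blocking action.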

As we can see, AWS WAF provides various functions. It is a must-have service in today’s time, when threat actors are actively looking to harm your applications or services.

That’s it for now regarding AWS WAF, a really useful AWS service for securing your application endpoints and protecting your application from malicious traffic and attacks. Thank you!

remember #SharingIsCaring ;)
