How To Secure Web Applications With AWS WAF?
This article will tell you how you can Secure Web Applications with AWS WAF and follow it up with a practical demonstration. Following pointers will be covered in this article,
- Getting Started With Some Fundamentals
- Sequence of steps to get started with AWS WAF
So let us get started then,
Moving on with this article on ‘How To Secure Web Application With AWS WAF?’
Getting Started With Some Fundamentals
AWS provides services like EC2, ELB (Elastic Load Balancer), S3 (Simple Storage Service), EBS (Elastic Block Storage) to create useful and fancy applications quickly and with less CAPEX (CAPital EXpenditure). While creating these applications, it’s equally important to secure the application and protect the data. If not properly secured, the application data might get into the wrong hands as in the case of the recent Capital One incident.
Capital One hosted a Web Application on EC2 and it was not secured properly. An ex-AWS employee was able to exploit this vulnerability and download reams of customer data from S3. Later it was found that the data from 30 other organizations was also downloaded from AWS. So, to stress it again it’s not just enough to architect and design an application, but it’s equally important to secure an application.
Capital One used AWS WAF (Web Application Firewall) to protect the Web Application, but it was not configured properly because of which the hacker was able to get the access to the data in S3 and download it. In this article we will explore how to use and configure AWS WAF to protect against common web attacks like SQL Injection, XSS (Cross Site Scripting) etc. AWS WAF must be configured along with Application Load Balancer, CloudFront or API Gateway. In this scenario, we will use the Application Load Balancer. Any request from the customer via the browser will go through the AWS WAF and then to the Application Load Balancer and finally to the Web Application on the EC2. AWS WAF can be used to block the malicious request from the hackers using a set of rules and conditions.
Moving on with this article on ‘How To Secure Web Application With AWS WAF?’
Sequence of steps to get started with AWS WAF
Step 1: Creating a vulnerable web application,
The first step is to create a web application which is vulnerable to SSRF (Server Side Request Forgery) attacks as mentioned in this article on how the Capital One attack happened. This article has the sequence of steps to
- Create an EC2
- Install the required software to create the web application with SSRF vulnerability
- Create and IAM role with S3 Read Only permissions
- Attach the IAM role to EC2
- Finally, exploit the SSRF vulnerability to get the Security Credentials related to the IAM role.
Once the sequence of steps are completed in the mentioned blog, replace 5.6.7.8 with the Public IP address of the EC2 in the below URL and open it in the browser. The Security Credentials associated with the IAM Role should be displayed in the browser as shown below. This is how basically Capital One was hacked. With the Security Credentials in hand, the hacker was able to access other AWS services like S3 to download the data.
http://5.6.7.8:80?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/Role4EC2-S3RO
Step 2: Creating the Application Load Balancer
AWS WAF cannot be directly associated with a Web Application. But, can only be associated with Application Load Balancer, CloudFront and API Gateway. In this tutorial, we would be creating the Application Load Balancer and associating the AWS WAF with the same.
Step 2a: A Target Group is a collection of EC2 instances and must be created before creating the Application Load Balancer. In the EC2 Management Console, click on the Target Group in the left pane and click on “Create target group”.
Step 2b: Enter the Target Group name and click on “Create”. The Target Group will be successfully created.
Step 2c: Make sure that the Target Group is selected and click on the Targets tab and click on edit to register EC2 instances with the Target Group.
Step 2d: Select the EC2 instance and click on “Add to registered” and click on “Save”.
The instances should be registered as shown below for the Target Group.
Step 2e: Time to create the Application Load Balancer. Click on the Load Balancer in the left pane of the EC2 Management Console and click on “Create Load Balancer”.
Click on “Create” for the “Application Load Balancer”.
Moving on with this article on ‘How To Secure Web Application With AWS WAF?’
Step 2f: Enter the name of the Application Load Balancer. And make sure all the Availability Zones are selected and click on Next.
Step 2g: In the “Configure Security Settings” click on Next.
In the “Configure Security Groups” create a new Security Group or select one of the existing Security Group. Make sure that port 80 is open for accessing the web page on the EC2. Click on Next.
Step 2h: In the “Configure Routing” select “Existing target group” and select the one which has been created in the earlier step. Click on Next.
Step 2i: The target EC2 instances have already been registered as part of the Target Groups. So, in the “Register Target” tab, without any changes click on Next.
Step 2j: Finally, review all the details of the Application Load Balancer and click on Create. The Application Load Balancer would be created as shown below.
Step 2k: Get the domain name of the Application Load Balancer and replace the highlighted text it in the below URL and open the same in the browser. Note that we are accessing the Web Application via the Application Load Balancer and the Security Credentials are displayed as shown below. The below URL can be blocked by using AWS WAF as shown in the subsequent steps to stop leakage of the Security Credentials.
MyALB-1929899948.us-east-1.elb.amazonaws.com?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/Role4EC2-S3RO
Step 3: Creating the AWS WAF (Web Application Firewall)
Step 3a: Go the AWS WAF Management Console and click on “Configure web ACL”. The AWS WAF overview is shown. Here is the hierarchy of AWS WAF. Web ACL has a bunch of Rules and Rules have a bunch of Conditions which we would be creating in the subsequent steps. Click on Next.
Step 3b: Enter the Web ACL name, the Region as North Virginia (or where EC2 was created), the resource type as “Application Load Balancer” and finally select the Application Load Balancer which was created in the earlier step. Click on Next.
Step 3c: Here a condition to block a specific web application request must be created. Scroll down and click on “Create condition” for the “String and regex match conditions”.
Step 3d: Enter the name of the condition, the Type as “String match”, filter on “All query parameters” and rest of the parameters exactly as shown below. And click on “Add filter” and then on Create. Here we are trying to create a condition which matches the URL containing the value of the query parameter as 169.254.169.254. This IP address is related to the EC2 Metadata.
Step 3e: Now is the time to create a rule which is a collection of conditions. Click on “Create rule” and specify the parameters as exactly shown below. Click on “Add Condition”, Create and “Review and create”.
Moving on with this article on ‘How To Secure Web Application With AWS WAF?’
Step 3f: Finally review all the details and click on “Confirm and create”. The Web ACL (Access Control List) will be created and associated with the Application Load Balancer as shown below.
Step 3g: Now try to access the Application Load Balancer URL via the browser as performed in Step 2k. This time we would be getting the “403 Forbidden” as our URL matches the Web ACL condition and we are blocking it. The request never reaches the Application Load Balancer or the Web Application on the EC2. Here we notice that although the application is allowing the access to the Security Credentials, the WAF is blocking the same.
Step 4: Cleaning up the AWS resources created in this tutorial. The clean-up must be done in exactly same order as mentioned below. This is to ensure that AWS stops the billing for the associated resources created as part of this tutorial.
- Delete Condition in the Rule
- Delete the Rule in the WebACL
- Disassociate the ALB in the WebACL
- Delete WebACL
- Delete the Rule
- Delete the filter in the Condition
- Delete the Condition
- Delete the ALB and the Target Group
- Terminate the EC2
- Delete the IAM Role
Conclusion
As mentioned earlier, creating a Web Application using AWS is very easy and interesting. But we are also must to make sure that the application is secure and that the data is not leaked into the wrong hands. The security can be applied at multiple layers. In this tutorial we have seen how use the AWS WAF (Web Application Firewall) to protect the Web Application against attacks like matching with IP address of the EC2 Metadata. We could have also used WAF to protect against common attacks like SQL Injection and XSS (Cross Site Scripting).
Using AWS WAF or in-fact any other security product doesn’t make the application secure, but the product must be configured properly. If not configured properly, the data might get into the wrong hands as did happen with Capital One and other Organizations. Also, the other important thing to consider is that Security must be thought from day one and not to plugged into the application at a later stage.
This brings us to the end of this article on How To Secure Web Applications With AWS WAF. If you wish to check out more articles on the market’s most trending technologies like Artificial Intelligence, DevOps, Ethical Hacking, then you can refer to Edureka’s official site.
Do look out for other articles in this series which will explain the various other aspects of AWS.
1. AWS Tutorial
2. AWS EC2
3. AWS Lambda
5. AWS S3
6. AWS Console
7. AWS RDS
9. AWS Fargate
10. Amazon Lex
11. Amazon Lightsail
12. AWS Pricing
13. Amazon Athena
14. AWS CLI
15. AWS vs Azure
17. On-premise vs Cloud computing
19. How To Restore EC2 From Snapshot?
20. AWS CodeCommit
21.Top AWS Architect Interview Questions
22. How To Restore EC2 From Snapshot?
25. AWS Resume
Originally published at https://www.edureka.co on September 20, 2019.
