AWS WAF and AWS Shield: Are They Enough to Secure Your Environment?

During the initial years of cloud adoption, security was one of the topmost concerns. Organizations worried about how their data was secured in others’ data centers, and whether cloud providers would ensure their information wasn’t exposed. Cloud providers worked very hard to address these issues, obtaining a number of industry certifications that proved they were fully secured and following the required processes.

As a result, when organizations did switch to the cloud, they were able to leverage its benefits — IaaS, agility, durability, no CAPEX investment, and pay-per-use pricing — to scale up their businesses.

However, cloud adoption also gave attackers and hackers a new way to launch layer 3, layer 4, layer 7, and mass DDoS attacks against the environment. Today, these attacks are testing the limits of cloud providers and the ability of applications to handle such events. In response, cloud providers are continuously investing in building new services and features that can block the malicious traffic at the perimeter level. To manage application web security and protect applications from malicious requests, Amazon has released two services — AWS Web Application Firewall (AWS WAF) and AWS Shield — with the aim of mitigating web and DDoS attacks.

AWS WAF Capabilities

AWS WAF was launched in late 2015 with the goals of adding an extra layer of security protection to customer environments and improving applications’ availability by protecting them from common web exploit attacks. AWS WAF can only be used for environments hosted on AWS. It helps customers protect their environments from SQL injection attacks, cross-site scripting attacks, and it filters requests based on URI, IP addresses, HTTP headers, and HTTP body.

AWS WAF was initially intended to be used with Amazon CloudFront, and was later extended to Application Load Balancers. It allows organizations to create custom web access control lists (web ACLs) that can consist of conditions to inspect the traffic — which then become the rules. Against each rule, there is a corresponding action (allow, block, or count). The count mode can help organizations observe the traffic pattern and decide whether a specific rule should be used in allow or block mode.

One of the purest examples of this is the rate-limiting feature. With this feature, if there are more than 2,000 requests received from an IP in a five-minute period, the IP address will be automatically blocked. Another example is the URI-based exploits performed by hackers. Many attackers try to exploit WordPress vulnerabilities by sending brute-force login requests to the /wp-login.php page. They also try to exploit PHPMyAdmin vulnerabilities by sending requests to the /phpmyadmin/index.php URI. For non-WordPress or non-phpMyAdmin users, these types of requests are a waste of resources and end up with 404 errors in the logs. However, the risk increases when a web application receives large volumes of such requests, caused by an attacker trying out the random URIs and attempting to consume the compute resources. This creates denial-of-service attacks.

AWS Shield Capabilities

Due to the simplicity and cost-effectiveness of the managed AWS WAF service, it has been widely adopted by AWS consumers. To expand security capabilities further, AWS launched AWS Shield, a managed DDoS service that protects customers’ applications from denial-of-service attacks. AWS Shield was launched with two modes: Standard and Advanced.

AWS Shield Standard

AWS Shield Standard works at the transport layer, providing quick detection and inline attack mitigation. It is free-of-charge for AWS customers.

• Quick detection: Continuously monitors the network flow and identifies malicious traffic in real time by analyzing traffic signatures, anomaly algorithms, and other techniques.
• Inline attack mitigation: Focuses on several techniques, like deterministic packet filtering and priority-based traffic shaping, to automatically mitigate attacks without impact on applications.

AWS Shield Advanced

AWS Shield Advanced provides key features like enhanced detection, advanced attack mitigation, attack notification, and DDoS cost protection — in addition to the AWS Shield Standard capabilities. Unlike Shield Standard, it is not free; customers must sign a 1-year commitment to pay both a fixed monthly fee and usage fees. It offers:

• Enhanced detection: Allows users to monitor network logs and enable enhanced monitoring at the application layer by performing integration with AWS Load Balancers, Amazon CloudFront, Amazon Route 53, and Amazon EC2. Organizations can allow AWS WAF rules at the Application Load Balancer or CloudFront layer to provide more DDoS protection, based on the customs rules.
• Advanced attack mitigation: Provides automatic DDoS mitigations to applications by provisioning necessary infrastructure capacity to handle massive DDoS attacks. The application-layer attacks can be mitigated by leveraging AWS WAF. AWS Shield Advanced grants customers access to a 24/7 DDoS response team (DRT). If required, DRT applies manual mitigations to tackle such attacks.
• Attack notification: Provides visibility and notifications for transport and application-layer attacks (not available in AWS Shield Standard).
• DDoS cost protection: This is vital for customers affected by DDoS attacks. AWS provides credits for the DDoS scaling charges.

Are AWS WAF and AWS Shield Enough?

Many organizations still have this question: Can AWS WAF and AWS Shield sufficiently protect their applications from web exploits and DDoS attacks? This depends on the nature of the application and the criticality of the workloads hosted on the cloud. While both services provide multiple ways to mitigate these challenges, they still lack some critical capabilities. The key gaps are as follows.

Outdated Rules

Organizations need security-focused personnel who continually leverage log analysis tools, examine traffic request patterns, identify new sets of rules (or required modifications to existing rules), test those rules, and implement them as AWS WAF rules. This is obviously a complicated and time-consuming process, which must be followed on a regular basis and lacks real-time auto updating. It puts the environment at risk, as the rules are not automatically tuned to the current traffic pattern.

Lack of Visibility

AWS WAF only retains traffic patterns for the last five minutes and it does not provide historical information which can be used by security teams. Also, the visualizations are not rich enough, further adding to the workload for security teams. Trained personnel must constantly analyze load balancer and AWS WAF logs to decide which rules should be enabled and if the applied rules are adequate.

Possible Need to Purchase Managed Rules for AWS WAF

As mentioned, it can be difficult for organizations to decide on the set of rules which should be implemented for their applications (not just according to the current pattern, but also according to industry best practices). Many security companies have published their Managed Rules for AWS WAF on AWS Marketplace. This allows organizations to directly choose the rules package and implement across their environments. The customer, however, doesn’t have any visibility on how the rules are applied or if there is a possibility to skip a rule.

A Better Solution

Reblaze is a comprehensive cloud security platform, which converts AWS WAF and AWS Shield into a complete web security solution. Reblaze fills the gaps in AWS WAF and AWS Shield:

• Fully integrated service. Reblaze is a cloud SaaS platform, which integrates seamlessly with AWS. It blocks hostile traffic in the cloud before it can reach the protected web assets (customer sites and web applications).
• Comprehensive protection. In addition to a next-generation WAF/IPS and DoS/DDoS protection (both of which go beyond the capabilities of AWS WAF and Shield, as discussed below), Reblaze also provides advanced bot detection and management, real-time traffic control, full traffic transparency, and many other benefits.
• Sophisticated threat detection. Reblaze uses a multivariate approach to accurately recognize attack traffic, using a variety of techniques, including Application Whitelisting, Behavioral Analysis, Blacklisting, fine-grained ACL capabilities, and more.
• Always up-to-date. As a fully managed SaaS platform, Reblaze is maintained remotely by a team of security experts. It is always up-to-date, and always effective.
• Machine Learning. Reblaze continually analyzes global web traffic (currently processing over 3.5 billion http/s requests per day), to recognize new attack patterns as they occur, then immediately and automatically updating the security rules for all Reblaze deployments worldwide. Even as new web threats arise, Reblaze evolves and hardens itself against them.
• Adaptive DoS/DDoS Protection. Reblaze provides full-scope DoS/DDoS protection across all layers. (This even includes the application layer; Reblaze uses machine learning to identify the unique traffic patterns for each application it’s protecting.) Legitimate traffic is allowed through, while hostile traffic is blocked in the cloud, before it affect the network’s incoming Internet pipe.
• Cost and (No) Commitment. For a monthly subscription that’s comparable to the fee for AWS Shield Advanced, Reblaze provides everything that Shield Advanced does, and much more. And unlike Shield Advanced, there’s no long-term commitment. Reblaze is offered on a month-to-month basis, and can be deployed with a simple DNS change. It’s simple and easy to try Reblaze.

Conclusion

Security is not a product; it is a process. AWS WAF and AWS Shield are good starting points for users who want to implement security for their environments. However, organizations with important web applications have more extensive security needs than what these products can provide. Reblaze offers comprehensive, robust web security in a fully managed, easy-to-use solution. If you’d like to learn more, here’s how to get in touch with us.