AWS Web Application Firewall (WAF)
The AWS web application firewall is a service that helps preventing websites and web applications from frequent web interruptions. These interruptions can affect the applications security and may consume several resources. Amazon CloudFront distribution & Application Load Balancers (ALC) responses to the web requests can be identified using AWS WAF.
With AWS WAF the user can control which traffic shall be entered and which needs to be blocked for their web applications. Several rules can be defined using AWS WAF to block regular patterns that affect your web applications.
The components of this solution can be grouped into the following areas :
1. Bad bot & scraper protection
When AWS CloudFormation script is launched, it provides the user with a honeypot URL in the output that is inserted in any web application as a hidden HTML link. So, if someone tries to hit that URL anonymously , that particular IP will be blocked, and the user won’t be able to access the web application further.
2. SQL injection protection
SQL Injection rule protects the web application from SQL injection attacks. It scans URLs, query string, headers, HTML body. Have a look at the following rules :
3. Cross-site scripting protection
Cross-site scripting protection creates a rule that protects your web application from XSS scripts. It scans URLs, query string, headers, and HTML body. Similar set of rules are defined for XSS Attacks as it was defined for SQL injection
4. Scanner & probe protection
A custom AWS Lambda function naturally parses access logs and consequently reviews for dubious conduct and adds that IP to a blocked lists of IP addresses.
5. Whitelisting & blacklisting IPs
This rule allows the user to manually whitelist or blacklist IP addresses of their choice.
6. Known attacker protection
This component is the IP Lists Parser AWS Lambda function which checks third-party IP reputation lists hourly for new ranges to block.
7. HTTP flood protection
This component provides protection against attacks from a particular IP that consist of a large number of requests . A threshold is set using this rule for defining the maximum number of incoming requests from a particular IP.
There are number of essential components relating to WAF these being :
Conditions allow you to specify what elements of the incoming HTTP or HTTPS request you require WAF to be monitor, currently these are the following conditions:
- Cross-site scripting : These scripts are written to maliciously gain access to client-side data from another user via a web application. This data could be such as stored cookies and another sensitive client information. Cross-site scripting is one of the largest vulnerabilities found in web applications these days.
- Geo Match : It allows the user to identify which countries or geography location that user would like a WAF to filter. If Geo Match functionality is being used within CloudFront if could block the traffic from any country and the same would not be able to reach AWS WAF.
- IP Addresses : This condition allows the user to specify single or multiple IP Addresses that the individual want to either allow or block as per the WAF rules.
- Size Constraints : This condition allows the user to block Traffic based on size of parts of the request which include Header, HTTP Method, Query String, Single Query Parameter, All Query Parameter, URI (Uniform Resource Identifier) & Body.
- SQL Injection attacks : These attacks can alter and read data within a database and spoof identities; some can even perform privileged functions on the database itself.
- String & Regex Matching : This allows the user to identify web requests based on strings that are contained within the requests. When a user creates a web ACL, he can select to either allow or block the request based on the string identified.
A WAF Rule allows the user to compile one or more of the above-mentioned conditions into a list, which act as a rule, where each condition is ANDed to form the complete rule.
How the conditions are Added to the Rule ?
Web ACLs (web access control lists)
Once the rules are created by the user, they can be added to the web access control list. This forms the final component in the decision process as to whether the request traffic is blocked or allowed on through to the associated CloudFront Distribution or Application Balancer.
In a Web ACL, an action is applied for each rule; these actions can either be Allow, Block or Count.
When Allowed: The request is forwarded onto relevant CloudFront distribution or ALB.
When Blocked: The request is Terminated and there is no further processing of the request.
Count : It counts the number of requests that meet the condition within that rule.
How to Setup AWS WAF ?
Creating a Web ACL
1. Choose “WAF & Shield” on AWS console
2. Click on “ Go to AWS WAF”
3. Choose “ Web ACLs”
4. Click on “ Create web ACL”
5. Enter the Relevant details on the next Page such as Web ACL Name, Region. Decide on the resource which needs to be attached to the Web ACL and click “Next”
6. The next Page is for creating conditions as mentioned above, once the condition is created click “Next”
7. The following page is for creating rules, either the user can create new rules or choose the existing ones. After creating rules and applying to Web ACL, click on “Review and Create”
8. On the last page the user can review their settings which they applied in the previous steps and click “ confirm and create”
Building Security Proactively
To Developers WAF helps them to implant security while they are writing codes, for making certain that the security is well integrated with the cloud-native applications. AWS WAF allows the developers to successfully maintain a balance with security of their web applications.
Designing Security groups and ACLs for concealing AWS resources
Designing security groups and ACLs in the Amazon virtual private cloud (VPC) allows the developer to launch AWS resources on a virtual network that is defined by themselves for preventing the AWS resources from being seen. Inbound and outbound traffic can be controlled using security groups and network ACLs at instance and VPC subnet level respectively.
The developers must define rules that are centrally deployed to all the necessary apps that requires security. For greater security and compliance to the standards, AWS services offer consistency and works seamlessly for achieving the same.
Security groups & Network access control lists (ACLs)
When launching an Amazon EC2 instance a security group would help in restricting the traffic unless an Allow rule is created for the permitting the traffic. This helps in preventing the Amazon EC2 instance to directly communicate with the traffic. Network ACLs is useful in case the user wants to specify both Allow and Deny rules, which helps in restricting different types of traffics such as TCP or UDP traffic.