DEV Community

AWS Community Builders

WAF for ALBs

Arun Kumar
AWS Community Builder
2 min read

Overview

WAF support for ALB is now available in many regions.

Clients want a reusable pattern in which ALB → (Lambda | EC2) is secured via WAF (and HTTPS).

Clients want to minimise the maintenance footprint of adding WAF for many applications.

Architecture

(Architecture diagram)

Pricing Details

WAF Pricing

a. WAF

  • $5 per web ACL per month
  • $1 per rule per web ACL per month (assume one rule = “core-waf-automations — SQL Injection Rule”)
  • $0.60 per million web requests

b. F5

  • Charge per month in each available region (pro-rated by the hour) $20 / unit
  • Charge per million requests in each available region $1.2 / unit

Estimates

a. WAF Pricing

  • 12 web acls (6x2 acls)
  • 10 rules per WebACL = 120 rules total = $120
  • 100 million requests = $60
  • $2,160 Annual cost

b. Marketplace pricing — 4x F5 managed rulesets

  • $480 per month: $80 per account per region per month x 6
  • $480 per month: 100 million requests x 4 rulesets (total requests across all accounts / regions)
  • $11,520 Annual cost

c. Total pricing estimate

  • $13,680 annual total

Solutions

a. The solution's author is AWS itself

b. Without a dedicated security team, a “web application firewall strategy” can be a hassle (even with one)

c. AWS WAF ACL — central inspection and decision point for incoming requests (for all apps that use it)

  • This solution ships a set of preconfigured rules for use with ALB and CloudFront

  • I’m assuming we can easily integrate with marketplace rules, like the F5 ones.

d. Log analysis — more than just “WAF rules to apply”; there are mechanisms for updating rules:

  • Both WAF logs and app logs can be parsed by Athena/Lambda to inform on HTTP Flood and Scanners & Probes

  • A scheduled CloudWatch Events rule triggers a Lambda to maintain IP reputation lists

  • Bot lists are also updated via a Lambda.
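As an added example (not part of the original post or the AWS solution), the Scanners & Probes check described above, run over constructed ALB access-log lines: count 4xx/5xx responses per client IP inside a sliding window and emit IP-set entries for the block list a scheduled Lambda would maintain. The field order follows the ALB access-log format; the threshold, window, hostnames and sample addresses are assumptions.

```python
"""Scanners & Probes detection over ALB access logs (added example, constructed data)."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def _alb_line(ts, ip, status, path):
    # Constructed ALB access-log line in the real field order (up to ssl_protocol).
    return (f'https {ts} app/my-alb/abc123 {ip}:45120 10.0.1.10:80 0.001 0.010 0.000 '
            f'{status} {status} 300 120 "GET https://shop.example.com:443{path} HTTP/1.1" '
            f'"curl/7.68.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2')

# One client probing for admin/config paths, one normal visitor with a single 404.
SAMPLE_LOG = [
    _alb_line("2024-01-01T10:00:01.000000Z", "198.51.100.7", 404, "/admin"),
    _alb_line("2024-01-01T10:00:09.000000Z", "198.51.100.7", 404, "/wp-login.php"),
    _alb_line("2024-01-01T10:00:20.000000Z", "198.51.100.7", 403, "/.env"),
    _alb_line("2024-01-01T10:00:41.000000Z", "198.51.100.7", 404, "/phpmyadmin/"),
    _alb_line("2024-01-01T10:01:02.000000Z", "198.51.100.7", 404, "/backup.zip"),
    _alb_line("2024-01-01T10:00:05.000000Z", "203.0.113.5", 200, "/"),
    _alb_line("2024-01-01T10:00:16.000000Z", "203.0.113.5", 404, "/favicon.ico"),
]

def parse_alb_line(line):
    """Extract the fields the detector needs; shlex keeps quoted request strings intact."""
    f = shlex.split(line)
    ts = datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"time": ts, "client_ip": f[3].rsplit(":", 1)[0],
            "status": int(f[8]), "request": f[12]}

def find_scanners(lines, error_threshold=5, window=timedelta(minutes=5)):
    """Map IP -> peak number of 4xx/5xx responses inside any sliding `window`, if >= threshold."""
    errors = defaultdict(list)
    for line in lines:
        rec = parse_alb_line(line)
        if rec["status"] >= 400:
            errors[rec["client_ip"]].append(rec["time"])
    flagged = {}
    for ip, times in errors.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= error_threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def to_ip_set_entries(flagged):
    """CIDR entries for a WAF IP set, i.e. the block list a scheduled Lambda would maintain."""
    return sorted(f"{ip}/32" for ip in flagged)
```

Running `to_ip_set_entries(find_scanners(SAMPLE_LOG))` flags only the probing client; the normal visitor's lone 404 stays below the threshold.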

Types of Rules

a. White/black listing (manual lists)

  • No automation setup around these lists — is the expectation you manage via AWS Console?

b. SQL Injection, XSS (patterns in URI, querystring, request body)

c. HTTP Flood (web-layer DDoS, brute force logins)

  • ConfigureRateBasedRule (Custom::ConfigureRateBasedRule — HttpFloodProtectionRateBasedRuleActivated)

d. Scanners & Probes (abnormal number of errors from an origin)

e. IP Reputation Lists (3rd-party lists, updated hourly)

  • spamhaus.org
  • torproject.org
  • emergingthreats.net

f. Bad Bot (honeypot to attract bots)

  • API Gateway, Lambda
