
Arun Kumar for AWS Community Builders


WAF for ALBs

Overview

WAF support for ALB is now available in many regions.

Clients want a reusable pattern in which applications fronted by ALB → (Lambda | EC2) are secured via WAF (and HTTPS).

Clients want to minimise the maintenance footprint of adding WAF for many applications.

Architecture

[Architecture diagram: arch]

Pricing Details

WAF Pricing

a. WAF

  • $5 per web ACL per month
  • $1 per rule per web ACL per month (assume one rule = “core-waf-automations — SQL Injection Rule”)
  • $0.60 per million web requests

b. F5

  • Charge per month in each available region (pro-rated by the hour): $20 per unit
  • Charge per million requests in each available region: $1.2 per unit

Estimates

a. WAF Pricing

  • 12 web ACLs (6 × 2 ACLs)
  • 10 rules per web ACL = 120 rules total = $120
  • 100 million requests = $60
  • $2,160 annual cost

b. Marketplace pricing: 4 × F5 managed rulesets

  • $480: $80 per account per region per month × 6
  • $480: 100 million requests × 4 rulesets (total requests across all accounts and regions)
  • $11,520 annual cost

c. Total pricing estimate

  • $13,680 annual total

Solutions

a. The author of the solution is AWS itself.

b. Without a dedicated security team, a “web application firewall strategy” can be a hassle (even with one).

c. AWS WAF ACL — central inspection and decision point for incoming requests (for all apps that use it)

  • This solution ships with a set of preconfigured rules for use with ALB and CloudFront.

  • I’m assuming we can easily integrate with marketplace rules, like the F5 ones.

d. Log analysis: this is more than just “WAF rules to apply”; there are mechanisms for updating the rules:

  • Both WAF logs and application logs can be parsed by Athena/Lambda to inform the HTTP Flood and Scanners & Probes rules.

  • A scheduled CloudWatch Events rule triggers a Lambda that maintains the IP reputation lists.

  • Bot lists are also updated via a Lambda.
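As an added example (not code from the post or from AWS), this is the kind of analysis the log-parsing Lambda performs, run here over constructed WAF log records and ALB access log lines: a sliding-window request count per client IP for the HTTP Flood rule, and a 4xx error ratio per client IP for the Scanners & Probes rule. The field layouts follow the WAF JSON log and the ALB access log formats as far as the fields read here; the IP addresses, thresholds and the `build_block_list` helper are assumptions made for the example.

```python
"""Mine WAF logs for HTTP floods and ALB access logs for scanners/probes, then emit
the /32 entries a Lambda would push into the corresponding WAF IP sets."""
import json
import shlex
from collections import Counter, defaultdict


def _waf_record(ts_ms, client_ip, uri):
    # Field names follow the AWS WAF log format; only the fields read below are kept.
    return json.dumps({"timestamp": ts_ms, "action": "ALLOW",
                       "httpRequest": {"clientIp": client_ip, "uri": uri, "httpMethod": "GET"}})


_T0 = 1_600_000_000_000  # arbitrary epoch-millisecond start for the constructed sample
WAF_LOG_LINES = (
    [_waf_record(_T0 + i * 1_000, "203.0.113.10", "/login") for i in range(120)]  # 120 hits in 2 min
    + [_waf_record(_T0 + i * 60_000, "192.0.2.5", "/") for i in range(10)]       # 10 hits in 10 min
    + [_waf_record(_T0 + i * 5_000, "198.51.100.7", "/about") for i in range(3)]
)


def _alb_line(client_ip, uri, status):
    # Leading fields of an ALB access log line: type, time, elb, client:port, target:port,
    # three timings, elb_status_code, target_status_code, bytes, "request", "user_agent".
    return (f"http 2020-09-13T12:26:40.000000Z app/demo-alb/0123456789abcdef "
            f"{client_ip}:43512 10.0.0.5:80 0.000 0.001 0.000 {status} {status} 100 200 "
            f'"GET http://demo.example:80{uri} HTTP/1.1" "curl/7.64.1" - -')


ALB_LOG_LINES = (
    [_alb_line("203.0.113.99", f"/admin{i}.php", 404) for i in range(11)]  # probing for files
    + [_alb_line("203.0.113.99", "/", 200)]
    + [_alb_line("198.51.100.7", "/", 200) for _ in range(7)]
    + [_alb_line("198.51.100.7", "/missing", 404)]
    + [_alb_line("192.0.2.77", "/old", 404) for _ in range(2)]            # too few requests to judge
)


def parse_waf_logs(lines):
    """Return (timestamp_ms, client_ip, uri) for every WAF log record."""
    records = []
    for line in lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        records.append((rec["timestamp"], req["clientIp"], req["uri"]))
    return records


def http_flood_sources(records, window_ms=300_000, threshold=100):
    """IPs whose request count inside any sliding window of window_ms exceeds threshold.
    Returns {ip: peak_count}; running this over logs lets you tune the rate-based rule's
    threshold before enabling it."""
    by_ip = defaultdict(list)
    for ts, ip, _uri in records:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window_ms:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def parse_alb_logs(lines):
    """Return (client_ip, elb_status_code) per ALB line; shlex keeps quoted fields whole."""
    records = []
    for line in lines:
        fields = shlex.split(line)
        if len(fields) < 9:
            continue  # truncated or unexpected line
        client_ip = fields[3].rsplit(":", 1)[0]  # strip the source port
        records.append((client_ip, int(fields[8])))
    return records


def scanner_sources(records, min_requests=5, error_ratio=0.5):
    """IPs that drew mostly 4xx responses over at least min_requests requests; {ip: ratio}."""
    total, errors = Counter(), Counter()
    for ip, status in records:
        total[ip] += 1
        if 400 <= status < 500:
            errors[ip] += 1
    return {ip: errors[ip] / total[ip] for ip in total
            if total[ip] >= min_requests and errors[ip] / total[ip] >= error_ratio}


def build_block_list():
    """Union of both detections as the CIDR strings a WAF IP set expects."""
    floods = http_flood_sources(parse_waf_logs(WAF_LOG_LINES))
    scanners = scanner_sources(parse_alb_logs(ALB_LOG_LINES))
    return sorted(f"{ip}/32" for ip in set(floods) | set(scanners))


if __name__ == "__main__":
    print("HTTP flood:", http_flood_sources(parse_waf_logs(WAF_LOG_LINES)))
    print("Scanners/probes:", scanner_sources(parse_alb_logs(ALB_LOG_LINES)))
    print("IP set entries:", build_block_list())
```

The two detections deliberately read different logs: WAF logs carry every request the web ACL saw (good for counting), while only the ALB access logs carry the response status needed to judge error rates. A low-volume source with a 100% error rate is left alone by `min_requests`, which keeps a single mistyped URL from blocking a legitimate client.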

Types of Rules

a. White/black listing (manual lists)

  • No automation is set up around these lists; is the expectation that you manage them via the AWS Console?

b. SQL Injection, XSS (patterns in URI, querystring, request body)

c. HTTP Flood (web-layer DDoS, brute-force logins)

  • ConfigureRateBasedRule (Custom::ConfigureRateBasedRule — HttpFloodProtectionRateBasedRuleActivated)

d. Scanners & Probes (an abnormal number of errors from a single origin)

e. IP Reputation Lists (third-party lists, updated hourly)

  • spamhaus.org
  • torproject.org
  • emergingthreats.net
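The feed-to-IP-set step of the scheduled reputation-list Lambda, as an added example that is not part of the post or of the AWS solution: it parses excerpts laid out like the three feeds listed above, validates each entry with Python's `ipaddress` module, drops duplicates and networks already covered by a broader entry, separates IPv4 from IPv6, and batches the result for an update call. The feed excerpts are constructed, the `allowed_prefixes` and `chunk` parameters are assumptions to be set from the current WAF IP set quotas, and no AWS API call is made.

```python
"""Parse third-party reputation feeds into the CIDR entries a WAF IP set accepts."""
import ipaddress

# Constructed feed excerpts. Layouts mimic the Spamhaus DROP list ("cidr ; SBL ref"),
# the Tor exit-address list and a plain one-IP-per-line list; all addresses come from
# documentation ranges and every reference or timestamp is invented.
SPAMHAUS_DROP_SAMPLE = """; Spamhaus DROP List (constructed sample for this example)
203.0.113.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
203.0.113.0/24 ; SBL000001 duplicate line on purpose
"""

TOR_EXIT_SAMPLE = """ExitNode 0000000000000000000000000000000000000000
Published 2020-09-13 10:00:00
LastStatus 2020-09-13 11:00:00
ExitAddress 192.0.2.44 2020-09-13 11:00:00
ExitNode 1111111111111111111111111111111111111111
Published 2020-09-13 10:00:00
LastStatus 2020-09-13 11:00:00
ExitAddress 192.0.2.45 2020-09-13 11:00:00
ExitAddress 2001:db8::45 2020-09-13 11:00:00
"""

PLAIN_IP_SAMPLE = """# constructed sample: one address per line, as the emergingthreats lists are laid out
192.0.2.100
192.0.2.101
not-an-ip
203.0.113.7
"""


def parse_drop_feed(text):
    """'cidr ; comment' lines; lines starting with ';' are header comments."""
    entries = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()  # drop the "; SBLxxx" reference or comment
        if entry:
            entries.append(entry)
    return entries


def parse_tor_exit_feed(text):
    """Only the 'ExitAddress <ip> <timestamp>' lines carry addresses."""
    return [line.split()[1] for line in text.splitlines() if line.startswith("ExitAddress ")]


def parse_plain_ip_feed(text):
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def normalise(raw_entries, allowed_prefixes=None):
    """Validate entries, widen bare IPs to /32 or /128, drop junk, duplicates and any
    network already covered by a broader one, and split by IP version.
    allowed_prefixes (an assumption; set it from the current WAF IP set quota) optionally
    restricts which prefix lengths are kept."""
    nets, rejected = set(), []
    for entry in raw_entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if allowed_prefixes and net.prefixlen not in allowed_prefixes:
            rejected.append(entry)
            continue
        nets.add(net)
    result = {"IPV4": [], "IPV6": [], "rejected": rejected}
    for version, key in ((4, "IPV4"), (6, "IPV6")):
        kept = []
        # supernets sort before their subnets, so a containment check against kept suffices
        for net in sorted((n for n in nets if n.version == version),
                          key=lambda n: (n.network_address, n.prefixlen)):
            if not any(net.subnet_of(k) for k in kept):
                kept.append(net)
        result[key] = [str(n) for n in kept]
    return result


def chunk(entries, size):
    """Split a list for batched IP set updates (size is the per-call limit you are bound by)."""
    return [entries[i:i + size] for i in range(0, len(entries), size)]


def build_ip_set_entries():
    raw = (parse_drop_feed(SPAMHAUS_DROP_SAMPLE) + parse_tor_exit_feed(TOR_EXIT_SAMPLE)
           + parse_plain_ip_feed(PLAIN_IP_SAMPLE))
    return normalise(raw)


if __name__ == "__main__":
    entries = build_ip_set_entries()
    print(entries)
    print(chunk(entries["IPV4"], 4))
```

Rejected entries are returned rather than silently dropped so the Lambda can log them: a feed that suddenly rejects most of its lines usually means the publisher changed its format, and an empty replacement list would otherwise wipe the IP set on the next hourly run.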

f. Bad Bot (honeypot to attract bots)

  • API Gateway, Lambda
