DEV Community

Raghu Reddy
Raghu Reddy

Posted on • Edited on

Securing Digital Frontiers: An In-Depth Analysis of AWS WAF

What is AWS WAF

AWS WAF is a web application firewall that lets you monitor the HTTP(S) requests that are forwarded to your protected web application resources and Protect your web applications from common exploits. AWS WAF helps you protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.

AWS WAF

How AWS WAF Works

You use AWS WAF to control how your protected resources respond to HTTP(S) web requests. You do this by defining a web access control list (ACL) and then associating it with one or more web application resources that you want to protect. The associated resources forward incoming requests to AWS WAF for inspection by the web ACL.

In your web ACL, you create rules to define traffic patterns to look for in requests and to specify the actions to take on matching requests. The action choices include the following:

  • Allow the requests to go to the protected resource for processing and response.
  • Block the requests.
  • Count the requests.
  • Run CAPTCHA or challenge checks against requests to verify human users and standard browser use.

AWS WAF Components

The following are the central components of AWS WAF:

  • Web ACLs – You use a web access control list (ACL) to protect a set of AWS resources. You create a web ACL and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and they specify the action to take on requests that match their criteria. You also set a default action for the web ACL that indicates whether to block or allow through any requests that the rules haven't already blocked or allowed. For more information about web ACLs, see Web access control lists (web ACLs).

A web ACL is an AWS WAF resource.

  • Rules – Each rule contains a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. When a web request meets the criteria, that's a match. You can configure rules to block matching requests, allow them through, count them, or run bot controls against them that use CAPTCHA puzzles or silent client browser challenges. For more information about rules, see AWS WAF rules.

A rule is not an AWS WAF resource. It only exists in the context of a web ACL or rule group.

  • Rule groups – You can define rules directly inside a web ACL or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups. For more information about rule groups, see Rule groups. A rule group is an AWS WAF resource.

Implementing AWS WAF

Create a WEB ACL

Open WAF service and click on "Create WEB ACL"
Image description

Start filling the details and select the Amazon Cloud front distributions and then select the AWS Resources option. I have already created cloud front for the demo.
Image description

Select the Cloud front from the list and click on Add.
Image description

Click on Next, we will add Rules later.
Image description

Click on Next, Will also configure rule priority later.
Image description

We don't want metrics, will select disable option and proceed with next
Image description

The final page is for review, at the end of the page select "Create WEB ACL".
Image description

Add IP with in IP Sets to block IPs

Select IP Set section

Image description

Provide IP Set name and the IP addresses in CIDR format per line
Image description
This will create a rule set kind of database which we will use to either allow or block traffic.

Create Rule Group

Select Rule groups and click on "Create Rule Group".
Image description

In the following page we need to name the Rule group and click on next.

Image description

Click on Add rule
Image description

In the following section(below image) we will be adding the actual rule to either allow, block, count, CAPTHA or challenge.

We are basically creating
regular rule to
match the statement and
if the IP originates
from any of the IP from the BlacklistedIps IP Set
then take Action to block.
Click on Add rule to proceed

Image description

We will select the rule and click on Next keeping default values.

Image description

Since we have only one rule we will simply select the rule and click on Next. If you have multiple rule you can set/manage the rule priority here.

Image description
Review the steps and click on create rule group.

Image description

  • So far we have created IP Set - kind of database
  • Created Ruleset - what to do and when to do
  • and now it is time to attach this rule to the WAF

Attach rule to WAF

Select the WAF from the dashboard.
Image description

Click on rule section.
Image description

We will add the rule group that we have already created. Select "Add my own rules and rule groups"
Image description

We have different rule types, You can play around the rule type as per your requirements. For the demo we will go with Rule group, since we already have created one.
Select the Rule group and click on Add rule.
Image description

Time to test

Go the Web URL or the Cloudfront distrubution domain name to access the site.
Image description

You will get 403: Error and showing request is blocked.

Image description


Use Cases

  • Web Application Protection: AWS WAF helps protect web applications from common web exploits, such as SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks.

  • Bot Management: AWS WAF can be used to detect and block malicious bots, preventing them from causing harm or consuming excessive resources.

  • Content Filtering: AWS WAF allows you to control the content that users can access on your web applications by filtering out unwanted or malicious content.

  • Rate Limiting: AWS WAF enables you to set rate-based rules to limit the number of requests from specific IP addresses or user agents, protecting against brute force attacks or excessive traffic.

  • Compliance and Regulatory Requirements: AWS WAF helps meet compliance requirements by providing protection against known vulnerabilities and attacks, ensuring the security of sensitive data.

  • API Protection: AWS WAF can be used to protect APIs from unauthorized access, API abuse, and injection attacks.

  • Geo-blocking: AWS WAF allows you to block or allow traffic based on the geographic location of the requester, helping to prevent attacks from specific regions.

  • Content Security Policy (CSP) Enforcement: AWS WAF can enforce CSP headers to control how content is loaded and executed in web applications, preventing cross-site scripting (XSS) attacks.


References
https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html
https://crishantha.medium.com/aws-web-application-firewall-waf-ef3d46049a66

Top comments (0)