
AWS WAF Web ACL Setup

Amazon Web Services (AWS) Web Application Firewall (WAF) is a managed service that protects web applications by inspecting and filtering HTTP/HTTPS requests before they reach the application. AWS WAF lets you control access by defining rules that block, allow, count or challenge requests based on source IP address, HTTP headers, URI path, query string and request body, among other characteristics. This article covers the setup of an AWS WAF Web Access Control List (Web ACL), best practices, and troubleshooting.

AWS WAF Web ACL

What is AWS WAF?

AWS Web Application Firewall (WAF) is a fully managed service that protects web applications from common web exploits such as SQL injection and cross-site scripting (XSS), and from application-layer (HTTP flood) Distributed Denial of Service (DDoS) attacks through rate-based rules. Network- and transport-layer DDoS protection is the job of AWS Shield, not AWS WAF. WAF lets you monitor and control the HTTP and HTTPS requests that are forwarded to your application.

Key Features of AWS WAF Web ACL

  • Real-time Traffic Filtering: AWS WAF filters web traffic based on user-defined rules.
  • Flexible Rule Engine: Support for custom and managed rule sets to protect against known threats.
  • Integration with Other AWS Services: Works seamlessly with Amazon CloudFront, Application Load Balancer (ALB), and API Gateway.
  • Cost Effective Protection: Pay-as-you-go pricing model allows you to scale security according to your needs.

Prerequisites for AWS WAF Web ACL Setup

AWS Account and Permissions

Before setting up AWS WAF, you need an AWS account with permissions to create and manage WAF Web ACLs and to attach them to the protected resources. Grant the least privilege that covers the task:

  • AWSWAFFullAccess (or AWSWAFConsoleFullAccess when working in the console) to create and manage Web ACLs. AWSWAFReadOnlyAccess only lets you view the configuration and is not sufficient for setup.
  • Permission on the resource being protected, which the wafv2:AssociateWebACL call requires in addition to the WAF permissions: elasticloadbalancing:SetWebAcl for an ALB, apigateway:SetWebACL for an API Gateway stage, and cloudfront:UpdateDistribution for a CloudFront distribution. AdministratorAccess also works but grants far more than needed; avoid it for the principal that operates the WAF.

Supported Resources

AWS WAF can be associated with several AWS services for protecting your web applications:

  • Amazon CloudFront: AWS’s Content Delivery Network (CDN) service.
  • Application Load Balancer (ALB): Load balancer that distributes traffic across multiple targets.
  • API Gateway: Managed service for building, deploying, and scaling APIs. A Web ACL attaches to a REST API stage; HTTP APIs and WebSocket APIs do not support AWS WAF.

Setting Up AWS WAF Web ACL

Step by Step Guide to Create a Web ACL

  1. Log in to AWS Management Console:

    • Go to the AWS Management Console and navigate to the WAF & Shield service.
  2. Create a Web ACL:

    • Click on Create Web ACL.
    • Choose the scope and Region. A Web ACL for a CloudFront distribution is global: select Global (CloudFront) and create it from the US East (N. Virginia) Region. A Web ACL for an ALB or API Gateway stage is regional and must be created in the same Region as that resource; it cannot be shared across Regions.
    • Name the Web ACL (e.g., MyWebACL) and specify the associated resources (CloudFront, ALB, or API Gateway). The name cannot be changed after creation.
  3. Configure Resource Associations:

    • For CloudFront, select the relevant distribution.
    • For ALB or API Gateway, select the application or API that the WAF will protect.
  4. Set Default Action:

    • Choose a default action (Allow or Block) for requests that match no rule. Allow is the usual choice for a public application and avoids an outage when a rule is misconfigured; use Block as the default only where an explicit allow list (for example, a partner IP set) defines all legitimate traffic.
  5. Add Rules to Web ACL:

    • In the rules section, you can start adding managed or custom rules to your Web ACL.
  6. Review and Create:

    • Review the configuration, and click Create Web ACL to finalize.
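The same Web ACL can be created from code. The following is an added example (not AWS's own code or part of this article's original procedure) that builds the CreateWebACL request body for the steps above, checks two constraints the API enforces, and optionally creates and associates the Web ACL with boto3. The name MyWebACL, the Region, the account ID 123456789012 and the ALB ARN are placeholders.

```python
"""Build, validate and (optionally) create an AWS WAF v2 Web ACL with boto3."""
import json

try:
    import boto3  # only needed for the live API calls in main()
except ImportError:  # the builder and validator below work without boto3 installed
    boto3 = None


def scope_for(resource_type: str) -> str:
    """CloudFront Web ACLs are global (Scope=CLOUDFRONT); ALB and API Gateway ones are REGIONAL."""
    if resource_type == "cloudfront":
        return "CLOUDFRONT"
    if resource_type in ("alb", "apigateway"):
        return "REGIONAL"
    raise ValueError(f"unsupported resource type: {resource_type}")


def client_region_for(resource_type: str, resource_region: str) -> str:
    """A CLOUDFRONT-scoped Web ACL must be created through the us-east-1 endpoint;
    a REGIONAL one in the Region of the ALB or API it protects."""
    return "us-east-1" if scope_for(resource_type) == "CLOUDFRONT" else resource_region


def visibility(metric_name: str) -> dict:
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def build_web_acl(name: str, resource_type: str, default_allow: bool = True) -> dict:
    """Return the CreateWebACL request body with a default action and one managed
    rule group. The group is added with OverrideAction=Count so its matches show
    up in metrics and logs before it is allowed to block anything."""
    return {
        "Name": name,
        "Scope": scope_for(resource_type),
        "DefaultAction": {"Allow": {}} if default_allow else {"Block": {}},
        "Rules": [{
            "Name": "AWS-AWSManagedRulesCommonRuleSet",
            "Priority": 0,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
            "OverrideAction": {"Count": {}},
            "VisibilityConfig": visibility("CommonRuleSet"),
        }],
        "VisibilityConfig": visibility(name),
    }


def validate_web_acl(acl: dict) -> list:
    """Reproduce two checks the API enforces: priorities must be unique, and a rule
    that references a rule group takes OverrideAction while any other rule takes Action."""
    problems, seen = [], set()
    for rule in acl["Rules"]:
        if rule["Priority"] in seen:
            problems.append(f"duplicate priority {rule['Priority']} on {rule['Name']}")
        seen.add(rule["Priority"])
        stmt = rule["Statement"]
        is_group = "ManagedRuleGroupStatement" in stmt or "RuleGroupReferenceStatement" in stmt
        if is_group and "OverrideAction" not in rule:
            problems.append(f"{rule['Name']}: rule group reference needs OverrideAction")
        if not is_group and "Action" not in rule:
            problems.append(f"{rule['Name']}: rule needs Action")
    return problems


def main():
    # Placeholders: replace with the Region and ARN of your own load balancer.
    alb_region = "eu-west-1"
    alb_arn = ("arn:aws:elasticloadbalancing:eu-west-1:123456789012:"
               "loadbalancer/app/my-alb/abcdef0123456789")
    acl = build_web_acl("MyWebACL", "alb")
    assert not validate_web_acl(acl), validate_web_acl(acl)
    # The same JSON works with: aws wafv2 create-web-acl --cli-input-json file://acl.json
    print(json.dumps(acl, indent=2))
    if boto3 is None:
        return
    waf = boto3.client("wafv2", region_name=client_region_for("alb", alb_region))
    created = waf.create_web_acl(**acl)["Summary"]
    # Regional resources are associated here; a CloudFront distribution is associated
    # by setting WebACLId in the distribution config (cloudfront:UpdateDistribution).
    waf.associate_web_acl(WebACLArn=created["ARN"], ResourceArn=alb_arn)


if __name__ == "__main__":
    main()
```

Run it without credentials to print the request body and confirm the scope and Region logic; with credentials and boto3 installed it creates the Web ACL and attaches it to the ALB. The managed group starts in Count mode deliberately: switch OverrideAction to {"None": {}} only after the logs show it is not matching legitimate traffic.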

Adding Rules to the Web ACL

You can add different types of rules to your Web ACL:

  • Managed Rules: Pre-configured rule sets provided by AWS or third-party vendors.
  • Custom Rules: User-defined rules based on specific IP addresses, HTTP methods, URIs, or other request characteristics.

AWS Managed Rules for Web ACL

Overview of AWS Managed Rules

AWS Managed Rules are pre-configured sets of rules designed to protect your applications from a wide range of web vulnerabilities. These rule sets are maintained by AWS and updated regularly to protect against new threats.

Best Managed Rules for Common Threats

  • AWSManagedRulesCommonRuleSet (Core rule set): Generic protections such as cross-site scripting, local and remote file inclusion, SSRF against the EC2 instance metadata endpoint, oversized request components and known bad user agents. It does not contain SQL injection rules.
  • AWSManagedRulesSQLiRuleSet: Focused on detecting SQL injection in the query string, body, cookies and URI path; pair it with the Core rule set.
  • AWSManagedRulesKnownBadInputsRuleSet: Blocks request patterns known to be invalid or associated with vulnerability exploitation (for example, Log4j JNDI lookup strings).
  • AWSManagedRulesBotControlRuleSet: Identifies and blocks automated bots. This is a paid rule group billed in addition to the base AWS WAF price.

Rule groups vendored by AWS are added to a Web ACL directly from the AWS WAF console without a subscription (third-party rule groups from AWS Marketplace require one). Each rule inside a group can be overridden to Count so that it reports matches without blocking, and the whole group can be added in Count mode while you tune it.

Custom Rules for AWS WAF Web ACL

In addition to AWS Managed Rules, you can create custom rules tailored to your application’s specific needs.

IP Based Rules

  • IP Address Block/Allow List: Create rules to block or allow traffic from specific IP addresses or ranges.
    • Example: Block all traffic from a specific IP known for malicious activity.

Rate Based Rules

  • Rate Limiting: Mitigate HTTP floods and brute-force attempts by limiting the number of requests a source may send within a sliding evaluation window (5 minutes by default; shorter windows are configurable).
    • Example: Block each IP that makes more than 1000 requests in a 5-minute window. The rule is evaluated periodically rather than on every request, so a short burst can exceed the limit before the block takes effect, and the IP stays blocked until its rate drops back under the limit. Add a scope-down statement (for example, only POST requests to /login) so the limit targets the abused endpoint without throttling normal browsing.

Regex Pattern Matching

  • Regex Rules: Use regular expressions (regex pattern sets) to match specific patterns in request URIs, headers, query strings or bodies.
    • Example: Count or block requests whose User-Agent header matches an outdated browser or a known scanner. The User-Agent is supplied by the client and is trivial to forge, so treat such a rule as a way to cut noise, not as an access control.
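To make the interaction between these rule types concrete, here is an added example (not AWS code and not part of the original article) that models how a Web ACL evaluates IP set, rate-based and regex rules: rules run in ascending priority, the first rule with a terminating action (Allow or Block) decides the request, Count is non-terminating, and a rate-based rule only counts requests that earlier rules did not already stop. The CIDR block, the 300-second window, the limit and the requests are constructed for the demonstration.

```python
"""Offline model of AWS WAF custom-rule evaluation: IP set, rate-based and regex rules."""
import ipaddress
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # the classic 5-minute evaluation window of a rate-based rule


class IpSetRule:
    """Match requests whose source IP falls in one of the CIDRs (an IP set)."""
    def __init__(self, name, priority, cidrs, action="BLOCK"):
        self.name, self.priority, self.action = name, priority, action
        self.networks = [ipaddress.ip_network(c) for c in cidrs]

    def matches(self, req, now):
        ip = ipaddress.ip_address(req["ip"])
        return any(ip in net for net in self.networks)


class RateBasedRule:
    """Match a source IP while its requests in the trailing window exceed the limit."""
    def __init__(self, name, priority, limit, action="BLOCK"):
        self.name, self.priority, self.limit, self.action = name, priority, limit, action
        self.hits = defaultdict(deque)  # ip -> timestamps of requests that reached this rule

    def matches(self, req, now):
        q = self.hits[req["ip"]]
        q.append(now)
        while q and now - q[0] >= WINDOW_SECONDS:  # slide the window forward
            q.popleft()
        return len(q) > self.limit


class RegexHeaderRule:
    """Match when a header value matches the pattern (a regex pattern set on one header)."""
    def __init__(self, name, priority, header, pattern, action="BLOCK"):
        self.name, self.priority, self.action = name, priority, action
        self.header, self.regex = header.lower(), re.compile(pattern, re.IGNORECASE)

    def matches(self, req, now):
        headers = {k.lower(): v for k, v in req["headers"].items()}
        return bool(self.regex.search(headers.get(self.header, "")))


def evaluate(rules, req, now, default_action="ALLOW"):
    """Return (action, terminating_rule, counted_rules) for one request."""
    counted = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req, now):
            if rule.action == "COUNT":  # non-terminating: record the match and keep going
                counted.append(rule.name)
                continue
            return rule.action, rule.name, counted
    return default_action, "Default_Action", counted


def build_rules():
    # Constructed rule set: a block list, a 1000-request limit, and a Count-mode UA check
    return [
        IpSetRule("BlockKnownBadIPs", 0, ["198.51.100.0/24"]),
        RateBasedRule("RateLimit1000", 1, limit=1000),
        RegexHeaderRule("CountLegacyBrowsers", 2, "User-Agent", r"MSIE [5-8]\.", action="COUNT"),
    ]


def run_demo():
    rules = build_rules()
    normal = {"ip": "203.0.113.10", "headers": {"User-Agent": "Mozilla/5.0"}}
    bad_ip = {"ip": "198.51.100.7", "headers": {"User-Agent": "curl/8.0"}}
    old_ua = {"ip": "203.0.113.11", "headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}}
    burst = {"ip": "203.0.113.50", "headers": {"User-Agent": "python-requests/2.31"}}
    results = {
        "normal": evaluate(rules, normal, now=0),
        "blocked_ip": evaluate(rules, bad_ip, now=0),
        "old_browser": evaluate(rules, old_ua, now=0),
    }
    # 1001 requests from one IP inside the window: the first 1000 pass, the 1001st exceeds the limit
    outcomes = [evaluate(rules, burst, now=10)[0] for _ in range(1001)]
    results["burst_allowed"] = outcomes.count("ALLOW")
    results["burst_last"] = outcomes[-1]
    # Once the window has slid past the burst, the same IP is allowed again
    results["after_window"] = evaluate(rules, burst, now=10 + WINDOW_SECONDS)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The model is exact per request; the real service evaluates rate-based rules roughly every 30 seconds against its counters, so a burst can run slightly past the limit before blocking begins, and the "after_window" behaviour is the reason a blocked IP recovers on its own once it slows down. Note that the Count-mode rule shows up in the third element of the result without changing the Allow decision, which is what you will see in the logs while testing.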

Integrating AWS WAF with CloudFront, ALB, and API Gateway

CloudFront Distribution Integration

  1. Associate Web ACL with CloudFront:

    • During Web ACL creation, choose your CloudFront distribution.
    • Requests passing through CloudFront will now be filtered by AWS WAF.
  2. Monitor Traffic:

    • A CloudFront-scoped Web ACL publishes its WAF metrics and sampled requests to CloudWatch in the US East (N. Virginia) Region, alongside CloudFront's own distribution metrics.

Application Load Balancer (ALB) Integration

  1. Associate Web ACL with ALB:
    • Select your ALB as the associated resource when creating the Web ACL.
  2. Access Control for Internal Applications:
    • A Web ACL can be attached to an internal ALB as well as an internet-facing one, so internal web applications receive the same filtering. The Web ACL must be in the load balancer's Region.

API Gateway Integration

  1. Protect APIs with AWS WAF:

    • Attach the Web ACL to a REST API stage (each stage is associated separately) to filter requests before they reach the integration. HTTP APIs do not support AWS WAF; if WAF is required for one, place a CloudFront distribution in front of it and attach the Web ACL there.
  2. Rate Limiting:

    • Use rate-based rules to prevent abuse of your APIs.

Monitoring and Logging AWS WAF Web ACL

CloudWatch Metrics

AWS WAF integrates with CloudWatch to provide detailed metrics on traffic and request outcomes:

  • AllowedRequests: Count of requests allowed, whether by a rule with an Allow action or by the default action.
  • BlockedRequests: Count of requests blocked by WAF rules.
  • CountedRequests: Count of requests that match a rule but are only counted and not blocked.

AWS WAF Logs

To gain insight into the traffic and requests filtered by AWS WAF, enable logging for the Web ACL:

  1. Enable Logging:
    • In the Web ACL settings, choose a logging destination: a CloudWatch Logs log group, an Amazon S3 bucket, or an Amazon Data Firehose delivery stream. The destination's name must start with aws-waf-logs-.
  2. Analyze Logs:
    • Use Amazon Athena (for S3) or CloudWatch Logs Insights to query the JSON records. The action, terminatingRuleId, nonTerminatingMatchingRules, ruleGroupList and httpRequest fields tell you what was blocked, by which rule, and what Count-mode rules would have blocked.

Setting Up Alarms

Configure CloudWatch alarms to trigger alerts based on WAF metrics, for example when BlockedRequests for the Web ACL exceed a threshold, or when AllowedRequests drop to zero while the application is expected to receive traffic, which usually means a rule or the default action is blocking everything.

Security Best Practices

  • Use Managed Rules: Take advantage of AWS Managed Rules for common web exploits.
  • Minimize Custom Rules: Each Web ACL has a capacity budget measured in web ACL capacity units (WCUs); complex regex and body-inspection rules consume more of it and add latency. Keep custom rules few and specific.
  • Enable Logging and Monitoring: Continuously monitor WAF logs and set up alerts for unusual activity.

Optimizing Performance

  • Order Rules Deliberately: Rules are evaluated in ascending priority and the first rule with a terminating action (Allow or Block) decides the request, so ordering affects correctness, not just cost. Put explicit allow lists first, cheap blocks such as IP sets next, and rule groups that inspect request bodies last.
  • Use Rate Based Rules for DDoS Protection: Set appropriate rate limits to block malicious traffic without affecting legitimate users.
  • Test Rules in Count Mode: Before deploying rules, test them in Count Mode to ensure they don't block legitimate traffic.
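The "Analyze Logs" step and the Count-mode advice above meet in the same place: the log records. The following is an added example (not AWS tooling and not part of the original article) that parses AWS WAF log lines, rolls up actions, terminating rules and blocked source IPs, and reports what each Count-mode rule would have blocked had it been switched to Block. The four records are constructed and trimmed to the fields used here (real records carry more, such as terminatingRuleMatchDetails and full header lists); the Web ACL ARN, distribution ID, account ID and IPs are placeholders.

```python
"""Summarise AWS WAF log records, including what Count-mode rules would have blocked."""
import json
from collections import Counter

ACL = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/MyWebACL/11111111-2222-3333-4444-555555555555"
GROUP = "AWS#AWSManagedRulesCommonRuleSet"


def _req(ip, uri, ua, method="GET", args=""):
    """httpRequest block as logged: headers are a list of {name, value} pairs."""
    return {"clientIp": ip, "country": "DE", "uri": uri, "args": args, "httpMethod": method,
            "headers": [{"name": "Host", "value": "www.example.com"}, {"name": "User-Agent", "value": ua}]}


def _rec(ts, action, rule, rule_type, req, groups=None, rate=None, counted=None):
    return {"timestamp": ts, "formatVersion": 1, "webaclId": ACL, "terminatingRuleId": rule,
            "terminatingRuleType": rule_type, "action": action, "httpSourceName": "CF",
            "httpSourceId": "E1EXAMPLE", "ruleGroupList": groups or [], "rateBasedRuleList": rate or [],
            "nonTerminatingMatchingRules": counted or [], "httpRequest": req}


# Constructed sample: one Count match, one rate-based block, one managed-group block,
# and one allowed request where a rule inside the managed group was overridden to Count.
SAMPLE_LOG_LINES = [json.dumps(r) for r in [
    _rec(1700000000000, "ALLOW", "Default_Action", "REGULAR",
         _req("203.0.113.11", "/login", "Mozilla/4.0 (compatible; MSIE 6.0)"),
         counted=[{"ruleId": "CountLegacyBrowsers", "action": "COUNT"}]),
    _rec(1700000001000, "BLOCK", "RateLimit1000", "RATE_BASED",
         _req("198.51.100.7", "/login", "python-requests/2.31", method="POST"),
         rate=[{"rateBasedRuleId": "RateLimit1000", "limitKey": "IP", "maxRateAllowed": 1000}]),
    _rec(1700000002000, "BLOCK", "AWS-AWSManagedRulesCommonRuleSet", "MANAGED_RULE_GROUP",
         _req("198.51.100.9", "/search", "curl/8.0", args="q=%3Cscript%3Ealert(1)%3C/script%3E"),
         groups=[{"ruleGroupId": GROUP, "excludedRules": None, "nonTerminatingMatchingRules": [],
                  "terminatingRule": {"ruleId": "CrossSiteScripting_QUERYARGUMENTS", "action": "BLOCK"}}]),
    _rec(1700000003000, "ALLOW", "Default_Action", "REGULAR",
         _req("203.0.113.20", "/upload", "Mozilla/5.0", method="POST"),
         groups=[{"ruleGroupId": GROUP, "terminatingRule": None, "nonTerminatingMatchingRules": [],
                  "excludedRules": [{"exclusionType": "EXCLUDED_AS_COUNT", "ruleId": "SizeRestrictions_BODY"}]}]),
]]


def parse(lines):
    return [json.loads(line) for line in lines]


def header(rec, name):
    """Look up one request header case-insensitively from the logged header list."""
    for h in rec["httpRequest"]["headers"]:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def summarize(records):
    by_action, by_rule, blocked_ips = Counter(), Counter(), Counter()
    blocked_uas, would_block = Counter(), Counter()
    for rec in records:
        ip = rec["httpRequest"]["clientIp"]
        by_action[rec["action"]] += 1
        by_rule[rec["terminatingRuleId"]] += 1
        if rec["action"] == "BLOCK":
            blocked_ips[ip] += 1
            blocked_uas[header(rec, "User-Agent")] += 1
        # Web ACL-level rules whose action is Count appear here, not as the terminating rule
        for m in rec.get("nonTerminatingMatchingRules") or []:
            if m.get("action") == "COUNT":
                would_block[m["ruleId"]] += 1
        # Rules overridden to Count inside a rule group are reported as EXCLUDED_AS_COUNT
        for grp in rec.get("ruleGroupList") or []:
            for ex in grp.get("excludedRules") or []:
                if ex.get("exclusionType") == "EXCLUDED_AS_COUNT":
                    would_block[f"{grp['ruleGroupId']}/{ex['ruleId']}"] += 1
    return {"by_action": by_action, "by_terminating_rule": by_rule, "blocked_ips": blocked_ips,
            "blocked_user_agents": blocked_uas, "would_block_if_enforced": would_block}


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG_LINES)).items():
        print(key, dict(value))
```

Point the parser at the lines of a real log export and the would_block_if_enforced table is the list to review before switching a rule from Count to Block: every entry is a request that would have been denied, so check the source IPs and paths against known-good traffic first. The Count-mode matches appear under nonTerminatingMatchingRules (for Web ACL rules) and excludedRules with EXCLUDED_AS_COUNT (for rules inside a group), never under terminatingRuleId, which is why a query on terminatingRuleId alone misses them.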