AWS WAF (Web Application Firewall) is a service that helps protect your web applications or APIs from common web exploits that could affect availability, compromise security, or consume excessive resources. It enables you to control how traffic reaches your applications by creating security rules that block common attack patterns.
AWS WAF
How it Works:
AWS WAF operates by allowing you to create protection packs or web ACLs (Access Control Lists), which are the main deployment units. These web ACLs are associated with AWS resources like Amazon CloudFront distributions, Application Load Balancers, API Gateway APIs, Amazon Cognito user pools, AWS AppSync APIs, and AWS Verified Access instances. The web ACLs contain rules and rule groups that define the conditions under which web requests are allowed, blocked, or counted.
Rules and Rule Groups:
- Rules contain rule statements that specify how AWS WAF inspects web requests. These statements can inspect various parts of a request, such as IP addresses, geographical origin, strings (including regex patterns), size of components, and the presence of malicious SQL code (SQL injection) or scripts (cross-site scripting).
- Text transformations can be applied to web request components before inspection to normalize the data and thwart attackers attempting to bypass WAF by using unusual formatting (e.g., URL decoding, HTML entity decoding).
- Rule groups are collections of rules that you can reuse. You can create your own custom rule groups or use AWS Managed Rules rule groups, which are pre-configured sets of rules provided by AWS or AWS Marketplace sellers to protect against common threats.
- Web ACL Capacity Units (WCUs): Each rule and rule group consumes WCUs, which represent its operational capacity. More complex rules or rule groups consume more WCUs.
Actions:
When a rule matches a web request, it can perform one of several actions:
- Allow: Permits the request to be forwarded to the protected resource.
- Block: Stops the request from reaching the resource. By default it returns an HTTP 403 (Forbidden) status code, though custom responses can be configured.
- Count: Counts the request without affecting its handling, useful for monitoring and testing new rules.
- CAPTCHA and Challenge: These actions are used for intelligent threat mitigation. CAPTCHA requires the end user to solve a puzzle, while Challenge runs a silent background verification to confirm the client is a legitimate browser.
Intelligent Threat Mitigation:
AWS WAF offers advanced managed rule groups for specific threats:
- AWS WAF Bot Control: Helps manage bot traffic, distinguishing between legitimate bots (like search engines) and malicious bots (like scrapers). It leverages detection techniques such as browser interrogation, fingerprinting, and behavioral heuristics.
- AWS WAF Fraud Control Account Creation Fraud Prevention (ACFP): Prevents the creation of fraudulent accounts by inspecting account registration and creation attempts, including the use of stolen credentials. It requires configuration of your application's registration and account creation page paths and request payload types.
- AWS WAF Fraud Control Account Takeover Prevention (ATP): Protects against account takeover attempts by monitoring login traffic, detecting suspicious activities like password traversal, and checking against stolen credential databases. It also requires configuration of your application's login page details.
- Distributed Denial of Service (DDoS) prevention: AWS WAF can be integrated with AWS Shield to mitigate application layer DDoS attacks.
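To make the rules, text transformations and actions described above concrete, here is an added example (not AWS code and not part of the original post) that models how a web ACL evaluates a request. The rule objects use the JSON shape the AWS WAF v2 API accepts for a web ACL's rules (VisibilityConfig omitted; the real CLI expects SearchString as base64-encoded bytes, here it is kept as plain text for readability). The evaluator itself is a simplified model: it supports only ByteMatchStatement, GeoMatchStatement and NotStatement, applies TextTransformations in priority order, walks rules by Priority, treats Count as non-terminating, and falls back to the web ACL's default action. The sample requests and the "XX" country code are constructed placeholders.

```python
"""Simplified model of AWS WAF v2 web ACL evaluation (added illustration, not AWS code)."""
import html
import urllib.parse

# Constructed rules in the AWS WAF v2 JSON shape (VisibilityConfig omitted for brevity).
RULES = [
    {
        "Name": "block-sqli-in-query",
        "Priority": 0,
        "Action": {"Block": {}},
        "Statement": {
            "ByteMatchStatement": {
                "FieldToMatch": {"QueryString": {}},
                "PositionalConstraint": "CONTAINS",
                "SearchString": "union select",  # plain text here; the CLI wants base64 bytes
                "TextTransformations": [  # chained, applied in Priority order before matching
                    {"Priority": 0, "Type": "URL_DECODE"},
                    {"Priority": 1, "Type": "HTML_ENTITY_DECODE"},
                    {"Priority": 2, "Type": "LOWERCASE"},
                ],
            }
        },
    },
    {
        "Name": "count-geo-probe",  # Count mode: observe a candidate rule before enforcing it
        "Priority": 1,
        "Action": {"Count": {}},
        # "XX" is a placeholder; real GeoMatchStatements use ISO 3166-1 alpha-2 codes.
        "Statement": {"GeoMatchStatement": {"CountryCodes": ["XX"]}},
    },
]
DEFAULT_ACTION = "ALLOW"  # web ACL default action applied when no rule terminates

# Approximations of a few AWS WAF text transformation types.
TRANSFORMS = {
    "NONE": lambda s: s,
    "LOWERCASE": str.lower,
    "URL_DECODE": urllib.parse.unquote_plus,      # %XX and '+' to space
    "HTML_ENTITY_DECODE": html.unescape,          # &#32; / &lt; etc.
    "COMPRESS_WHITE_SPACE": lambda s: " ".join(s.split()),
}

# Constructed sample requests (documentation-range values, not real traffic).
SAMPLE_REQUESTS = {
    "benign": {"uri": "/search", "query": "q=shoes", "country": "US", "headers": {}},
    "encoded_sqli": {"uri": "/items", "query": "id=1%20UnIoN%20SeLeCt%20password",
                     "country": "US", "headers": {}},
    "entity_sqli": {"uri": "/items", "query": "id=1&#32;union&#32;select&#32;1",
                    "country": "US", "headers": {}},
    "watched_country": {"uri": "/search", "query": "q=shoes", "country": "XX", "headers": {}},
}


def field_value(request, field_to_match):
    """Pick the request component a FieldToMatch refers to."""
    if "QueryString" in field_to_match:
        return request.get("query", "")
    if "UriPath" in field_to_match:
        return request.get("uri", "")
    if "SingleHeader" in field_to_match:
        name = field_to_match["SingleHeader"]["Name"].lower()
        return request.get("headers", {}).get(name, "")
    raise ValueError(f"unsupported FieldToMatch: {field_to_match}")


def transformed_value(byte_match, request):
    """Apply the statement's TextTransformations in Priority order and return the result."""
    value = field_value(request, byte_match["FieldToMatch"])
    for t in sorted(byte_match["TextTransformations"], key=lambda t: t["Priority"]):
        value = TRANSFORMS[t["Type"]](value)
    return value


def statement_matches(statement, request):
    """Evaluate the subset of rule statements this model understands."""
    if "ByteMatchStatement" in statement:
        bm = statement["ByteMatchStatement"]
        value, needle = transformed_value(bm, request), bm["SearchString"]
        return {"CONTAINS": needle in value, "EXACTLY": value == needle,
                "STARTS_WITH": value.startswith(needle),
                "ENDS_WITH": value.endswith(needle)}[bm["PositionalConstraint"]]
    if "GeoMatchStatement" in statement:
        return request.get("country") in statement["GeoMatchStatement"]["CountryCodes"]
    if "NotStatement" in statement:
        return not statement_matches(statement["NotStatement"]["Statement"], request)
    raise ValueError(f"unsupported statement: {list(statement)}")


def evaluate(rules, request, default_action=DEFAULT_ACTION):
    """Return (final_action, terminating_rule_name, counted_rule_names).

    Rules run in Priority order; Count records the match and continues, while Allow
    and Block terminate evaluation. With no terminating match the default action applies.
    """
    counted = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if not statement_matches(rule["Statement"], request):
            continue
        action = next(iter(rule["Action"]))  # "Allow", "Block" or "Count"
        if action == "Count":
            counted.append(rule["Name"])
            continue
        return action.upper(), rule["Name"], counted
    return default_action, None, counted


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:16} -> {evaluate(RULES, req)}")
```

The two SQL-injection samples show why the transformation chain matters: the raw query strings never contain the literal search string, so an untransformed substring check misses both, while URL decoding, entity decoding and lowercasing normalize them to the same text. The watched-country request shows Count mode in action: the match is recorded (and in a real deployment would appear in logs and metrics) but the request is still allowed by the default action.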
Configuration and Management:
AWS WAF offers an updated console experience with simplified workflows for setting up protection packs and web ACLs. This involves specifying application categories, traffic sources, and associating AWS resources. You can choose recommended protection rules or build your own custom rules.
Logging and Monitoring:
You can configure AWS WAF to send detailed logs of web requests to various destinations like Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose. These logs include information about matched rules, actions taken, and labels applied to requests. Data protection settings allow you to redact or hash sensitive information in logs for fields like body, query string, headers, and cookies.
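The logs are where the Count action and the labels pay off. The following added example (my own code, not AWS tooling or part of the original post) parses a few constructed AWS WAF log records in the JSON-lines shape the service emits (fields such as action, terminatingRuleId, nonTerminatingMatchingRules, httpRequest and labels) and summarizes them the way you would when deciding whether a rule that has been running in Count mode is safe to switch to Block: final actions, which rules fired, what each Count-mode rule would have blocked, and which labels were applied. The rule names, IPs and the REDACTED header value are constructed sample data.

```python
"""Summarize AWS WAF log records (added example; constructed sample lines, not real traffic)."""
import json
from collections import Counter, defaultdict

# Constructed sample log lines in the AWS WAF JSON-lines format (abbreviated; values are
# documentation-range addresses and placeholder ARNs, with one header redacted as the
# logging configuration would do).
SAMPLE_LOG_LINES = [
    '{"timestamp":1700000000000,"formatVersion":1,"webaclId":"arn:aws:wafv2:REGION:ACCOUNT:regional/webacl/example/ID",'
    '"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW",'
    '"httpSourceName":"ALB","nonTerminatingMatchingRules":[],"labels":[],'
    '"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/search","args":"q=shoes","httpMethod":"GET",'
    '"headers":[{"name":"Cookie","value":"REDACTED"}]}}',
    '{"timestamp":1700000001000,"formatVersion":1,"webaclId":"arn:aws:wafv2:REGION:ACCOUNT:regional/webacl/example/ID",'
    '"terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK",'
    '"httpSourceName":"ALB","nonTerminatingMatchingRules":[],'
    '"labels":[{"name":"awswaf:managed:aws:sql-database:SQLi_QueryArguments"}],'
    '"httpRequest":{"clientIp":"203.0.113.55","country":"US","uri":"/items","args":"REDACTED","httpMethod":"GET","headers":[]}}',
    '{"timestamp":1700000002000,"formatVersion":1,"webaclId":"arn:aws:wafv2:REGION:ACCOUNT:regional/webacl/example/ID",'
    '"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB",'
    '"nonTerminatingMatchingRules":[{"ruleId":"count-geo-probe","action":"COUNT"}],"labels":[],'
    '"httpRequest":{"clientIp":"198.51.100.7","country":"XX","uri":"/search","args":"q=boots","httpMethod":"GET","headers":[]}}',
    '{"timestamp":1700000003000,"formatVersion":1,"webaclId":"arn:aws:wafv2:REGION:ACCOUNT:regional/webacl/example/ID",'
    '"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB",'
    '"nonTerminatingMatchingRules":[{"ruleId":"count-geo-probe","action":"COUNT"}],"labels":[],'
    '"httpRequest":{"clientIp":"198.51.100.8","country":"XX","uri":"/login","args":"","httpMethod":"POST","headers":[]}}',
]


def parse_waf_logs(lines):
    """Parse JSON-lines records, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated delivery batch should not stop the whole analysis
    return records


def summarize(records):
    """Aggregate what matters when reviewing a Count-mode rule before switching it to Block."""
    actions = Counter()            # final action per request
    terminating = Counter()        # rule (or Default_Action) that decided each request
    count_mode = Counter()         # how often each non-terminating Count rule matched
    would_block = defaultdict(set) # client IPs a Count rule would have blocked
    labels = Counter()             # labels attached by rules and managed rule groups
    for rec in records:
        actions[rec.get("action", "UNKNOWN")] += 1
        terminating[rec.get("terminatingRuleId", "Default_Action")] += 1
        client_ip = rec.get("httpRequest", {}).get("clientIp", "?")
        for m in rec.get("nonTerminatingMatchingRules", []):
            if m.get("action") == "COUNT":
                count_mode[m["ruleId"]] += 1
                would_block[m["ruleId"]].add(client_ip)
        for lbl in rec.get("labels", []):
            labels[lbl["name"]] += 1
    return {"actions": actions, "terminating": terminating, "count_mode": count_mode,
            "would_block": {k: sorted(v) for k, v in would_block.items()}, "labels": labels}


def count_rule_report(summary, rule_id):
    """One-line verdict helper: how many requests and distinct clients a Count rule touched."""
    hits = summary["count_mode"].get(rule_id, 0)
    clients = summary["would_block"].get(rule_id, [])
    return {"rule": rule_id, "matches": hits, "distinct_clients": len(clients)}


if __name__ == "__main__":
    s = summarize(parse_waf_logs(SAMPLE_LOG_LINES))
    print("actions:", dict(s["actions"]))
    print("terminating rules:", dict(s["terminating"]))
    print("labels:", dict(s["labels"]))
    print("count-mode rule review:", count_rule_report(s, "count-geo-probe"))
```

Run against a real export, the count-mode section tells you how much legitimate traffic a candidate rule would have blocked before you flip its action; the labels section is what you would key further rules or CloudWatch metric filters on. The redacted Cookie header and args values show that the fields you protect with the logging data-protection settings still leave a usable record of the request.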
AWS WAF Classic:
It's important to note that AWS WAF Classic is undergoing a planned end-of-life process, and migration to the latest version of AWS WAF (v2) is recommended. The newer AWS WAF (v2) offers simplified quotas, WCU-based capacity limits, variable CIDR range support for IP sets, chainable text transformations, and an improved console experience compared to AWS WAF Classic.
Think of AWS WAF as a vigilant bouncer at the entrance of your exclusive club (your web application). You give the bouncer a set of rules (your web ACLs, rules, and rule groups) specifying who is allowed in, who gets turned away, who just gets noted, or who needs to pass a quick test (CAPTCHA/Challenge) before entry. The bouncer keeps a detailed log of every interaction (logging) and can even identify sophisticated troublemakers (intelligent threat mitigation) based on their behavior or known bad lists, ensuring only the desired guests get through.