Introducing the AWS Firewall Factory

A few days ago we introduced our AWS Firewall Factory. A simple solution that helps you deploy, update, and stage your Web Application Firewalls while managing them centrally via AWS Firewall Manager.

What are Web Application Firewalls?

AWS Web Application Firewalls (WAFs) protect web applications and APIs from typical attacks from the Internet that can compromise security and availability, and put undue strain on servers and resources. The AWS WAF provides prebuilt security rules that help to control bot traffic and block attack patterns. However, with its help, you can also create your own rules based on your specific requirements. In simple scenarios and for smaller applications, this is very easy to implement on an individual basis. However, in larger environments with tens or even hundreds of applications, it is advisable to aim for central governance and automation. If you want to learn more about this solution or Web application firewalls in general feel free to register to this event.

Architecture

Let's take a quick look at the solution architecture. In order to be able to provision WAFs using AWS Firewall Manager to other accounts we first need to set the Firewall Manager administrator account in our AWS Organization. Additionally we need to have a central S3 Bucket which we will use for our WAF logs. The logs we could use to see potential false positives to develop custom WAF rules. The easiest way to do this is to query the S3 bucket via Athena.

But first you should just start with ManagedRuleGroups to have a base set to secure your applications. AWS Managed Rules for AWS WAF is a managed service that provides protection against common application vulnerabilities or other unwanted traffic, without having to write your own rules.

After deploying your first firewall and using ManagedRuleGroups to detect errors in your application, you can use aforementioned s3 log bucket to create queries and define your own custom rules using the false positives. You do this simply by defining the RuleStatements around your statements in your value file. During the deployment process, the solution calculates the required capacity using the CheckCapacity API from AWS and creates RuleGroups that are attached to the WAF. We have also developed an algorithm that pads the RuleGroups to the maximum RuleGroup size and only then creates a new RuleGroup.

All settings where the WAF should be deployed and with which settings (should be made) are controlled via the dedicated value file. Currently we only support a deployment via Taskfile. Later we will also support deployments via Teamcity.

Currently implemented Features

1. Automated Capacity Calculation via API - CheckCapacity
2. Algorithm to split Rules into RuleGroups
3. Automated Update of RuleGroup if Capacity Changed
4. Add ManagedRuleGroups via configuration file
5. Automated Generation of draw.io diagram for each WAF
6. Checking of the softlimit quota for WCU set in the AWS Account (Stop deployment if Calculated WCU is above the quota)
7. Easy configuration of WAF Rules trough json file.
8. Deployment Hash to deploy same WAF more than one time for testing and/or blue/green deployments.
9. Stopping deployment if soft limit will be exceeded: Firewall Manager policies per organization per Region (L-0B28E140) - Maximum number of web ACL capacity units in a web ACL in WAF for regional (L-D9F31E8A)
10. NEW RegexMatchStatement and IPSetReferenceStatement is working now 🚀
11. NEW You can now name your Rules. If you define a Name in your RulesArray the Name + a Base36 Timestamp will be used for creation of your Rule - otherwise a name will be generated. This will help you to query your logs in Athena. The same Rulename also apply to the metric just with adding "-metric" to the name.
12. New Support for Captcha - You can now add Captcha as Action to your WAFs. This help you to block unwanted bot traffic by requiring users to successfully complete challenges before their web request are allowed to reach AWS WAF protected resources. AWS WAF Captcha is available in the US East (N. Virginia), US West (Oregon), Europe (Frankfurt), South America (Sao Paulo), and Asia Pacific (Singapore) AWS Regions and supports Application Load Balancer, Amazon API Gateway, and AWS AppSync resources.

We hope you'll find this solution helpful to secure your environment! If you have any feedback about the solution, please feel free to reach out to us or open a github issue.

Comments

[Tamnasidharth]

It seems Network Firewall is just better Network ACLs. Why would you use Network ACLs over Firewall? Link

[David Krohn]

Network ACLs are just static IP-Filters for Protocols. I am using Network ACLs for a baseline of Security and a WebApplication Firewalls for my public endpoints. The Network Firewall in combination with the FMS is a good governance tool to help you to rollout your security baseline to multiple accounts. The AWS Firewall Factory is currently just for Web Application Firewalls.